Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type


From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Thu, 21 Jun 2018 10:30:59 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
Add a QAuthZListFile object type that implements the QAuthZ interface. This
built-in implementation is a proxy around the QAuthZList object type,
initializing it from an external file, and optionally, automatically
reloading it whenever it changes.

To create an instance of this object via the QMP monitor, the syntax
used would be:

       {
         "execute": "object-add",
         "arguments": {
           "qom-type": "authz-list",
           "id": "auth0",
           "parameters": {
             "filename": "/etc/qemu/vnc.acl",
            "refresh": "yes"

Would this be better as a JSON bool instead of a "yes"/"no" string?

TAB damage.

           }
         }
       }

If "refresh" is "yes", inotify is used to monitor the file,
automatically reloading changes. If an error occurs during reloading,
all authorizations will fail until the file is next successfully
loaded.

The /etc/qemu/vnc.acl file would contain a JSON representation of a
QAuthZList object

     {
       "rules": [
          { "match": "fred", "policy": "allow", "format": "exact" },
          { "match": "bob", "policy": "allow", "format": "exact" },
          { "match": "danb", "policy": "deny", "format": "exact" },
          { "match": "dan*", "policy": "allow", "format": "glob" }
       ],
       "policy": "deny"
     }

This sets up an authorization rule that allows 'fred', 'bob' and anyone
whose name starts with 'dan', except for 'danb'. Everyone unmatched is
denied.

The object can be loaded on the comand line using

s/comand/command/


    -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes

Double dash, for the sake of qemu-img


Signed-off-by: Daniel P. Berrangé <address@hidden>
---

+/**
+ * QAuthZListFile:
+ *
+ * This authorization driver provides a file mechanism
+ * for granting access by matching user names against a
+ * file of globs. Each match rule has an associated policy
+ * and a catch all policy applies if no rule matches
+ *
+ * To create an instance of this class via QMP:
+ *
+ *  {
+ *    "execute": "object-add",
+ *    "arguments": {
+ *      "qom-type": "authz-list-file",
+ *      "id": "authz0",
+ *      "parameters": {
+ *        "filename": "/etc/qemu/myvm-vnc.acl",
+ *        "refresh": "yes"
+ *      }
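Review bot: the opening description ("matching user names against a file of globs") is narrower than the format the commit message shows, where each rule carries a "format" of "exact" or "glob" alongside its policy; suggest "a file of match rules (exact or glob), each with an associated policy". The comment also omits the refresh failure behaviour stated in the commit message, that a failed reload denies all authorizations until the file next loads successfully; documenting that here matters, since it changes access decisions without any explicit administrator action.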

If you change the commit message to use bool, also change this comment to match.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
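As an added example, not code from the patch or from QEMU, here is a small Python model of the ACL semantics the commit message describes: per-rule exact or glob matching, the catch-all policy, and the fail-closed behaviour when a refresh fails. It assumes the first listed matching rule wins and uses fnmatch in place of QEMU's own glob matcher.

```python
import fnmatch
import json

# Constructed sample ACL in the QAuthZList JSON shape described in the patch.
SAMPLE_ACL = """
{
  "rules": [
    { "match": "fred", "policy": "allow", "format": "exact" },
    { "match": "danb", "policy": "deny",  "format": "exact" },
    { "match": "dan*", "policy": "allow", "format": "glob" }
  ],
  "policy": "deny"
}
"""

def load_acl(text):
    """Parse and validate an ACL document; raise ValueError on any defect."""
    acl = json.loads(text)
    if acl.get("policy") not in ("allow", "deny"):
        raise ValueError("catch-all policy must be allow or deny")
    for rule in acl.get("rules", []):
        if (rule.get("policy") not in ("allow", "deny")
                or rule.get("format") not in ("exact", "glob")):
            raise ValueError("malformed rule: %r" % (rule,))
    return acl

def is_allowed(acl, identity):
    """First matching rule decides (assumed ordering); else the catch-all."""
    for rule in acl["rules"]:
        if rule["format"] == "exact":
            matched = identity == rule["match"]
        else:  # glob: fnmatch stands in for the real matcher (assumption)
            matched = fnmatch.fnmatchcase(identity, rule["match"])
        if matched:
            return rule["policy"] == "allow"
    return acl["policy"] == "allow"

class FileAuthz:
    """Models the refresh behaviour: a failed reload denies everyone."""
    def __init__(self, text):
        self.acl = load_acl(text)

    def reload(self, text):
        try:
            self.acl = load_acl(text)
        except ValueError:
            self.acl = None  # fail closed until the next good load

    def check(self, identity):
        return self.acl is not None and is_allowed(self.acl, identity)
```

Note that a deny rule placed after a broader allow glob would never be reached, so rule order in the file is part of the policy.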
