[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for
From: |
Daniel P . Berrangé |
Subject: |
Re: [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list |
Date: |
Thu, 21 Jun 2018 16:39:41 +0100 |
User-agent: |
Mutt/1.9.5 (2018-04-13) |
On Thu, Jun 21, 2018 at 10:28:23AM -0500, Eric Blake wrote:
> On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> > From: "Daniel P. Berrange" <address@hidden>
> >
> > Add a QAuthZList object type that implements the QAuthZ interface. This
> > built-in implementation maintains a trivial access control list with a
> > sequence of match rules and a final default policy. This replicates the
> > functionality currently provided by the qemu_acl module.
> >
>
> >
> > It is not currently possible to create this via -object, since there is
> > no syntax supported to specify non-scalar properties for objects. This
> > is likely to be addressed by later support for using JSON with -object,
> > or an equivalent approach.
>
> Is this statement slightly stale, since we have JSON support with --object
> already?
That's news to me if we do. Markus did a PoC but AFAIK it was never
proposed for merge so far.
> > +##
> > +# @QAuthZListFormat:
> > +#
> > +# The authorization policy result
> > +#
> > +# @exact: an exact string match
> > +# @glob: string with ? and * shell wildcard support
>
> The shell also has [] globbing: a[bc]d matches 'abd' and 'acd'. Worth
> mentioning?
Sure,
>
> > +#
> > +# Since: 3.0
> > +##
> > +{ 'enum': 'QAuthZListFormat',
> > + 'prefix': 'QAUTHZ_LIST_FORMAT',
> > + 'data': ['exact', 'glob']}
> > +
> > +##
> > +# @QAuthZListRule:
> > +#
> > +# A single authorization rule.
> > +#
> > +# @match: a glob to match against a user identity
> > +# @policy: the result to return if @match evaluates to true
> > +# @format: (optional) the format of the @match rule (default 'exact')
> > +#
> > +# Since: 3.0
> > +##
> > +{ 'struct': 'QAuthZListRule',
> > + 'data': {'match': 'str',
> > + 'policy': 'QAuthZListPolicy',
> > + '*format': 'QAuthZListFormat'}}
> > +
> > +##
> > +# @QAuthZListRuleListHack:
> > +#
> > +# Not exposed via QMP; hack to generate QAuthZListRuleList
> > +# for use internally by the code.
>
> Someday, it would be nice if qom-set were fully specified rather than
> requiring hacks like this. Oh well, not new to your patches. I take it
> this is one case where order matters: the first rule that matches is applied
> (with no further rules tested), even if later rules in the list would also
> match.
NB this isn't needed for qom-set - its so that the include/authz/list.h
header file can reference this data type in the struct it defines.
Yes, ordering is important - first matching rule wins.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v2 04/11] hw/usb: fix const-ness for string params in MTP driver, (continued)
- [Qemu-devel] [PATCH v2 04/11] hw/usb: fix const-ness for string params in MTP driver, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 01/11] util: add helper APIs for dealing with inotify in portable manner, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 06/11] authz: add QAuthZ object as an authorization base class, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 05/11] hw/usb: switch MTP to use new inotify APIs, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file access control list, Daniel P . Berrangé, 2018/06/15
- [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list, Daniel P . Berrangé, 2018/06/15
[Qemu-devel] [PATCH v2 10/11] authz: add QAuthZPAM object type for authorizing using PAM, Daniel P . Berrangé, 2018/06/15
[Qemu-devel] [PATCH v2 11/11] authz: delete existing ACL implementation, Daniel P . Berrangé, 2018/06/15