Re: [Qemu-devel] [PATCH 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove

["Daniel P. Berrangé" <berrange@redhat.com>]

On Tue, Jun 19, 2018 at 01:31:40PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > The various ACL related commands are obsolete now that the QAuthZ
> > framework for authorization is fully integrated throughout QEMU network
> > services. Mark it as deprecated with no replacement to be provided.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> 
> OK, so I can do all these by using object_add/object_del with the right
> type and parameters?

It is a different paradigm for the way you manage it, but the end result
allows the same thing to be achieved, in a more flexible way.

With the old way, we precreated an ACL object for VNC, and then you
had to use these commands to add/remove individual  match rules and
or change the policy, etc. You could never create/delete the ACL itself.

With the new way, we have 4 different ACL implementations (so far)
and you can choose which to use. So you create the entire ACL with
all its rules populated atomically with object_add. There's no
create/delete of individual rules within the ACL, so if you want to
change rules you just delete the entire ACL & create it again. It
has failsafe to reject in case a client connects between the time
you delete and recreate.

One of the ACL impls allows storing the rules in a standalone text
file which we monitor with inotify. So in fact using that you can
update rules on the fly without needing QEMU interaction - just
change the content whenever needed.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|