Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file access control list

["Daniel P. Berrangé" <berrange@redhat.com>]

On Thu, Jun 21, 2018 at 10:30:59AM -0500, Eric Blake wrote:
> On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> > Add a QAuthZListFile object type that implements the QAuthZ interface. This
> > built-in implementation is a proxy around the QAtuhZList object type,
> > initializing it from an external file, and optionally, automatically
> > reloading it whenever it changes.
> > 
> > To create an instance of this object via the QMP monitor, the syntax
> > used would be:
> > 
> >        {
> >          "execute": "object-add",
> >          "arguments": {
> >            "qom-type": "authz-list",
> >            "id": "auth0",
> >            "parameters": {
> >              "filename": "/etc/qemu/vnc.acl",
> > 	    "refresh": "yes"
> 
> Would this be better as a JSON bool instead of a "yes"/"no" string?

Quiet probably - I'll have to double check it does work

> 
> TAB damage.
> 
> >            }
> >          }
> >        }
> > 
> > If "refresh" is "yes", inotify is used to monitor the file,
> > automatically reloading changes. If an error occurs during reloading,
> > all authorizations will fail until the file is next successfully
> > loaded.
> > 
> > The /etc/qemu/vnc.acl file would contain a JSON representation of a
> > QAuthZList object
> > 
> >      {
> >        "rules": [
> >           { "match": "fred", "policy": "allow", "format": "exact" },
> >           { "match": "bob", "policy": "allow", "format": "exact" },
> >           { "match": "danb", "policy": "deny", "format": "glob" },
> >           { "match": "dan*", "policy": "allow", "format": "exact" },
> >        ],
> >        "policy": "deny"
> >      }
> > 
> > This sets up an authorization rule that allows 'fred', 'bob' and anyone
> > whose name starts with 'dan', except for 'danb'. Everyone unmatched is
> > denied.
> > 
> > The object can be loaded on the comand line using
> 
> s/comand/command/
> 
> > 
> >     -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes
> 
> Double dash, for the sake of qemu-img
> 
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> 
> > +/**
> > + * QAuthZListFile:
> > + *
> > + * This authorization driver provides a file mechanism
> > + * for granting access by matching user names against a
> > + * file of globs. Each match rule has an associated policy
> > + * and a catch all policy applies if no rule matches
> > + *
> > + * To create an instance of this class via QMP:
> > + *
> > + *  {
> > + *    "execute": "object-add",
> > + *    "arguments": {
> > + *      "qom-type": "authz-list-file",
> > + *      "id": "authz0",
> > + *      "parameters": {
> > + *        "filename": "/etc/qemu/myvm-vnc.acl",
> > + *        "refresh": "yes"
> > + *      }
> 
> If you change the commit message to use bool, also change this comment to
> match.
> 
> -- 
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3266
> Virtualization:  qemu.org | libvirt.org

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|