Date: Tue, 22 Mar 2016 16:43:32 +0000
From: "Daniel P. Berrange"
Message-ID: <20160322164332.GM25450@redhat.com>
References: <1457635927-23045-1-git-send-email-berrange@redhat.com> <1457636396-24983-1-git-send-email-berrange@redhat.com> <1457636396-24983-4-git-send-email-berrange@redhat.com> <56F173E6.6000604@redhat.com>
In-Reply-To: <56F173E6.6000604@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 04/10] util: add QAuthZ object as an authorization base class
To: Eric Blake
Cc: qemu-block@nongnu.org, Markus Armbruster, qemu-devel@nongnu.org, Paolo Bonzini, Max Reitz, Andreas Färber

On Tue, Mar 22, 2016 at 10:33:42AM -0600, Eric Blake wrote:
> On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> > The current qemu_acl module provides a simple access control
> > list facility inside QEMU, which is used via a set of monitor
> > commands acl_show, acl_policy, acl_add, acl_remove & acl_reset.
> >
> > Note there is no ability to create ACLs - the network services
> > (eg VNC server) were expected to create ACLs that they want to
> > check.
> >
> > There is also no way to define ACLs on the command line, nor
> > potentially integrate with external authorization systems like
> > polkit, pam, ldap lookup, etc.
> >
> > The QAuthZ object defines a minimal abstract QOM class that can
> > be subclassed for creating different authorization providers.
> >
> > Signed-off-by: Daniel P. Berrange
> > ---
>
> > +++ b/include/qemu/authz.h
> > +
> > +/**
> > + * QAuthZ:
> > + *
> > + * The QAuthZ class defines an API contract to be used
> > + * for providing an authorization driver for network
> > + * services.
>
> Just network services? Or is it broader than that?
>
> > +/**
> > + * qauthz_is_allowed:
> > + * @authz: the authorization object
> > + * @identity: the user identity to authorize
> > + * @errp: pointer to a NULL initialized error object
> > + *
> > + * Check if a user @identity is authorized
> > + *
> > + * Returns: true if @identity is authorizd, false otherwise
>
> s/authorizd/authorized/
>
> I think you need more documentation on return semantics. Do we have
> strict binary return (either we returned true and errp is unset, or we
> returned false and errp is set), or is it a ternary (we return true and
> errp is unset: permission is explicitly granted; we return false and
> errp is unset: permission is explicitly denied; or we set errp: we could
> not determine permission). And if a ternary, do we also want to require
> that setting 'errp' also requires a return of false, or is the return
> undefined in that case?

It is intended to be ternary, and if errp is set, the return value
should be false. ie you should be able to do

  if (qauthz_is_allowed(authz, identity, NULL))
      ....

safe in the knowledge that any error that you're ignoring will result
in denial of permission

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
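Review bot: the qauthz_is_allowed doc comment in the include/qemu/authz.h hunk should state the full return contract instead of "Returns: true if @identity is authorizd, false otherwise" (typo aside), because a reader of the header cannot currently tell the three outcomes apart: true with @errp untouched means explicitly allowed, false with @errp untouched means explicitly denied, and false with @errp set means the check could not be completed, with the guarantee that the function never returns true when it sets @errp. The "@errp: pointer to a NULL initialized error object" line should also say that callers may pass NULL, and that in that case an undecidable check is reported as a denial, since the "if (qauthz_is_allowed(authz, identity, NULL))" usage in the reply only stays fail-closed if every provider honours that rule; putting it in the header turns an intention into a requirement on subclass implementations.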
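The ternary contract described in the reply, written out as an added, constructed C example (not QEMU's QAuthZ code; the Error type, the AuthZ allow-list provider, the "ldap:" prefix used to simulate an unreachable backend, and the sample identities are all assumptions made here). It shows the two caller styles side by side: one that distinguishes denial from failure, and one that passes NULL for errp and relies on errors collapsing into a denial.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for QEMU's Error type; not the real implementation. */
typedef struct Error {
    char msg[128];
} Error;

/* Like error_setg, a NULL errp is allowed and simply discards the error. */
static void error_set(Error **errp, const char *msg)
{
    if (!errp) {
        return;
    }
    Error *err = calloc(1, sizeof(*err));
    if (!err) {
        abort();
    }
    snprintf(err->msg, sizeof(err->msg), "%s", msg);
    *errp = err;
}

/* Hypothetical provider: a fixed allow-list. Identities prefixed "ldap:"
 * simulate a lookup against an external service that is unreachable. */
typedef struct AuthZ {
    const char *const *allowed;
    size_t n_allowed;
} AuthZ;

/* The ternary contract from the thread:
 *   true,  *errp untouched -> explicitly allowed
 *   false, *errp untouched -> explicitly denied
 *   false, *errp set       -> could not decide
 * It never returns true while setting *errp, so a caller passing NULL
 * for errp silently gets a denial on error (fail-closed). */
static bool authz_is_allowed(const AuthZ *authz, const char *identity,
                             Error **errp)
{
    if (strncmp(identity, "ldap:", 5) == 0) {
        error_set(errp, "authorization backend unreachable");
        return false;
    }
    for (size_t i = 0; i < authz->n_allowed; i++) {
        if (strcmp(authz->allowed[i], identity) == 0) {
            return true;
        }
    }
    return false;
}

enum Decision { DECISION_ALLOW, DECISION_DENY, DECISION_ERROR };

/* Caller that wants to tell denial from failure, e.g. to log or alert. */
static enum Decision classify(const AuthZ *authz, const char *identity)
{
    Error *err = NULL;
    bool ok = authz_is_allowed(authz, identity, &err);
    if (err) {
        /* ok is guaranteed false here by the contract. */
        free(err);
        return DECISION_ERROR;
    }
    return ok ? DECISION_ALLOW : DECISION_DENY;
}

/* Caller that ignores errors, as in the NULL-errp usage in the reply. */
static bool allowed_ignoring_errors(const AuthZ *authz, const char *identity)
{
    return authz_is_allowed(authz, identity, NULL);
}

/* Constructed sample allow-list. */
static const char *const demo_allowed[] = { "fred", "bob" };
static const AuthZ demo_authz = { demo_allowed, 2 };

int main(void)
{
    static const char *const names[] = { "ALLOW", "DENY", "ERROR" };
    const char *ids[] = { "fred", "mallory", "ldap:alice" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-12s classify=%-5s ignoring_errors=%s\n", ids[i],
               names[classify(&demo_authz, ids[i])],
               allowed_ignoring_errors(&demo_authz, ids[i]) ? "true" : "false");
    }
    return 0;
}
```

The point of the two callers is the detection angle: a service that only ever passes NULL cannot distinguish "denied" from "backend down", so anything that needs to alert on authorization infrastructure failures should use the errp form, while the NULL form is still safe because the contract forbids a true result alongside a set error.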