From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46752)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from )
	id 1aiPPv-0004iX-6y
	for qemu-devel@nongnu.org; Tue, 22 Mar 2016 12:44:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from )
	id 1aiPPu-0008Ox-5O
	for qemu-devel@nongnu.org; Tue, 22 Mar 2016 12:44:27 -0400
Date: Tue, 22 Mar 2016 16:44:15 +0000
From: "Daniel P. Berrange"
Message-ID: <20160322164415.GN25450@redhat.com>
References: <1457635927-23045-1-git-send-email-berrange@redhat.com>
	<1457636396-24983-1-git-send-email-berrange@redhat.com>
	<1457636396-24983-4-git-send-email-berrange@redhat.com>
	<56F173E6.6000604@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <56F173E6.6000604@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 04/10] util: add QAuthZ object as an authorization base class
Reply-To: "Daniel P. Berrange"
To: Eric Blake
Cc: qemu-block@nongnu.org, Markus Armbruster, qemu-devel@nongnu.org,
	Paolo Bonzini, Max Reitz, Andreas Färber

On Tue, Mar 22, 2016 at 10:33:42AM -0600, Eric Blake wrote:
> On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> > The current qemu_acl module provides a simple access control
> > list facility inside QEMU, which is used via a set of monitor
> > commands acl_show, acl_policy, acl_add, acl_remove & acl_reset.
> >
> > Note there is no ability to create ACLs - the network services
> > (eg VNC server) were expected to create ACLs that they want to
> > check.
> >
> > There is also no way to define ACLs on the command line, nor
> > potentially integrate with external authorization systems like
> > polkit, pam, ldap lookup, etc.
> >
> > The QAuthZ object defines a minimal abstract QOM class that can
> > be subclassed for creating different authorization providers.
> >
> > Signed-off-by: Daniel P. Berrange
> > ---
>
> > +++ b/include/qemu/authz.h
> > +
> > +/**
> > + * QAuthZ:
> > + *
> > + * The QAuthZ class defines an API contract to be used
> > + * for providing an authorization driver for network
> > + * services.
>
> Just network services? Or is it broader than that?

Any service that requires authentication. It is actually nothing specific
to networking

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
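
Review bot: the QAuthZ doc comment in include/qemu/authz.h scopes the API contract to "network services", while the reply in this message states the class applies to any service and is not specific to networking. Suggest dropping "network" from the comment, or spelling out the broader scope, so the header matches the intended use. The comment also describes an "authorization driver" whereas the reply speaks of services that require authentication; using one term consistently in the header would make clear which check a subclass is expected to perform.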