From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, "Gerd Hoffmann" <kraxel@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Andreas Färber" <afaerber@suse.de>
Subject: Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Wed, 20 Jun 2018 12:38:42 +0100 [thread overview]
Message-ID: <20180620113842.GL2549@work-vm> (raw)
In-Reply-To: <20180620113442.GK3441@redhat.com>
* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Wed, Jun 20, 2018 at 12:29:38PM +0100, Dr. David Alan Gilbert wrote:
> > * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > > On Wed, Jun 20, 2018 at 11:58:01AM +0100, Dr. David Alan Gilbert wrote:
> > > > * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > > > > Add a QAuthZListFile object type that implements the QAuthZ interface. This
> > > > > built-in implementation is a proxy around the QAtuhZList object type,
> > > > > initializing it from an external file, and optionally, automatically
> > > > > reloading it whenever it changes.
> > > > >
> > > > > To create an instance of this object via the QMP monitor, the syntax
> > > > > used would be:
> > > > >
> > > > > {
> > > > > "execute": "object-add",
> > > > > "arguments": {
> > > > > "qom-type": "authz-list-file",
> > > > > "id": "authz0",
> > > > > "parameters": {
> > > > > "filename": "/etc/qemu/vnc.acl",
> > > > > "refresh": "yes"
> > > > > }
> > > > > }
> > > > > }
> > > > >
> > > > > If "refresh" is "yes", inotify is used to monitor the file,
> > > > > automatically reloading changes. If an error occurs during reloading,
> > > > > all authorizations will fail until the file is next successfully
> > > > > loaded.
> > > >
> > > > I'm curious about the 'refresh' stuff:
> > > > a) If refresh=no is there a way to explicitly ask for a refresh
> > > > when some tool knows it's finished with fiddling with the file.
> > >
> > > If refresh=no, then you can still use object_del + object_add to
> > > recreate the ACL object which will cause new content to be picked
> > > up.
> >
> > But if I have a VNC/NBD/etc listening, won't it be bound to the old
> > object, so I can't delete the old object?
>
> That's ok actually - the network servers merely record the ID of the
> authz object. They resolve that to an actual object instance at the
> time they do the authorization check, and failsafe to DENY if it is
> missing. So you can safely delete & recreate on the fly.
OK, that needs documenting; binding it at the time of parsing wouldn't
be surprising to anyone except for that use.
Dave
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2018-06-20 11:38 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-20 10:35 [Qemu-devel] [PATCH v3 00/11] Add a standard authorization framework Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 01/11] util: add helper APIs for dealing with inotify in portable manner Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 02/11] qom: don't require user creatable objects to be registered Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 03/11] hw/usb: don't set IN_ISDIR for inotify watch in MTP driver Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 04/11] hw/usb: fix const-ness for string params " Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 05/11] hw/usb: switch MTP to use new inotify APIs Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 06/11] authz: add QAuthZ object as an authorization base class Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 08/11] authz: add QAuthZList object type for an access control list Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file " Daniel P. Berrangé
2018-06-20 10:58 ` Dr. David Alan Gilbert
2018-06-20 11:11 ` Daniel P. Berrangé
2018-06-20 11:29 ` Dr. David Alan Gilbert
2018-06-20 11:34 ` Daniel P. Berrangé
2018-06-20 11:38 ` Dr. David Alan Gilbert [this message]
2018-06-20 11:55 ` Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 10/11] authz: add QAuthZPAM object type for authorizing using PAM Daniel P. Berrangé
2018-06-20 10:35 ` [Qemu-devel] [PATCH v3 11/11] authz: delete existing ACL implementation Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180620113842.GL2549@work-vm \
--to=dgilbert@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).