Re: [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list

["Daniel P. Berrangé" <berrange@redhat.com>]

On Thu, Jun 21, 2018 at 10:28:23AM -0500, Eric Blake wrote:
> On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> > 
> > Add a QAuthZList object type that implements the QAuthZ interface. This
> > built-in implementation maintains a trivial access control list with a
> > sequence of match rules and a final default policy. This replicates the
> > functionality currently provided by the qemu_acl module.
> > 
> 
> > 
> > It is not currently possible to create this via -object, since there is
> > no syntax supported to specify non-scalar properties for objects. This
> > is likely to be addressed by later support for using JSON with -object,
> > or an equivalent approach.
> 
> Is this statement slightly stale, since we have JSON support with --object
> already?

That's news to me if we do. Markus did a PoC but AFAIK it was never
proposed for merge so far.


> > +##
> > +# @QAuthZListFormat:
> > +#
> > +# The authorization policy result
> > +#
> > +# @exact: an exact string match
> > +# @glob: string with ? and * shell wildcard support
> 
> The shell also has [] globbing: a[bc]d matches 'abd' and 'acd'.  Worth
> mentioning?

Sure,

> 
> > +#
> > +# Since: 3.0
> > +##
> > +{ 'enum': 'QAuthZListFormat',
> > +  'prefix': 'QAUTHZ_LIST_FORMAT',
> > +  'data': ['exact', 'glob']}
> > +
> > +##
> > +# @QAuthZListRule:
> > +#
> > +# A single authorization rule.
> > +#
> > +# @match: a glob to match against a user identity
> > +# @policy: the result to return if @match evaluates to true
> > +# @format: (optional) the format of the @match rule (default 'exact')
> > +#
> > +# Since: 3.0
> > +##
> > +{ 'struct': 'QAuthZListRule',
> > +  'data': {'match': 'str',
> > +           'policy': 'QAuthZListPolicy',
> > +           '*format': 'QAuthZListFormat'}}
> > +
> > +##
> > +# @QAuthZListRuleListHack:
> > +#
> > +# Not exposed via QMP; hack to generate QAuthZListRuleList
> > +# for use internally by the code.
> 
> Someday, it would be nice if qom-set were fully specified rather than
> requiring hacks like this.  Oh well, not new to your patches.  I take it
> this is one case where order matters: the first rule that matches is applied
> (with no further rules tested), even if later rules in the list would also
> match.

NB this isn't needed for qom-set - its so that the include/authz/list.h
header file can reference this data type in the struct it defines.

Yes, ordering is important - first matching rule wins.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|