Re: [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list

["Daniel P. Berrangé" <berrange@redhat.com>]

On Thu, Jun 21, 2018 at 06:36:19PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
> 
> > On Thu, Jun 21, 2018 at 10:28:23AM -0500, Eric Blake wrote:
> >> On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> >> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >> > 
> >> > Add a QAuthZList object type that implements the QAuthZ interface. This
> >> > built-in implementation maintains a trivial access control list with a
> >> > sequence of match rules and a final default policy. This replicates the
> >> > functionality currently provided by the qemu_acl module.
> >> > 
> >> 
> >> > 
> >> > It is not currently possible to create this via -object, since there is
> >> > no syntax supported to specify non-scalar properties for objects. This
> >> > is likely to be addressed by later support for using JSON with -object,
> >> > or an equivalent approach.
> >> 
> >> Is this statement slightly stale, since we have JSON support with --object
> >> already?
> >
> > That's news to me if we do. Markus did a PoC but AFAIK it was never
> > proposed for merge so far.
> 
> Correct.  Can finish the job if there's a need.
> 
> [...]

I'm not hugely bothered by it - this QAuthZList impl serves two core
purposes - a replacement for the HMP monitor commands I deprecated,
an an engine for the QAuthZListFile which stores QAuthZList objects in
external json files. The latter is what I think we'll use in practice,
as it lets us auto-refresh on the fly via inotify which is much more
convenient than having libvirt do object_add/object_del.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|