From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 7/7: Add external persistent ACL file
Date: Sat, 14 Feb 2009 16:16:25 -0600
Message-ID: <499742B9.5060201@codemonkey.ws>
In-Reply-To: <20090212150449.GW9894@redhat.com>

Daniel P. Berrange wrote:
> This patch introduces a simple access control file capability
> for authorizing clients of QEMU's various network services.
> The file is designed such that it can be shared amongst multiple
> QEMU instances. The style of commands is similar to that used
> in the monitor ACL commands. It is a line oriented format, with
> comments indicated by leading '#'. Each non-comment line consists
> of 4 fields, 'scope', 'aclname', 'action' and 'value'.
>
> The scope allows control over what VMs the rule applies to. This
> is a glob, so '*' matches any VM. An explicit value can be matched
> against the VM name, as given by the '-name' argument.
>
> The aclname is one of the ACLs defined by QEMU, either vnc.username
> or vnc.x509dname for now. More later perhaps.
>
> The action can be one of 'policy', 'allow', or 'deny'. The policy
> sets the default allow/deny state for the ACL, if no rules match.
>
> Finally the 'value' is another glob matching against the client
> name being checked.
>
> An example showing use of both SASL username ACLs, and x509 client
> certificate distinguished name ACLs.
>
>    # Default deny all for all SASL authenticated users in all VMs
>    * vnc.username policy deny
>
>    # Allow bob access to all VMs
>    * vnc.username allow bob
>
>    # Allow fred and test access to the VM named 'demo'
>    demo vnc.username allow fred
>    demo vnc.username allow test
>
>
>    # Deny all x509 client certificates on all VMs
>    * vnc.x509dname policy deny
>
>    # Allow all users from the ACME, London office to all VMs
>    * vnc.x509dname allow "C=GB,O=ACME,L=London,CN=*"
>
>    # Allow Joe from Boston, access to VM 'demo'
>    demo vnc.x509dname allow "C=GB,O=ACME,L=Boston,CN=joe"
>   

I feel really uncomfortable with this especially since Markus is now 
working on configuration file support.  It seems to me that we'll want 
to store any ACL information in the host configuration file.

Unless there's a really strong case that you always want ACLs to be 
stored in a separate file, I'd rather wait to see how the host 
configuration file stuff turns out before applying this.

I assume that libvirt will use the monitor interface anyway so 
presumably, it's not a huge problem to wait on this?

Regards,

Anthony Liguori
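The ACL file format quoted above is simple enough that a small parser and evaluator shows how such a file would actually be applied to an incoming client. The following is an added example written for this archive page; it is not QEMU's code and not Daniel's patch. It assumes first-match semantics for allow/deny rules within an ACL (the patch text only says the policy applies "if no rules match"), a fail-closed default when an ACL has no policy line at all, and shell-style quoting for values such as the x509 distinguished names. The sample ACL text is the one given in the quoted mail, embedded here as constructed input.

```python
import fnmatch
import shlex
from typing import List, NamedTuple

# Constructed sample: the ACL file shown in the quoted patch description.
SAMPLE_ACL = """\
# Default deny all for all SASL authenticated users in all VMs
* vnc.username policy deny

# Allow bob access to all VMs
* vnc.username allow bob

# Allow fred and test access to the VM named 'demo'
demo vnc.username allow fred
demo vnc.username allow test

# Deny all x509 client certificates on all VMs
* vnc.x509dname policy deny

# Allow all users from the ACME, London office to all VMs
* vnc.x509dname allow "C=GB,O=ACME,L=London,CN=*"

# Allow Joe from Boston, access to VM 'demo'
demo vnc.x509dname allow "C=GB,O=ACME,L=Boston,CN=joe"
"""

VALID_ACTIONS = {"policy", "allow", "deny"}


class Entry(NamedTuple):
    scope: str     # glob matched against the VM's -name value
    aclname: str   # e.g. vnc.username or vnc.x509dname
    action: str    # policy, allow or deny
    value: str     # for policy: allow/deny; otherwise a glob on the client name


def parse_acl(text: str) -> List[Entry]:
    """Parse the line-oriented ACL format: '#' comments, blank lines, 4 fields per rule.

    Malformed lines raise rather than being skipped, so a typo cannot silently
    turn into a missing deny rule (assumption: strict parsing is preferable here).
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps quoted values such as "C=GB,O=ACME,L=London,CN=*" as one field
        fields = shlex.split(line)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        scope, aclname, action, value = fields
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if action == "policy" and value not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: policy must be allow or deny")
        entries.append(Entry(scope, aclname, action, value))
    return entries


def check_access(entries: List[Entry], vm_name: str, aclname: str, client: str) -> bool:
    """Decide whether 'client' passes ACL 'aclname' for the VM named 'vm_name'.

    Only entries whose scope glob matches the VM and whose aclname matches are
    considered. Policy entries set the default; the first allow/deny whose value
    glob matches the client wins. With no policy line the answer is deny.
    """
    default = False  # assumption: fail closed if the ACL has no policy line
    for e in entries:
        if e.aclname != aclname or not fnmatch.fnmatchcase(vm_name, e.scope):
            continue
        if e.action == "policy":
            default = e.value == "allow"
            continue
        if fnmatch.fnmatchcase(client, e.value):
            return e.action == "allow"
    return default


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for vm, name, who in [("demo", "vnc.username", "fred"),
                          ("other", "vnc.username", "fred"),
                          ("other", "vnc.x509dname", "C=GB,O=ACME,L=London,CN=alice")]:
        print(vm, name, who, "->", "allow" if check_access(acl, vm, name, who) else "deny")
```

Two points worth noticing when running it: `fnmatchcase` is used rather than `fnmatch` so that matching is case-sensitive on every platform, and the `CN=*` glob in the London rule matches any suffix, which is exactly the breadth the comment in the sample intends, so a distinguished-name ACL should be written with the full prefix fixed and only the CN left open.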
