From: Anthony Liguori
Date: Sat, 14 Feb 2009 16:16:25 -0600
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 7/7: Add external persistent ACL file
Message-ID: <499742B9.5060201@codemonkey.ws>
References: <20090212145302.GO9894@redhat.com> <20090212150449.GW9894@redhat.com>
In-Reply-To: <20090212150449.GW9894@redhat.com>

Daniel P. Berrange wrote:
> This patch introduces a simple access control file capability
> for authorizing clients of QEMU's various network services.
> The file is designed such that it can be shared amongst multiple
> QEMU instances. The style of commands is similar to that used
> in the monitor ACL commands. It is a line oriented format, with
> comments indicated by leading '#'. Each non-comment line consists
> of 4 fields, 'scope', 'aclname', 'action' and 'value'.
>
> The scope allows control over what VMs the rule applies to. This
> is a glob, so '*' matches any VM. An explicit value can be matched
> against the VM name, as given by the '-name' argument.
>
> The aclname is one of the ACLs defined by QEMU, either vnc.username
> or vnc.x509dname for now. More later perhaps.
>
> The action can be one of 'policy', 'allow', or 'deny'. The policy
> sets the default allow/deny state for the ACL, if no rules match.
>
> Finally the 'value' is another glob matching against the client
> name being checked.
>
> An example showing use of both SASL username ACLs, and x509 client
> certificate distinguished name ACLs.
>
>   # Default deny all for all SASL authenticated users in all VMs
>   * vnc.username policy deny
>
>   # Allow bob access to all VMs
>   * vnc.username allow bob
>
>   # Allow fred and test access to the VM named 'demo'
>   demo vnc.username allow fred
>   demo vnc.username allow test
>
>
>   # Deny all x509 client certificates on all VMs
>   * vnc.x509dname policy deny
>
>   # Allow all users from the ACME, London office to all VMs
>   * vnc.x509dname allow "C=GB,O=ACME,L=London,CN=*"
>
>   # Allow Joe from Boston, access to VM 'demo'
>   demo vnc.x509dname allow "C=GB,O=ACME,L=Boston,CN=joe"
>

I feel really uncomfortable with this especially since Markus is now
working on configuration file support. It seems to me that we'll want to
store any ACL information in the host configuration file.

Unless there's a really strong case that you always want ACLs to be
stored in a separate file, I'd rather wait to see how the host
configuration file stuff turns out before applying this.

I assume that libvirt will use the monitor interface anyway so
presumably, it's not a huge problem to wait on this?

Regards,

Anthony Liguori
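
An added example, not part of the original message or of the patch under discussion: a small C evaluator for the four-field ACL file format described in the quoted text, run against rules taken from the quoted example. The function name `acl_check`, first-match-wins ordering, and default deny when an ACL has no policy line are assumptions, since the thread does not state them.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample based on the rules quoted in the message. */
static const char *SAMPLE_ACL =
    "# SASL usernames\n"
    "* vnc.username policy deny\n"
    "* vnc.username allow bob\n"
    "demo vnc.username allow fred\n"
    "* vnc.x509dname policy deny\n"
    "* vnc.x509dname allow \"C=GB,O=ACME,L=London,CN=*\"\n"
    "demo vnc.x509dname allow \"C=GB,O=ACME,L=Boston,CN=joe\"\n";

/* Returns 1 (allow), 0 (deny) or -1 (malformed line). Assumed, not stated
 * in the thread: the first matching allow/deny rule wins, and an ACL with
 * no policy line defaults to deny. */
int acl_check(const char *text, const char *vm, const char *acl, const char *client)
{
    char line[256], scope[64], name[64], action[16], value[128];
    int policy = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof(line)) return -1;        /* over-long line */
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');
        const char *p = line + strspn(line, " \t");
        if (*p == '#' || *p == '\0') continue;   /* comment or blank */
        /* Four fields; value is "quoted" or a bare word, extra text ignored. */
        if (sscanf(p, "%63s %63s %15s \"%127[^\"]\"", scope, name, action, value) != 4 &&
            sscanf(p, "%63s %63s %15s %127s", scope, name, action, value) != 4)
            return -1;
        int is_policy = strcmp(action, "policy") == 0;
        const char *verdict = is_policy ? value : action;
        int allow = strcmp(verdict, "allow") == 0;
        if (!allow && strcmp(verdict, "deny") != 0) return -1;
        if (fnmatch(scope, vm, 0) != 0 || strcmp(name, acl) != 0)
            continue;                            /* other VM or other ACL */
        if (is_policy) policy = allow;           /* default if nothing matches */
        else if (fnmatch(value, client, 0) == 0) return allow;
    }
    return policy;
}

int main(void)
{
    printf("fred on demo: %d\n", acl_check(SAMPLE_ACL, "demo", "vnc.username", "fred"));
    return 0;
}
```

Because the scope is matched against the VM name, the same file gives `fred` access on `demo` and denies him on every other VM, which is what allows one file to be shared between QEMU instances.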