From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: "Andreas Färber" <afaerber@suse.de>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Thu, 21 Jun 2018 10:30:59 -0500 [thread overview]
Message-ID: <c32feaa0-3a5b-3781-0f9e-21274f87b58b@redhat.com> (raw)
In-Reply-To: <20180615154203.11347-10-berrange@redhat.com>
On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> Add a QAuthZListFile object type that implements the QAuthZ interface. This
> built-in implementation is a proxy around the QAtuhZList object type,
> initializing it from an external file, and optionally, automatically
> reloading it whenever it changes.
>
> To create an instance of this object via the QMP monitor, the syntax
> used would be:
>
> {
> "execute": "object-add",
> "arguments": {
> "qom-type": "authz-list",
> "id": "auth0",
> "parameters": {
> "filename": "/etc/qemu/vnc.acl",
> "refresh": "yes"
Would this be better as a JSON bool instead of a "yes"/"no" string?
TAB damage.
> }
> }
> }
>
> If "refresh" is "yes", inotify is used to monitor the file,
> automatically reloading changes. If an error occurs during reloading,
> all authorizations will fail until the file is next successfully
> loaded.
>
> The /etc/qemu/vnc.acl file would contain a JSON representation of a
> QAuthZList object
>
> {
> "rules": [
> { "match": "fred", "policy": "allow", "format": "exact" },
> { "match": "bob", "policy": "allow", "format": "exact" },
> { "match": "danb", "policy": "deny", "format": "glob" },
> { "match": "dan*", "policy": "allow", "format": "exact" },
> ],
> "policy": "deny"
> }
>
> This sets up an authorization rule that allows 'fred', 'bob' and anyone
> whose name starts with 'dan', except for 'danb'. Everyone unmatched is
> denied.
>
> The object can be loaded on the comand line using
s/comand/command/
>
> -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes
Double dash, for the sake of qemu-img
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> +/**
> + * QAuthZListFile:
> + *
> + * This authorization driver provides a file mechanism
> + * for granting access by matching user names against a
> + * file of globs. Each match rule has an associated policy
> + * and a catch all policy applies if no rule matches
> + *
> + * To create an instance of this class via QMP:
> + *
> + * {
> + * "execute": "object-add",
> + * "arguments": {
> + * "qom-type": "authz-list-file",
> + * "id": "authz0",
> + * "parameters": {
> + * "filename": "/etc/qemu/myvm-vnc.acl",
> + * "refresh": "yes"
> + * }
If you change the commit message to use bool, also change this comment
to match.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2018-06-21 15:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-15 15:41 [Qemu-devel] [PATCH v2 00/11] Add a standard authorization framework Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 01/11] util: add helper APIs for dealing with inotify in portable manner Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 02/11] qom: don't require user creatable objects to be registered Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 03/11] hw/usb: don't set IN_ISDIR for inotify watch in MTP driver Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 04/11] hw/usb: fix const-ness for string params " Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 05/11] hw/usb: switch MTP to use new inotify APIs Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 06/11] authz: add QAuthZ object as an authorization base class Daniel P. Berrangé
2018-06-15 15:41 ` [Qemu-devel] [PATCH v2 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks Daniel P. Berrangé
2018-06-15 15:42 ` [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list Daniel P. Berrangé
2018-06-21 15:28 ` Eric Blake
2018-06-21 15:39 ` Daniel P. Berrangé
2018-06-21 16:36 ` Markus Armbruster
2018-06-22 8:41 ` Daniel P. Berrangé
2018-06-15 15:42 ` [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file " Daniel P. Berrangé
2018-06-21 15:30 ` Eric Blake [this message]
2018-06-21 15:40 ` Daniel P. Berrangé
2018-06-15 15:42 ` [Qemu-devel] [PATCH v2 10/11] authz: add QAuthZPAM object type for authorizing using PAM Daniel P. Berrangé
2018-06-15 15:42 ` [Qemu-devel] [PATCH v2 11/11] authz: delete existing ACL implementation Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c32feaa0-3a5b-3781-0f9e-21274f87b58b@redhat.com \
--to=eblake@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).