From: Daniel P. Berrangé
Subject: Re: [Qemu-devel] [PATCH 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove
Date: Tue, 19 Jun 2018 13:52:12 +0100
User-agent: Mutt/1.9.5 (2018-04-13)

On Tue, Jun 19, 2018 at 01:31:40PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (address@hidden) wrote:
> > The various ACL related commands are obsolete now that the QAuthZ
> > framework for authorization is fully integrated throughout QEMU network
> > services. Mark it as deprecated with no replacement to be provided.
> >
> > Signed-off-by: Daniel P. Berrangé <address@hidden>
>
> OK, so I can do all these by using object_add/object_del with the right
> type and parameters?
It is a different paradigm for the way you manage it, but the end result
allows the same thing to be achieved, in a more flexible way.

With the old way, we precreated an ACL object for VNC, and then you
had to use these commands to add/remove individual match rules and/or
change the policy, etc. You could never create/delete the ACL itself.

With the new way, we have 4 different ACL implementations (so far)
and you can choose which to use. So you create the entire ACL with
all its rules populated atomically with object_add. There's no
create/delete of individual rules within the ACL, so if you want to
change rules you just delete the entire ACL & create it again. It
has a failsafe to reject in case a client connects between the time
you delete and recreate.

One of the ACL impls allows storing the rules in a standalone text
file which we monitor with inotify. So in fact using that you can
update rules on the fly without needing QEMU interaction - just
change the content whenever needed.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
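
As an added illustration of the rule model described in the reply above (this is example code, not QEMU's implementation or part of the patch series): a small Python model of how an ordered rule list with a default policy is evaluated, reading the JSON layout QEMU documents for its file-backed list driver (authz-listfile). The distinguished names are constructed samples, and glob matching uses Python's fnmatch as an approximation of QEMU's pattern matcher.

```python
import fnmatch
import json

# Constructed sample in the JSON layout QEMU's authz-listfile driver reads: an
# ordered list of rules plus the default policy used when no rule matches.
# Identities are TLS x509 distinguished names, as a VNC/NBD server sees them.
SAMPLE_RULES_JSON = """
{
  "policy": "deny",
  "rules": [
    {"match": "CN=revoked,O=Example", "policy": "deny",  "format": "exact"},
    {"match": "CN=*,O=Example",       "policy": "allow", "format": "glob"}
  ]
}
"""

VALID_POLICIES = {"allow", "deny"}
VALID_FORMATS = {"exact", "glob"}


def load_rules(text):
    """Parse and validate a listfile-style document.

    Malformed rules raise instead of being skipped, so a broken file cannot
    silently degrade into 'no rules, default policy only'.
    """
    doc = json.loads(text)
    if doc.get("policy") not in VALID_POLICIES:
        raise ValueError("default policy must be 'allow' or 'deny'")
    rules = doc.get("rules", [])
    for rule in rules:
        if not isinstance(rule.get("match"), str):
            raise ValueError("rule 'match' must be a string")
        if rule.get("policy") not in VALID_POLICIES:
            raise ValueError("rule policy must be 'allow' or 'deny'")
        if rule.get("format", "exact") not in VALID_FORMATS:
            raise ValueError("rule format must be 'exact' or 'glob'")
    return {"policy": doc["policy"], "rules": rules}


def is_allowed(doc, identity):
    """First matching rule decides; otherwise the default policy applies."""
    for rule in doc["rules"]:
        if rule.get("format", "exact") == "glob":
            # fnmatch approximates QEMU's glob: '*' and '?' wildcards.
            matched = fnmatch.fnmatchcase(identity, rule["match"])
        else:
            matched = identity == rule["match"]
        if matched:
            return rule["policy"] == "allow"
    return doc["policy"] == "allow"
```

Because the first match wins, a specific deny must precede the broad glob allow; swapping the two rules in the sample would let the revoked identity through.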