[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list |
|
Date: |
Wed, 20 Jun 2018 12:55:38 +0100 |
|
User-agent: |
Mutt/1.9.5 (2018-04-13) |
On Wed, Jun 20, 2018 at 12:38:42PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (address@hidden) wrote:
> > On Wed, Jun 20, 2018 at 12:29:38PM +0100, Dr. David Alan Gilbert wrote:
> > > * Daniel P. Berrangé (address@hidden) wrote:
> > > > On Wed, Jun 20, 2018 at 11:58:01AM +0100, Dr. David Alan Gilbert wrote:
> > > > > * Daniel P. Berrangé (address@hidden) wrote:
> > > > > > Add a QAuthZListFile object type that implements the QAuthZ
> > > > > > interface. This
> > > > > > built-in implementation is a proxy around the QAtuhZList object
> > > > > > type,
> > > > > > initializing it from an external file, and optionally, automatically
> > > > > > reloading it whenever it changes.
> > > > > >
> > > > > > To create an instance of this object via the QMP monitor, the syntax
> > > > > > used would be:
> > > > > >
> > > > > > {
> > > > > > "execute": "object-add",
> > > > > > "arguments": {
> > > > > > "qom-type": "authz-list-file",
> > > > > > "id": "authz0",
> > > > > > "parameters": {
> > > > > > "filename": "/etc/qemu/vnc.acl",
> > > > > > "refresh": "yes"
> > > > > > }
> > > > > > }
> > > > > > }
> > > > > >
> > > > > > If "refresh" is "yes", inotify is used to monitor the file,
> > > > > > automatically reloading changes. If an error occurs during
> > > > > > reloading,
> > > > > > all authorizations will fail until the file is next successfully
> > > > > > loaded.
> > > > >
> > > > > I'm curious about the 'refresh' stuff:
> > > > > a) If refresh=no is there a way to explicitly ask for a refresh
> > > > > when some tool knows it's finished with fiddling with the file.
> > > >
> > > > If refresh=no, then you can still use object_del + object_add to
> > > > recreate the ACL object which will cause new content to be picked
> > > > up.
> > >
> > > But if I have a VNC/NBD/etc listening, won't it be bound to the old
> > > object, so I can't delete the old object?
> >
> > That's ok actually - the network servers merely record the ID of the
> > authz object. They resolve that to an actual object instance at the
> > time they do the authorization check, and failsafe to DENY if it is
> > missing. So you can safely delete & recreate on the fly.
>
> OK, that needs documenting; binding it at the time of parsing wouldn't
> be surprising to anyone except for that use.
I'll document that explicitly against each network service that I wire this
functionality up to, in the second dependent patch series.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v3 04/11] hw/usb: fix const-ness for string params in MTP driver, (continued)
- [Qemu-devel] [PATCH v3 04/11] hw/usb: fix const-ness for string params in MTP driver, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 05/11] hw/usb: switch MTP to use new inotify APIs, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 06/11] authz: add QAuthZ object as an authorization base class, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 08/11] authz: add QAuthZList object type for an access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 10/11] authz: add QAuthZPAM object type for authorizing using PAM, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 11/11] authz: delete existing ACL implementation, Daniel P . Berrangé, 2018/06/20