qemu-devel

Re: [Qemu-devel] [PATCH v5 08/11] authz: add QAuthZList object type for


From: Philippe Mathieu-Daudé
Subject: Re: [Qemu-devel] [PATCH v5 08/11] authz: add QAuthZList object type for an access control list
Date: Fri, 19 Oct 2018 14:55:55 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 19/10/2018 14:41, Daniel P. Berrangé wrote:
> On Fri, Oct 19, 2018 at 11:57:45AM +0200, Philippe Mathieu-Daudé wrote:
>> On 09/10/2018 15:04, Daniel P. Berrangé wrote:
>>> From: "Daniel P. Berrange" <address@hidden>
>>>
>>> Add a QAuthZList object type that implements the QAuthZ interface. This
>>> built-in implementation maintains a trivial access control list with a
>>> sequence of match rules and a final default policy. This replicates the
>>> functionality currently provided by the qemu_acl module.
>>>
>>> To create an instance of this object via the QMP monitor, the syntax
>>> used would be:
>>>
>>>   {
>>>     "execute": "object-add",
>>>     "arguments": {
>>>       "qom-type": "authz-list",
>>>       "id": "authz0",
>>>       "parameters": {
>>>         "rules": [
>>>            { "match": "fred", "policy": "allow", "format": "exact" },
>>>            { "match": "bob", "policy": "allow", "format": "exact" },
>>>            { "match": "danb", "policy": "deny", "format": "glob" },
>>>            { "match": "dan*", "policy": "allow", "format": "exact" },
>>>         ],
>>>         "policy": "deny"
>>>       }
>>>     }
>>>   }
>>>
>>> This sets up an authorization rule that allows 'fred', 'bob' and anyone
>>> whose name starts with 'dan', except for 'danb'. Everyone unmatched is
>>> denied.
>>>
>>> It is not currently possible to create this via -object, since there is
>>> no syntax supported to specify non-scalar properties for objects. This
>>> is likely to be addressed by later support for using JSON with -object,
>>> or an equivalent approach.
>>>
>>> In any case the future "authz-listfile" object can be used from the
>>> CLI and is likely a better choice, as it allows the ACL to be refreshed
>>> automatically on change.
>>> +static void
>>> +qauthz_list_prop_set_policy(Object *obj,
>>> +                            int value,
>>> +                            Error **errp G_GNUC_UNUSED)
>>> +{
>>> +    QAuthZList *bauthz = QAUTHZ_LIST(obj);
>>> +
>>
>> Here:
>>
>>        g_free(bauthz->policy);
> 
> 'policy' is an integer, so I don't think we need g_free(0x1) :-)

Oops :^)

> 
>>
>>> +    bauthz->policy = value;
>>> +}
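Review bot: In qauthz_list_prop_set_policy(), `bauthz->policy = value;` stores the incoming int with no range check, and errp is marked G_GNUC_UNUSED, so the setter has no way to reject a bad value. If the property layer that calls this setter already restricts `value` to the defined policy values, a one-line comment saying so would make that dependency explicit. Otherwise, validate here and report through errp, so the list's final default policy can never hold anything other than allow or deny.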
> 
> Regards,
> Daniel
> 
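An added sketch (not code from the patch or from QEMU) of the first-match evaluation the commit message describes, with hypothetical type and function names and POSIX `fnmatch()` assumed as the glob matcher. It evaluates one rule set whose formats produce the described behaviour and one with the formats copied literally from the JSON example; in this sketch a `dan*` rule tagged `exact` matches only that literal string.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this sketch; these are not QEMU's own types. */
enum policy { DENY, ALLOW };
enum format { EXACT, GLOB };
struct rule { const char *match; enum policy policy; enum format format; };

/* First matching rule decides; the default policy applies when none match. */
static bool acl_is_allowed(const struct rule *rules, size_t n,
                           enum policy dflt, const char *identity)
{
    for (size_t i = 0; i < n; i++) {
        /* Assumption: POSIX fnmatch() stands in for the glob matcher. */
        bool hit = rules[i].format == GLOB
            ? fnmatch(rules[i].match, identity, 0) == 0
            : strcmp(rules[i].match, identity) == 0;
        if (hit) {
            return rules[i].policy == ALLOW;
        }
    }
    return dflt == ALLOW;
}

/* Constructed rule set: formats chosen so the list behaves as described. */
static const struct rule described[] = {
    { "fred", ALLOW, EXACT },
    { "bob",  ALLOW, EXACT },
    { "danb", DENY,  EXACT },
    { "dan*", ALLOW, GLOB  },
};

/* Constructed rule set: formats copied literally from the JSON example. */
static const struct rule as_written[] = {
    { "fred", ALLOW, EXACT },
    { "bob",  ALLOW, EXACT },
    { "danb", DENY,  GLOB  },
    { "dan*", ALLOW, EXACT },
};

static bool check_described(const char *id) { return acl_is_allowed(described, 4, DENY, id); }
static bool check_as_written(const char *id) { return acl_is_allowed(as_written, 4, DENY, id); }

int main(void)
{
    return check_described("dana") && !check_as_written("dana") ? 0 : 1;
}
```

Rule order matters as much as format: moving the `danb` deny rule below the `dan*` allow rule would let `danb` through, because evaluation stops at the first match.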


