Re: [Qemu-devel] [PATCH v6 09/11] authz: add QAuthZListFile object type for a file access control list

From: Daniel P. Berrangé
Subject: Re: [Qemu-devel] [PATCH v6 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Thu, 15 Nov 2018 10:33:14 +0000
User-agent: Mutt/1.10.1 (2018-07-13)
On Thu, Nov 08, 2018 at 02:23:34AM +0400, Marc-André Lureau wrote:
> On Fri, Oct 19, 2018 at 5:42 PM Daniel P. Berrangé <address@hidden> wrote:
> >
> > Add a QAuthZListFile object type that implements the QAuthZ interface. This
> > built-in implementation is a proxy around the QAuthZList object type,
> > initializing it from an external file, and optionally, automatically
> > reloading it whenever it changes.
> >
> > To create an instance of this object via the QMP monitor, the syntax
> > used would be:
> >
> > {
> >   "execute": "object-add",
> >   "arguments": {
> >     "qom-type": "authz-list-file",
> >     "id": "authz0",
> >     "parameters": {
> >       "filename": "/etc/qemu/vnc.acl",
> >       "refresh": "yes"
> >     }
> >   }
> > }
> >
> > If "refresh" is "yes", inotify is used to monitor the file,
> > automatically reloading changes. If an error occurs during reloading,
> > all authorizations will fail until the file is next successfully
> > loaded.
> >
> > The /etc/qemu/vnc.acl file would contain a JSON representation of a
> > QAuthZList object
> >
> > {
> >   "rules": [
> >     { "match": "fred", "policy": "allow", "format": "exact" },
> >     { "match": "bob", "policy": "allow", "format": "exact" },
> >     { "match": "danb", "policy": "deny", "format": "glob" },
> >     { "match": "dan*", "policy": "allow", "format": "exact" },
> >   ],
> >   "policy": "deny"
> > }
> >
> > This sets up an authorization rule that allows 'fred', 'bob' and anyone
> > whose name starts with 'dan', except for 'danb'. Everyone unmatched is
> > denied.
> >
> > The object can be loaded on the command line using
> >
> > -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes
> >
> > Signed-off-by: Daniel P. Berrangé <address@hidden>
> > ---
> > include/authz/listfile.h | 110 +++++++++++++++
> > authz/listfile.c | 286 +++++++++++++++++++++++++++++++++++++++
> > authz/Makefile.objs | 1 +
> > authz/trace-events | 4 +
> > qemu-options.hx | 46 +++++++
> > 5 files changed, 447 insertions(+)
> > create mode 100644 include/authz/listfile.h
> > create mode 100644 authz/listfile.c
> > +static void
> > +qauthz_list_file_prop_set_filename(Object *obj,
> > + const char *value,
> > + Error **errp G_GNUC_UNUSED)
> > +{
> > + QAuthZListFile *fauthz = QAUTHZ_LIST_FILE(obj);
> > +
> > + fauthz->filename = g_strdup(value);
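Review bot: the setter stores `fauthz->filename = g_strdup(value);` without releasing whatever string the field already holds, so setting the `filename` property a second time leaks the previous buffer. Add `g_free(fauthz->filename);` immediately before the assignment; note that `errp` is marked `G_GNUC_UNUSED`, so nothing in this setter rejects a repeated set.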
>
> Either prevent modifying the filename, or free the existing value.
I'm freeing the existing value.
>
> other than that (and the lack of test)
...and adding a test
> Reviewed-by: Marc-André Lureau <address@hidden>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
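The commit message above describes the access-control semantics that the file-backed list enforces: per-rule exact or glob matching, an allow/deny verdict per rule, a default policy for unmatched identities, and a fail-closed state after a failed reload. The following is an added example and is not QEMU's authz code: it models those rules with a plain struct array instead of the JSON file, assumes first-match-wins ordering, represents the "reload failed" state as a `loaded` flag, and uses constructed identities. To reproduce the outcome the commit message describes (danb denied, every other dan* allowed), the sample rule set here gives "danb" the exact format and "dan*" the glob format.

```c
/* Added example (not QEMU code): minimal evaluator for an authz-list style
 * access control list. First-match-wins ordering and the fail-closed
 * "loaded" flag are assumptions made for this illustration. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { POLICY_DENY = 0, POLICY_ALLOW = 1 } AclPolicy;
typedef enum { FORMAT_EXACT, FORMAT_GLOB } AclFormat;

typedef struct {
    const char *match;   /* identity string or glob pattern */
    AclPolicy policy;    /* verdict when this rule matches */
    AclFormat format;    /* how "match" is compared */
} AclRule;

typedef struct {
    const AclRule *rules;
    size_t nrules;
    AclPolicy default_policy;  /* applied when no rule matches */
    bool loaded;  /* false after a failed reload: every check is denied */
} AclList;

static bool rule_matches(const AclRule *rule, const char *identity)
{
    if (rule->format == FORMAT_EXACT) {
        return strcmp(rule->match, identity) == 0;
    }
    /* glob: shell-style wildcards via fnmatch(3) */
    return fnmatch(rule->match, identity, 0) == 0;
}

/* Returns true if identity is allowed. The first matching rule decides
 * (assumed ordering); unmatched identities fall back to default_policy.
 * If the list is not in a loaded state, the check fails closed. */
bool acl_is_allowed(const AclList *acl, const char *identity)
{
    if (!acl->loaded) {
        return false;
    }
    for (size_t i = 0; i < acl->nrules; i++) {
        if (rule_matches(&acl->rules[i], identity)) {
            return acl->rules[i].policy == POLICY_ALLOW;
        }
    }
    return acl->default_policy == POLICY_ALLOW;
}

/* Constructed rule set with the intent of the commit message's example:
 * fred and bob allowed, danb denied, any other dan* allowed, rest denied. */
static const AclRule sample_rules[] = {
    { "fred", POLICY_ALLOW, FORMAT_EXACT },
    { "bob",  POLICY_ALLOW, FORMAT_EXACT },
    { "danb", POLICY_DENY,  FORMAT_EXACT },
    { "dan*", POLICY_ALLOW, FORMAT_GLOB  },
};

const AclList sample_acl = {
    sample_rules, sizeof(sample_rules) / sizeof(sample_rules[0]),
    POLICY_DENY, true
};

/* Same rules, modelling the state after a reload of the file failed. */
const AclList failed_reload_acl = {
    sample_rules, sizeof(sample_rules) / sizeof(sample_rules[0]),
    POLICY_DENY, false
};

int main(void)
{
    /* Constructed identities exercising each branch of the rule set. */
    const char *ids[] = { "fred", "bob", "danb", "dan", "danny", "alice" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        printf("%-6s -> %s\n", ids[i],
               acl_is_allowed(&sample_acl, ids[i]) ? "allow" : "deny");
    }
    printf("fred after failed reload -> %s\n",
           acl_is_allowed(&failed_reload_acl, "fred") ? "allow" : "deny");
    return 0;
}
```

Keeping the deny-on-unloaded check ahead of rule evaluation is what gives the "all authorizations fail until the file is next successfully loaded" behaviour: a reload error must never leave the previous rules silently in force, nor fall through to a permissive default.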