qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v6 09/11] authz: add QAuthZListFile object type

From: Daniel P . Berrangé
Subject: Re: [Qemu-devel] [PATCH v6 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Thu, 15 Nov 2018 10:33:14 +0000
User-agent: Mutt/1.10.1 (2018-07-13) 
On Thu, Nov 08, 2018 at 02:23:34AM +0400, Marc-André Lureau wrote:
> On Fri, Oct 19, 2018 at 5:42 PM Daniel P. Berrangé <address@hidden> wrote:
> >
> > Add a QAuthZListFile object type that implements the QAuthZ interface. This
> > built-in implementation is a proxy around the QAtuhZList object type,
> > initializing it from an external file, and optionally, automatically
> > reloading it whenever it changes.
> >
> > To create an instance of this object via the QMP monitor, the syntax
> > used would be:
> >
> >       {
> >         "execute": "object-add",
> >         "arguments": {
> >           "qom-type": "authz-list-file",
> >           "id": "authz0",
> >           "parameters": {
> >             "filename": "/etc/qemu/vnc.acl",
> >             "refresh": "yes"
> >           }
> >         }
> >       }
> >
> > If "refresh" is "yes", inotify is used to monitor the file,
> > automatically reloading changes. If an error occurs during reloading,
> > all authorizations will fail until the file is next successfully
> > loaded.
> >
> > The /etc/qemu/vnc.acl file would contain a JSON representation of a
> > QAuthZList object
> >
> >     {
> >       "rules": [
> >          { "match": "fred", "policy": "allow", "format": "exact" },
> >          { "match": "bob", "policy": "allow", "format": "exact" },
> >          { "match": "danb", "policy": "deny", "format": "glob" },
> >          { "match": "dan*", "policy": "allow", "format": "exact" },
> >       ],
> >       "policy": "deny"
> >     }
> >
> > This sets up an authorization rule that allows 'fred', 'bob' and anyone
> > whose name starts with 'dan', except for 'danb'. Everyone unmatched is
> > denied.
> >
> > The object can be loaded on the comand line using
> >
> >    -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes
> >
> > Signed-off-by: Daniel P. Berrangé <address@hidden>
> > ---
> >  include/authz/listfile.h | 110 +++++++++++++++
> >  authz/listfile.c         | 286 +++++++++++++++++++++++++++++++++++++++
> >  authz/Makefile.objs      |   1 +
> >  authz/trace-events       |   4 +
> >  qemu-options.hx          |  46 +++++++
> >  5 files changed, 447 insertions(+)
> >  create mode 100644 include/authz/listfile.h
> >  create mode 100644 authz/listfile.c

> > +static void
> > +qauthz_list_file_prop_set_filename(Object *obj,
> > +                                   const char *value,
> > +                                   Error **errp G_GNUC_UNUSED)
> > +{
> > +    QAuthZListFile *fauthz = QAUTHZ_LIST_FILE(obj);
> > +
> > +    fauthz->filename = g_strdup(value);
> 
> Either prevent from modifying the filename, or free the exisiting value.

I'm freeing existing value.

> 
> other than that (and the lack of test)

...and adding a test

> Reviewed-by: Marc-André Lureau <address@hidden>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
reply via email to
[Prev in Thread] Current Thread [Next in Thread]