[libvirt] [PATCH v4 00/17] Add authorization support to all network services

Daniel P. Berrangé posted 17 patches 5 years, 2 months ago
  v1: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg04482.html
  v2: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg05727.html
  v3: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg01639.html

This series builds on the core authorization framework:

  v8: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04253.html

enabling its use with the VNC, chardev, NBD and migration network servers.

In combination with TLS x509 client certificates, this allows these
services to whitelist specific clients, which avoids the need to set up
restricted child certificate authorities.

In VNC it also allows whitelisting based on SASL user names.
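As an added illustration of the access-control-list semantics that the authz-list and authz-listfile objects in this series provide (an educational model written for this page, not QEMU's own code): rules are evaluated top to bottom, the first match decides, and the top-level policy applies to any identity that matches no rule. The JSON layout and the x509 DN / SASL identities below are constructed, and fnmatch is assumed to stand in for the simple '*'/'?' glob matching QEMU uses.

```python
"""Model of first-match-wins ACL evaluation with a default policy."""
import fnmatch
import json
from typing import Dict

# Constructed sample in the JSON layout an authz-listfile object reads.
# A specific deny is placed BEFORE the broad glob allow so that it wins;
# the reverse order would silently re-admit the revoked client.
SAMPLE_LISTFILE = """
{
  "rules": [
    { "match": "CN=revoked.example.org,O=Example Org", "policy": "deny",  "format": "exact" },
    { "match": "CN=*,O=Example Org",                   "policy": "allow", "format": "glob"  },
    { "match": "fred",                                 "policy": "allow", "format": "exact" }
  ],
  "policy": "deny"
}
"""


def load_rules(listfile_text: str) -> Dict:
    """Parse and validate an ACL document; reject unknown policies/formats."""
    acl = json.loads(listfile_text)
    if acl.get("policy") not in ("allow", "deny"):
        raise ValueError("default policy must be 'allow' or 'deny'")
    for rule in acl.get("rules", []):
        if rule.get("policy") not in ("allow", "deny"):
            raise ValueError(f"bad policy in rule {rule!r}")
        if rule.get("format", "exact") not in ("exact", "glob"):
            raise ValueError(f"bad format in rule {rule!r}")
    return acl


def is_allowed(acl: Dict, identity: str) -> bool:
    """First matching rule decides; no match falls through to the default policy."""
    for rule in acl.get("rules", []):
        if rule.get("format", "exact") == "glob":
            # Assumption: fnmatch approximates GLib-style '*'/'?' matching.
            matched = fnmatch.fnmatchcase(identity, rule["match"])
        else:
            matched = identity == rule["match"]
        if matched:
            return rule["policy"] == "allow"
    return acl["policy"] == "allow"


if __name__ == "__main__":
    acl = load_rules(SAMPLE_LISTFILE)
    for ident in ("CN=laptop.example.org,O=Example Org",
                  "CN=revoked.example.org,O=Example Org",
                  "fred", "CN=laptop.example.org,O=Other Corp"):
        print(f"{ident!r}: {'allow' if is_allowed(acl, ident) else 'deny'}")
```

Note that a glob such as `CN=*,O=Example Org` only matches identities whose DN ends exactly in `,O=Example Org`; a DN carrying further components (for example a trailing `,C=GB`) falls through to the default deny.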

Changed in v4:

  - Update deprecation versions to 4.0
  - Rebased to latest git

Changed in v3:

  - Rebased to latest git master

Changed in v2:

 - Document that authz objects are resolved at time of use, not
   time of network service activation
 - Improve docs for tls-authz parameters on services
 - Fix 2.13 -> 3.0 version tags
 - Remove redundant conditionals around g_strdup
 - Fix arg syntax for qemu-nbd  s/-/--/
 - Remove QAPI (optional) annotation
 - Fix some outdated usage examples

Based-on: <20190215155709.15777-1-berrange@redhat.com>

Daniel P. Berrangé (17):
  util: add helper APIs for dealing with inotify in portable manner
  qom: don't require user creatable objects to be registered
  hw/usb: don't set IN_ISDIR for inotify watch in MTP driver
  hw/usb: fix const-ness for string params in MTP driver
  hw/usb: switch MTP to use new inotify APIs
  authz: add QAuthZ object as an authorization base class
  authz: add QAuthZSimple object type for easy whitelist auth checks
  authz: add QAuthZList object type for an access control list
  authz: add QAuthZListFile object type for a file access control list
  authz: add QAuthZPAM object type for authorizing using PAM
  authz: delete existing ACL implementation
  qemu-nbd: add support for authorization of TLS clients
  nbd: allow authorization with nbd-server-start QMP command
  migration: add support for a "tls-authz" migration parameter
  chardev: add support for authorization for TLS clients
  vnc: allow specifying a custom authorization object name
  monitor: deprecate acl_show, acl_reset, acl_policy, acl_add,
    acl_remove

 MAINTAINERS                    |  15 +
 Makefile                       |  10 +-
 Makefile.objs                  |  10 +-
 Makefile.target                |   2 +
 authz/Makefile.objs            |   7 +
 authz/base.c                   |  82 ++++
 authz/list.c                   | 271 +++++++++++++
 authz/listfile.c               | 283 ++++++++++++++
 authz/pamacct.c                | 149 +++++++
 authz/simple.c                 | 115 ++++++
 authz/trace-events             |  18 +
 blockdev-nbd.c                 |  11 +-
 chardev/char-socket.c          |  12 +-
 chardev/char.c                 |   3 +
 configure                      |  54 ++-
 crypto/tlssession.c            |  35 +-
 crypto/trace-events            |   2 +-
 hmp.c                          |  11 +-
 hw/usb/dev-mtp.c               | 281 ++++++--------
 hw/usb/trace-events            |   2 +-
 include/authz/base.h           | 112 ++++++
 include/authz/list.h           | 106 +++++
 include/authz/listfile.h       | 111 ++++++
 include/authz/pamacct.h        | 100 +++++
 include/authz/simple.h         |  84 ++++
 include/block/nbd.h            |   4 +-
 include/qemu/acl.h             |  66 ----
 include/qemu/filemonitor.h     | 128 ++++++
 migration/migration.c          |   8 +
 migration/tls.c                |   2 +-
 monitor.c                      | 202 +++++++---
 nbd/server.c                   |  10 +-
 qapi/authz.json                |  58 +++
 qapi/block.json                |   8 +-
 qapi/char.json                 |   6 +
 qapi/migration.json            |  14 +-
 qapi/qapi-schema.json          |   1 +
 qemu-deprecated.texi           |  11 +
 qemu-nbd.c                     |  14 +-
 qemu-nbd.texi                  |   4 +
 qemu-options.hx                | 149 ++++++-
 qom/object.c                   |  12 +-
 qom/object_interfaces.c        |  16 +-
 tests/Makefile.include         |  16 +-
 tests/qemu-iotests/233         |  31 +-
 tests/qemu-iotests/233.out     |  11 +
 tests/test-authz-list.c        | 159 ++++++++
 tests/test-authz-listfile.c    | 195 ++++++++++
 tests/test-authz-pam.c         | 124 ++++++
 tests/test-authz-simple.c      |  50 +++
 tests/test-crypto-tlssession.c |  15 +-
 tests/test-io-channel-tls.c    |  16 +-
 tests/test-util-filemonitor.c  | 685 +++++++++++++++++++++++++++++++++
 ui/vnc-auth-sasl.c             |  23 +-
 ui/vnc-auth-sasl.h             |   5 +-
 ui/vnc-auth-vencrypt.c         |   2 +-
 ui/vnc-ws.c                    |   2 +-
 ui/vnc.c                       |  85 +++-
 ui/vnc.h                       |   4 +-
 util/Makefile.objs             |   4 +-
 util/acl.c                     | 179 ---------
 util/filemonitor-inotify.c     | 338 ++++++++++++++++
 util/filemonitor-stub.c        |  59 +++
 util/trace-events              |   9 +
 64 files changed, 4013 insertions(+), 598 deletions(-)
 create mode 100644 authz/Makefile.objs
 create mode 100644 authz/base.c
 create mode 100644 authz/list.c
 create mode 100644 authz/listfile.c
 create mode 100644 authz/pamacct.c
 create mode 100644 authz/simple.c
 create mode 100644 authz/trace-events
 create mode 100644 include/authz/base.h
 create mode 100644 include/authz/list.h
 create mode 100644 include/authz/listfile.h
 create mode 100644 include/authz/pamacct.h
 create mode 100644 include/authz/simple.h
 delete mode 100644 include/qemu/acl.h
 create mode 100644 include/qemu/filemonitor.h
 create mode 100644 qapi/authz.json
 create mode 100644 tests/test-authz-list.c
 create mode 100644 tests/test-authz-listfile.c
 create mode 100644 tests/test-authz-pam.c
 create mode 100644 tests/test-authz-simple.c
 create mode 100644 tests/test-util-filemonitor.c
 delete mode 100644 util/acl.c
 create mode 100644 util/filemonitor-inotify.c
 create mode 100644 util/filemonitor-stub.c

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [Qemu-devel] [PATCH v4 00/17] Add authorization support to all network services
Posted by Daniel P. Berrangé 5 years, 2 months ago
mis-fire.

Ignore this one, I used the wrong base branch to git-publish and didn't
interrupt it quickly enough

Re-posted v4 with correct base.

On Fri, Feb 15, 2019 at 05:13:28PM +0000, Daniel P. Berrangé wrote:
>   v1: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg04482.html
>   v2: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg05727.html
>   v3: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg01639.html
> 
> This series builds on the core authorization framework:
> 
>   v8: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04253.html
> 
> enabling its use with the VNC, chardev, NBD and migration network servers.
> 
> In combination with TLS x509 client certificates, this allows these
> services to whitelist specific clients, which avoids the need to setup
> restricted child certificate authorities.
> 
> In VNC it also allows whitelisting based on SASL user names.
> 
> Changed in v4:
> 
>   - Update deprecation versions to 4.0
>   - Rebased to latest git
> 
> Changed in v3:
> 
>   - Rebased to latest git master
> 
> Changed in v2:
> 
>  - Document that authz objects are resolved at time of use, not
>    time of network service activation
>  - Improve docs for tls-authz parameters on services
>  - Fix 2.13 -> 3.0 version tags
>  - Remove redundant conditionals around g_strdup
>  - Fix arg syntax for qemu-nbd  s/-/--/
>  - Remove QAPI (optional) annotation
>  - Fix some outdated usage example
> 
> Based-on: <20190215155709.15777-1-berrange@redhat.com>
> 
> Daniel P. Berrangé (17):
>   util: add helper APIs for dealing with inotify in portable manner
>   qom: don't require user creatable objects to be registered
>   hw/usb: don't set IN_ISDIR for inotify watch in MTP driver
>   hw/usb: fix const-ness for string params in MTP driver
>   hw/usb: switch MTP to use new inotify APIs
>   authz: add QAuthZ object as an authorization base class
>   authz: add QAuthZSimple object type for easy whitelist auth checks
>   authz: add QAuthZList object type for an access control list
>   authz: add QAuthZListFile object type for a file access control list
>   authz: add QAuthZPAM object type for authorizing using PAM
>   authz: delete existing ACL implementation
>   qemu-nbd: add support for authorization of TLS clients
>   nbd: allow authorization with nbd-server-start QMP command
>   migration: add support for a "tls-authz" migration parameter
>   chardev: add support for authorization for TLS clients
>   vnc: allow specifying a custom authorization object name
>   monitor: deprecate acl_show, acl_reset, acl_policy, acl_add,
>     acl_remove
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|