[libvirt] [PATCH 0/8] Filtering of object lists via ACLs

Daniel P. Berrange berrange at redhat.com
Tue Jul 2 10:26:39 UTC 2013


On Thu, Jun 27, 2013 at 05:57:17PM +0100, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> The current ACL checks validate access to the object being
> passed in to the API calls.
> 
> There are a few APIs (all the virConnectList* / virConnectNum*
> ones) which are used to get lists of objects in the first
> place. Currently you could find out that there is a VM called
> "foo", but you can't then do virDomainLookupByName since the
> ACL check may block it.
> 
> This series introduces filtering in the object list APIs,
> so you can't even see the existence of an object called
> "foo", if you don't have permission over it.
> 
> This is not yet filtering the legacy Xen driver.
> 
> Daniel P. Berrange (8):
>   Add access control filtering of domain objects
>   Add access control filtering of network objects
>   Add access control filtering of node device objects
>   Add access control filtering of storage objects
>   Add access control filtering of secret objects
>   Add access control filtering of nwfilter objects
>   Add access control filtering of interface objects
>   Extend the ACL test case to validate filter rule checks

This series is a candidate for merging now the 1.1.0 release
is out, if someone can review it.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
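
The mismatch described in the cover letter (a list call reveals "foo" while the per-object check blocks the lookup) and the effect of filtering the list, as an added example that is not part of the original message and not libvirt's code. All `demo_*` names, the ownership policy and the sample objects are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical object store for illustration; not libvirt's structures. */
typedef struct { const char *name; const char *owner; } demo_obj;
typedef bool (*demo_filter)(const char *ident, const demo_obj *obj);
/* Constructed sample inventory. */
static const demo_obj demo_objs[] = { { "foo", "alice" }, { "bar", "bob" }, { "baz", "alice" } };
#define DEMO_NOBJS (sizeof(demo_objs) / sizeof(demo_objs[0]))

/* Toy policy (assumption): an identity may see only objects it owns. */
static bool demo_acl_check(const char *ident, const demo_obj *obj)
{
    return strcmp(ident, obj->owner) == 0;
}

/* List: copy visible names into out[] (at most max); out == NULL only counts,
 * like the Num variant. A NULL filter reproduces the unfiltered behaviour. */
static size_t demo_list(const char *ident, demo_filter filter,
                        const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < DEMO_NOBJS; i++) {
        if (filter && !filter(ident, &demo_objs[i]))
            continue;               /* hidden: neither named nor counted */
        if (out && n == max)
            break;
        if (out)
            out[n] = demo_objs[i].name;
        n++;
    }
    return n;
}

/* Lookup by name with the per-object ACL check; NULL if absent or blocked. */
static const demo_obj *demo_lookup(const char *ident, const char *name)
{
    for (size_t i = 0; i < DEMO_NOBJS; i++)
        if (strcmp(demo_objs[i].name, name) == 0)
            return demo_acl_check(ident, &demo_objs[i]) ? &demo_objs[i] : NULL;
    return NULL;
}

int main(void)
{
    printf("bob: %zu unfiltered, %zu filtered, lookup foo: %s\n", demo_list("bob", NULL, NULL, 0),
           demo_list("bob", demo_acl_check, NULL, 0), demo_lookup("bob", "foo") ? "ok" : "blocked");
    return 0;
}
```

Passing the same predicate to both the list and the count path is what keeps the number of objects from disclosing hidden ones.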



