On Tue, Jun 19, 2018 at 01:31:40PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berra...@redhat.com) wrote:
> > The various ACL related commands are obsolete now that the QAuthZ
> > framework for authorization is fully integrated throughout QEMU network
> > services. Mark it as deprecated with no replacement to be provided.
> >
> > Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
>
> OK, so I can do all these by using object_add/object_del with the right
> type and parameters?

It is a different paradigm for the way you manage it, but the end result
allows the same thing to be achieved, in a more flexible way.

With the old way, we precreated an ACL object for VNC, and then you had
to use these commands to add/remove individual match rules and/or change
the policy, etc. You could never create/delete the ACL itself.

With the new way, we have 4 different ACL implementations (so far) and
you can choose which to use. So you create the entire ACL with all its
rules populated atomically with object_add. There's no create/delete of
individual rules within the ACL, so if you want to change rules you just
delete the entire ACL & create it again. It has a failsafe to reject in
case a client connects between the time you delete and recreate.

One of the ACL impls allows storing the rules in a standalone text file
which we monitor with inotify. So in fact using that you can update rules
on the fly without needing QEMU interaction - just change the content
whenever needed.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
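
The delete-and-recreate lifecycle described in the reply above, as an added example that is not part of the original message and is not QEMU code: a small Python model of a whole-ACL object that is replaced in one step, with a lookup that rejects while no ACL exists. The `AuthzRegistry` class, the glob-style matching, the first-match-wins ordering and the sample identities are assumptions made for illustration; only the `object_add`/`object_del` names come from the thread.

```python
import fnmatch


class AuthzRegistry:
    """Toy model of named ACL objects (hypothetical, not QEMU's implementation)."""

    def __init__(self):
        self._objects = {}

    def object_add(self, acl_id, rules, policy="deny"):
        # The full rule list and default policy are installed together;
        # there is no call to add or remove a single rule afterwards.
        if acl_id in self._objects:
            raise ValueError(f"ACL {acl_id!r} already exists")
        self._objects[acl_id] = (tuple(rules), policy)

    def object_del(self, acl_id):
        del self._objects[acl_id]

    def is_allowed(self, acl_id, identity):
        acl = self._objects.get(acl_id)
        if acl is None:
            # Failsafe: a service pointing at a missing ACL rejects everyone.
            return False
        rules, policy = acl
        for pattern, decision in rules:  # assumed: first matching rule wins
            if fnmatch.fnmatchcase(identity, pattern):
                return decision == "allow"
        return policy == "allow"


def demo():
    """Replace an ACL and record decisions before, during and after the gap."""
    reg = AuthzRegistry()
    # Constructed sample rules and identities.
    reg.object_add("vnc-acl", [("alice", "allow"), ("guest-*", "deny")])
    seen = {"before": reg.is_allowed("vnc-acl", "alice")}

    reg.object_del("vnc-acl")
    # A client that was allowed a moment ago connects inside the gap.
    seen["gap"] = reg.is_allowed("vnc-acl", "alice")

    reg.object_add("vnc-acl", [("alice", "allow"), ("bob", "allow")])
    seen["after_alice"] = reg.is_allowed("vnc-acl", "alice")
    seen["after_bob"] = reg.is_allowed("vnc-acl", "bob")
    seen["after_guest"] = reg.is_allowed("vnc-acl", "guest-7")
    return seen


if __name__ == "__main__":
    print(demo())
```
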