On Thu, Jan 10, 2013 at 12:14 PM, Daniel P. Berrange
<berrange(a)redhat.com> wrote:
> On Thu, Jan 10, 2013 at 03:12:18AM +0200, Zeeshan Ali (Khattak)
> wrote:
>> Hi,
>> Once again, I'll be lazy and just copy&paste an IRC conversation but
>> please don't hesitate to ask if something needs clarification:
>>
>> <zeenix> am i missing something or there is no way to 'upgrade' a
>> read-only connection to a normal one?
>> <eblake_out> zeenix: looks like you have to create a new connection if
>> you want new privileges
>> <eblake_out> although you may want to float it by the list to see if a
>> new API for upgrading an existing connection makes sense
>> <eblake_out> especially in light of danpb's work-in-progress on adding
>> fine-grained ACLs
>> <zeenix> ah ok
>> <zeenix> eblake_out: we'd like to connect to system libvirt as well by
>> default in boxes
>> <zeenix> but would be nice to avoid the polkit dialog until we really
>> need full-access
>
> Really the concept of separate read-only vs read-write connections is
> completely flawed. In a world where you have proper access control on
> individual APIs, you'd just have a single connection you let anyone
> connect to, and then do the checks at API call time which would trigger
> auth as required.

Sounds reasonable. For the moment, I'll try to simulate the "upgrade"
in Boxes that from an end-user's perspective will work the same way as
you described above.
--
Regards,
Zeeshan Ali (Khattak)
FSF member#5124
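
Added example (not part of the original thread, and not code from Boxes or libvirt): one way to simulate the "upgrade" discussed above in Python, starting on a read-only connection and reopening with full access only when a call is refused. UpgradableConnection, domain_call and libvirt_backend are hypothetical names, Denied/FakeDomain/FakeConn are constructed stand-ins so the block runs without libvirtd, and treating VIR_ERR_OPERATION_DENIED as the read-only refusal is an assumption about the libvirt Python binding.

```python
class Denied(Exception):
    """Constructed stand-in for a libvirtError refusing a write on a read-only connection."""

class FakeDomain:  # constructed stand-in for virDomain
    def __init__(self, conn):
        self.conn = conn
    def name(self):
        return "demo"
    def create(self):
        if self.conn.read_only:
            raise Denied("read only access prevents virDomainCreate")
        return 0

class FakeConn:  # constructed stand-in for virConnect
    def __init__(self, read_only):
        self.read_only, self.closed = read_only, False
    def lookupByUUIDString(self, uuid):
        return FakeDomain(self)
    def close(self):
        self.closed = True

class UpgradableConnection:  # hypothetical wrapper
    def __init__(self, uri, open_ro, open_rw, is_denied):
        self.uri, self._open_rw, self._is_denied = uri, open_rw, is_denied
        self.conn, self.read_only = open_ro(uri), True  # read-only open: no full-access auth yet

    def domain_call(self, uuid, method, *args):
        # Domain handles belong to the connection that produced them, so look
        # the domain up by UUID on every call rather than caching handles.
        try:
            return getattr(self.conn.lookupByUUIDString(uuid), method)(*args)
        except Exception as exc:
            if not (self.read_only and self._is_denied(exc)):
                raise
        self._upgrade()
        return getattr(self.conn.lookupByUUIDString(uuid), method)(*args)

    def _upgrade(self):
        full = self._open_rw(self.uri)  # may prompt; if it raises, the RO connection is kept
        old, self.conn, self.read_only = self.conn, full, False
        old.close()

def libvirt_backend():
    """Openers and denial test for a real libvirtd (assumes the libvirt Python binding)."""
    import libvirt
    def denied(exc):
        return (isinstance(exc, libvirt.libvirtError)
                and exc.get_error_code() == libvirt.VIR_ERR_OPERATION_DENIED)
    return libvirt.openReadOnly, libvirt.open, denied
```

Against a real daemon the wrapper would be built as UpgradableConnection("qemu:///system", *libvirt_backend()).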