Re: [libvirt] [PATCH 0/8] Filtering of object lists via ACLs
On Thu, Jun 27, 2013 at 05:57:17PM +0100, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
The current ACL checks validate access to the object being
passed in to the API calls.
There are a few APIs (all the virConnectList* / virConnectNum*
ones) which are used to get lists of objects in the first
place. Currently you could find out that there is a VM called
"foo", but you can't then do virDomainLookupByName since the
ACL check may block it.
This series introduces filtering in the object list APIs,
so you can't even see the existance of an object called
"foo", if you don't have permission over it.
This is not yet filtering the legacy Xen driver.
Daniel P. Berrange (8):
Add access control filtering of domain objects
Add access control filtering of network objects
Add access control filtering of node device objects
Add access control filtering of storage objects
Add access control filtering of secret objects
Add access control filtering of nwfilter objects
Add access control filtering of interface objects
Extend the ACL test case to validate filter rule checks
This series is a candidate for merging now the 1.1.0 release
is out, if someone can review it.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|