monitor: Refactor acl commnds
Refactor the ACL monitor interface to make full use of the monitor command dispatcher. This also gives proper help formatting and command completion. Note that 'acl allow' and 'acl deny' were combined to 'acl_add aclname match allow|deny [index]' for consistency reasons. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
parent
f3353c6bc3
commit
15dfcd454c
96
monitor.c
96
monitor.c
@ -1579,60 +1579,79 @@ static void do_info_balloon(Monitor *mon)
|
|||||||
monitor_printf(mon, "balloon: actual=%d\n", (int)(actual >> 20));
|
monitor_printf(mon, "balloon: actual=%d\n", (int)(actual >> 20));
|
||||||
}
|
}
|
||||||
|
|
||||||
static void do_acl(Monitor *mon,
|
static qemu_acl *find_acl(Monitor *mon, const char *name)
|
||||||
const char *command,
|
|
||||||
const char *aclname,
|
|
||||||
const char *match,
|
|
||||||
int has_index,
|
|
||||||
int index)
|
|
||||||
{
|
{
|
||||||
qemu_acl *acl;
|
qemu_acl *acl = qemu_acl_find(name);
|
||||||
|
|
||||||
acl = qemu_acl_find(aclname);
|
|
||||||
if (!acl) {
|
if (!acl) {
|
||||||
monitor_printf(mon, "acl: unknown list '%s'\n", aclname);
|
monitor_printf(mon, "acl: unknown list '%s'\n", name);
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
return acl;
|
||||||
|
}
|
||||||
|
|
||||||
if (strcmp(command, "show") == 0) {
|
static void do_acl_show(Monitor *mon, const char *aclname)
|
||||||
int i = 0;
|
{
|
||||||
qemu_acl_entry *entry;
|
qemu_acl *acl = find_acl(mon, aclname);
|
||||||
|
qemu_acl_entry *entry;
|
||||||
|
int i = 0;
|
||||||
|
|
||||||
|
if (acl) {
|
||||||
monitor_printf(mon, "policy: %s\n",
|
monitor_printf(mon, "policy: %s\n",
|
||||||
acl->defaultDeny ? "deny" : "allow");
|
acl->defaultDeny ? "deny" : "allow");
|
||||||
TAILQ_FOREACH(entry, &acl->entries, next) {
|
TAILQ_FOREACH(entry, &acl->entries, next) {
|
||||||
i++;
|
i++;
|
||||||
monitor_printf(mon, "%d: %s %s\n", i,
|
monitor_printf(mon, "%d: %s %s\n", i,
|
||||||
entry->deny ? "deny" : "allow",
|
entry->deny ? "deny" : "allow", entry->match);
|
||||||
entry->match);
|
|
||||||
}
|
}
|
||||||
} else if (strcmp(command, "reset") == 0) {
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void do_acl_reset(Monitor *mon, const char *aclname)
|
||||||
|
{
|
||||||
|
qemu_acl *acl = find_acl(mon, aclname);
|
||||||
|
|
||||||
|
if (acl) {
|
||||||
qemu_acl_reset(acl);
|
qemu_acl_reset(acl);
|
||||||
monitor_printf(mon, "acl: removed all rules\n");
|
monitor_printf(mon, "acl: removed all rules\n");
|
||||||
} else if (strcmp(command, "policy") == 0) {
|
}
|
||||||
if (!match) {
|
}
|
||||||
monitor_printf(mon, "acl: missing policy parameter\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (strcmp(match, "allow") == 0) {
|
static void do_acl_policy(Monitor *mon, const char *aclname,
|
||||||
|
const char *policy)
|
||||||
|
{
|
||||||
|
qemu_acl *acl = find_acl(mon, aclname);
|
||||||
|
|
||||||
|
if (acl) {
|
||||||
|
if (strcmp(policy, "allow") == 0) {
|
||||||
acl->defaultDeny = 0;
|
acl->defaultDeny = 0;
|
||||||
monitor_printf(mon, "acl: policy set to 'allow'\n");
|
monitor_printf(mon, "acl: policy set to 'allow'\n");
|
||||||
} else if (strcmp(match, "deny") == 0) {
|
} else if (strcmp(policy, "deny") == 0) {
|
||||||
acl->defaultDeny = 1;
|
acl->defaultDeny = 1;
|
||||||
monitor_printf(mon, "acl: policy set to 'deny'\n");
|
monitor_printf(mon, "acl: policy set to 'deny'\n");
|
||||||
} else {
|
} else {
|
||||||
monitor_printf(mon, "acl: unknown policy '%s', expected 'deny' or 'allow'\n", match);
|
monitor_printf(mon, "acl: unknown policy '%s', "
|
||||||
|
"expected 'deny' or 'allow'\n", policy);
|
||||||
}
|
}
|
||||||
} else if ((strcmp(command, "allow") == 0) ||
|
}
|
||||||
(strcmp(command, "deny") == 0)) {
|
}
|
||||||
int deny = strcmp(command, "deny") == 0 ? 1 : 0;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
if (!match) {
|
static void do_acl_add(Monitor *mon, const char *aclname,
|
||||||
monitor_printf(mon, "acl: missing match parameter\n");
|
const char *match, const char *policy,
|
||||||
|
int has_index, int index)
|
||||||
|
{
|
||||||
|
qemu_acl *acl = find_acl(mon, aclname);
|
||||||
|
int deny, ret;
|
||||||
|
|
||||||
|
if (acl) {
|
||||||
|
if (strcmp(policy, "allow") == 0) {
|
||||||
|
deny = 0;
|
||||||
|
} else if (strcmp(policy, "deny") == 0) {
|
||||||
|
deny = 1;
|
||||||
|
} else {
|
||||||
|
monitor_printf(mon, "acl: unknown policy '%s', "
|
||||||
|
"expected 'deny' or 'allow'\n", policy);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (has_index)
|
if (has_index)
|
||||||
ret = qemu_acl_insert(acl, deny, match, index);
|
ret = qemu_acl_insert(acl, deny, match, index);
|
||||||
else
|
else
|
||||||
@ -1641,21 +1660,20 @@ static void do_acl(Monitor *mon,
|
|||||||
monitor_printf(mon, "acl: unable to add acl entry\n");
|
monitor_printf(mon, "acl: unable to add acl entry\n");
|
||||||
else
|
else
|
||||||
monitor_printf(mon, "acl: added rule at position %d\n", ret);
|
monitor_printf(mon, "acl: added rule at position %d\n", ret);
|
||||||
} else if (strcmp(command, "remove") == 0) {
|
}
|
||||||
int ret;
|
}
|
||||||
|
|
||||||
if (!match) {
|
static void do_acl_remove(Monitor *mon, const char *aclname, const char *match)
|
||||||
monitor_printf(mon, "acl: missing match parameter\n");
|
{
|
||||||
return;
|
qemu_acl *acl = find_acl(mon, aclname);
|
||||||
}
|
int ret;
|
||||||
|
|
||||||
|
if (acl) {
|
||||||
ret = qemu_acl_remove(acl, match);
|
ret = qemu_acl_remove(acl, match);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
monitor_printf(mon, "acl: no matching acl entry\n");
|
monitor_printf(mon, "acl: no matching acl entry\n");
|
||||||
else
|
else
|
||||||
monitor_printf(mon, "acl: removed rule at position %d\n", ret);
|
monitor_printf(mon, "acl: removed rule at position %d\n", ret);
|
||||||
} else {
|
|
||||||
monitor_printf(mon, "acl: unknown command '%s'\n", command);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -569,48 +569,50 @@ STEXI
|
|||||||
Change watchdog action.
|
Change watchdog action.
|
||||||
ETEXI
|
ETEXI
|
||||||
|
|
||||||
{ "acl", "sss?i?", do_acl, "<command> <aclname> [<match> [<index>]]\n",
|
{ "acl_show", "s", do_acl_show, "aclname",
|
||||||
"acl show vnc.username\n"
|
"list rules in the access control list" },
|
||||||
"acl policy vnc.username deny\n"
|
|
||||||
"acl allow vnc.username fred\n"
|
|
||||||
"acl deny vnc.username bob\n"
|
|
||||||
"acl reset vnc.username\n" },
|
|
||||||
STEXI
|
STEXI
|
||||||
@item acl @var{subcommand} @var{aclname} @var{match} @var{index}
|
@item acl_show @var{aclname}
|
||||||
|
List all the matching rules in the access control list, and the default
|
||||||
|
policy. There are currently two named access control lists,
|
||||||
|
@var{vnc.x509dname} and @var{vnc.username} matching on the x509 client
|
||||||
|
certificate distinguished name, and SASL username respectively.
|
||||||
|
ETEXI
|
||||||
|
|
||||||
Manage access control lists for network services. There are currently
|
{ "acl_policy", "ss", do_acl_policy, "aclname allow|deny",
|
||||||
two named access control lists, @var{vnc.x509dname} and @var{vnc.username}
|
"set default access control list policy" },
|
||||||
matching on the x509 client certificate distinguished name, and SASL
|
STEXI
|
||||||
username respectively.
|
@item acl_policy @var{aclname] @code{allow|deny}
|
||||||
|
Set the default access control list policy, used in the event that
|
||||||
@table @option
|
|
||||||
@item acl show <aclname>
|
|
||||||
list all the match rules in the access control list, and the default
|
|
||||||
policy
|
|
||||||
@item acl policy <aclname> @code{allow|deny}
|
|
||||||
set the default access control list policy, used in the event that
|
|
||||||
none of the explicit rules match. The default policy at startup is
|
none of the explicit rules match. The default policy at startup is
|
||||||
always @code{deny}
|
always @code{deny}.
|
||||||
@item acl allow <aclname> <match> [<index>]
|
ETEXI
|
||||||
add a match to the access control list, allowing access. The match will
|
|
||||||
normally be an exact username or x509 distinguished name, but can
|
{ "acl_add", "sssi?", do_acl_add, "aclname match allow|deny [index]",
|
||||||
optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
|
"add a match rule to the access control list" },
|
||||||
all users in the @code{EXAMPLE.COM} kerberos realm. The match will
|
STEXI
|
||||||
|
@item acl_allow @var{aclname} @var{match} @code{allow|deny} [@var{index}]
|
||||||
|
Add a match rule to the access control list, allowing or denying access.
|
||||||
|
The match will normally be an exact username or x509 distinguished name,
|
||||||
|
but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
|
||||||
|
allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
|
||||||
normally be appended to the end of the ACL, but can be inserted
|
normally be appended to the end of the ACL, but can be inserted
|
||||||
earlier in the list if the optional @code{index} parameter is supplied.
|
earlier in the list if the optional @var{index} parameter is supplied.
|
||||||
@item acl deny <aclname> <match> [<index>]
|
ETEXI
|
||||||
add a match to the access control list, denying access. The match will
|
|
||||||
normally be an exact username or x509 distinguished name, but can
|
{ "acl_remove", "ss", do_acl_remove, "aclname match",
|
||||||
optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
|
"remove a match rule from the access control list" },
|
||||||
all users in the @code{EXAMPLE.COM} kerberos realm. The match will
|
STEXI
|
||||||
normally be appended to the end of the ACL, but can be inserted
|
@item acl_remove @var{aclname} @var{match}
|
||||||
earlier in the list if the optional @code{index} parameter is supplied.
|
Remove the specified match rule from the access control list.
|
||||||
@item acl remove <aclname> <match>
|
ETEXI
|
||||||
remove the specified match rule from the access control list.
|
|
||||||
@item acl reset <aclname>
|
{ "acl_reset", "s", do_acl_reset, "aclname",
|
||||||
remove all matches from the access control list, and set the default
|
"reset the access control list" },
|
||||||
|
STEXI
|
||||||
|
@item acl_remove @var{aclname} @var{match}
|
||||||
|
Remove all matches from the access control list, and set the default
|
||||||
policy back to @code{deny}.
|
policy back to @code{deny}.
|
||||||
@end table
|
|
||||||
ETEXI
|
ETEXI
|
||||||
|
|
||||||
STEXI
|
STEXI
|
||||||
|
Loading…
Reference in New Issue
Block a user