Re: [libvirt] API to upgrade read-only connection

2013-01-10 Thread Daniel P. Berrange
On Thu, Jan 10, 2013 at 03:12:18AM +0200, Zeeshan Ali (Khattak) wrote:
> Hi,
>   Once again, I'll be lazy and just copypaste an IRC conversation but
> please don't hesitate to ask if something needs clarification:
>
> <zeenix> am i missing something or there is no way to 'upgrade' a
> read-only connection to a normal one?
> <eblake_out> zeenix: looks like you have to create a new connection if
> you want new privileges
> <eblake_out> although you may want to float it by the list to see if a
> new API for upgrading an existing connection makes sense
> <eblake_out> especially in light of danpb's work-in-progress on adding
> fine-grained ACLs
> <zeenix> ah ok
> <zeenix> eblake_out: we'd like to connect to system libvirt as well by
> default in boxes
> <zeenix> but would be nice to avoid the polkit dialog until we really
> need full-access

Really the concept of separate read-only vs read-write connections is
completely flawed. In a world where you have proper access control on
individual APIs, you'd just have a single connection you let anyone
connect to, and then do the checks at API call time which would trigger
auth as required

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] API to upgrade read-only connection

2013-01-10 Thread Zeeshan Ali (Khattak)
On Thu, Jan 10, 2013 at 12:14 PM, Daniel P. Berrange
berra...@redhat.com wrote:
> On Thu, Jan 10, 2013 at 03:12:18AM +0200, Zeeshan Ali (Khattak) wrote:
> > Hi,
> >   Once again, I'll be lazy and just copypaste an IRC conversation but
> > please don't hesitate to ask if something needs clarification:
> >
> > <zeenix> am i missing something or there is no way to 'upgrade' a
> > read-only connection to a normal one?
> > <eblake_out> zeenix: looks like you have to create a new connection if
> > you want new privileges
> > <eblake_out> although you may want to float it by the list to see if a
> > new API for upgrading an existing connection makes sense
> > <eblake_out> especially in light of danpb's work-in-progress on adding
> > fine-grained ACLs
> > <zeenix> ah ok
> > <zeenix> eblake_out: we'd like to connect to system libvirt as well by
> > default in boxes
> > <zeenix> but would be nice to avoid the polkit dialog until we really
> > need full-access
>
> Really the concept of separate read-only vs read-write connections is
> completely flawed. In a world where you have proper access control on
> individual APIs, you'd just have a single connection you let anyone
> connect to, and then do the checks at API call time which would trigger
> auth as required

Sounds reasonable. For the moment, I'll try to simulate the upgrade
in Boxes that from an end-user's perspective will work the same way as
you described above.

-- 
Regards,

Zeeshan Ali (Khattak)
FSF member#5124
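
One way a client can simulate the upgrade discussed in this thread, as an added example (not code from the thread, from Boxes or from libvirt): start on a read-only connection and open a full one only when the first privileged call is made. The class name `LazyUpgradeConnection` and its methods are hypothetical; the default openers assume the libvirt-python bindings (`libvirt.openReadOnly`, `libvirt.open`) and can be replaced with other callables.

```python
"""Simulated 'upgrade' of a read-only libvirt connection (added example)."""


def _open_ro(uri):
    import libvirt  # libvirt-python bindings, imported only when needed
    return libvirt.openReadOnly(uri)


def _open_rw(uri):
    import libvirt
    return libvirt.open(uri)  # on qemu:///system this may trigger polkit auth


class LazyUpgradeConnection:
    """Hypothetical wrapper: read-only until a privileged call is made."""

    def __init__(self, uri, open_ro=_open_ro, open_rw=_open_rw):
        self.uri = uri
        self._open_rw = open_rw
        self._conn = open_ro(uri)
        self.writable = False

    def _upgrade(self):
        if self.writable:
            return
        # Open the new connection first: if authentication is refused this
        # raises and the existing read-only connection stays usable.
        new_conn = self._open_rw(self.uri)
        old_conn, self._conn = self._conn, new_conn
        self.writable = True
        old_conn.close()

    def domain_names(self):
        """Read-only query: never triggers the upgrade."""
        return sorted(dom.name() for dom in self._conn.listAllDomains())

    def start_domain(self, uuid):
        """Privileged call: upgrade on first use, then act."""
        self._upgrade()
        # Look the domain up again by UUID. Handles obtained earlier belong
        # to the old read-only connection and must not be reused.
        self._conn.lookupByUUIDString(uuid).create()
```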
