monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove
The various ACL related commands are obsolete now that the QAuthZ
framework for authorization is fully integrated throughout QEMU network
services. These only ever worked with VNC and were never used by libvirt.
Mark it as deprecated with no direct replacement to be provided.
Authorization is now provided by using 'object_add' together with
the 'tls-authz' or 'sasl-authz' parameters to the VNC server, and
equivalent for other network services.
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190227145755.26556-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/monitor.c b/monitor.c
index defa129..72061d5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2032,6 +2032,19 @@
return QAUTHZ_LIST(obj);
}
+static bool warn_acl;
+static void hmp_warn_acl(void)
+{
+ if (warn_acl) {
+ return;
+ }
+ error_report("The acl_show, acl_reset, acl_policy, acl_add, acl_remove "
+ "commands are deprecated with no replacement. Authorization "
+ "for VNC should be performed using the pluggable QAuthZ "
+ "objects");
+ warn_acl = true;
+}
+
static void hmp_acl_show(Monitor *mon, const QDict *qdict)
{
const char *aclname = qdict_get_str(qdict, "aclname");
@@ -2039,6 +2052,8 @@
QAuthZListRuleList *rules;
size_t i = 0;
+ hmp_warn_acl();
+
if (!auth) {
return;
}
@@ -2062,6 +2077,8 @@
const char *aclname = qdict_get_str(qdict, "aclname");
QAuthZList *auth = find_auth(mon, aclname);
+ hmp_warn_acl();
+
if (!auth) {
return;
}
@@ -2080,6 +2097,8 @@
int val;
Error *err = NULL;
+ hmp_warn_acl();
+
if (!auth) {
return;
}
@@ -2124,6 +2143,8 @@
QAuthZListFormat format;
size_t i = 0;
+ hmp_warn_acl();
+
if (!auth) {
return;
}
@@ -2169,6 +2190,8 @@
QAuthZList *auth = find_auth(mon, aclname);
ssize_t i = 0;
+ hmp_warn_acl();
+
if (!auth) {
return;
}