On 11/20/14, 14:17 , "Eric Blake" <eblake@xxxxxxxxxx> wrote:

>On 11/20/2014 05:33 AM, Michal Privoznik wrote:
>
>>> I'm also hoping someone else (eblake?) can look at the remote_protocol.x
>>> changes to ensure they encompass everything they are supposed to. Also
>>> that the usage of QEMU_JOB_QUERY not _MODIFY for the GetFSInfo seems
>>> more appropriate and is in line with the various remote_protocol.x
>>> settings (@acl/@generate stuff settings).
>>
>>
>> @generate is correct, since both, client and server implementations are
>> provided.
>> @acl looks consistent to the rest. Correct, for querying domain info you
>> need to have read permission and that's it.
>
>Oh, wait. This is an interaction with the guest agent. We have already
>stated that ANY action that requires guest cooperation MUST require more
>than plain domain:read privileges (for example, creating a snapshot
>requires domain:fs_freeze if the quiesce flag is present; using
>virDomainShutdownFlags requires domain:write if the guest agent is
>involved).
>
>Since the main use of this API is to query the list of mountpoints that
>then feed virDomainFSFreeze, I think this should be @acl
>domain:fs_freeze, rather than domain:read. Even if it is a read-only
>operation, it makes more sense to treat this command as a family where a
>user is either given rights for all related freeze APIs or none of them.

OK, I'll change this to '@acl domain:fs_freeze' and use QEMU_JOB_QUERY
because this interacts with qemu-guest-agent.

--
Tomoki Sekiyama