From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Andreas Färber" <afaerber@suse.de>
Subject: [Qemu-devel] [PATCH v1 08/10] nbd: allow an ACL to be set with nbd-server-start QMP command
Date: Fri, 19 Feb 2016 16:47:41 +0000
Message-ID: <1455900463-16007-9-git-send-email-berrange@redhat.com>
In-Reply-To: <1455900463-16007-1-git-send-email-berrange@redhat.com>

As with the previous patch to qemu-nbd, the nbd-server-start
QMP command also needs to be able to specify an ACL when
enabling TLS encryption.

First the client must create a QAuthZ object instance using
the 'object-add' command:

   {
     'execute': 'object-add',
     'arguments': {
       'qom-type': 'authz-simple',
       'id': 'tls0',
       'parameters': {
         'policy': 'deny',
         'rules': [
           {
             'match': '*CN=fred',
             'policy': 'allow'
           }
         ]
       }
     }
   }

They can then reference this in the new 'tls-acl' parameter
when executing the 'nbd-server-start' command.

   {
     'execute': 'nbd-server-start',
     'arguments': {
       'addr': {
           'type': 'inet',
           'host': '127.0.0.1',
           'port': '9000'
       },
       'tls-creds': 'tls0',
       'tls-acl': 'tlsacl0'
     }
   }

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 blockdev-nbd.c  | 10 +++++++++-
 hmp.c           |  2 +-
 qapi/block.json |  4 +++-
 qmp-commands.hx |  2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index 12cae0e..ae5335e 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -24,6 +24,7 @@ typedef struct NBDServerData {
     QIOChannelSocket *listen_ioc;
     int watch;
     QCryptoTLSCreds *tlscreds;
+    char *tlsacl;
 } NBDServerData;
 
 static NBDServerData *nbd_server;
@@ -45,7 +46,8 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
     }
 
     nbd_client_new(NULL, cioc,
-                   nbd_server->tlscreds, NULL,
+                   nbd_server->tlscreds,
+                   nbd_server->tlsacl,
                    nbd_client_put);
     object_unref(OBJECT(cioc));
     return TRUE;
@@ -65,6 +67,7 @@ static void nbd_server_free(NBDServerData *server)
     if (server->tlscreds) {
         object_unref(OBJECT(server->tlscreds));
     }
+    g_free(server->tlsacl);
 
     g_free(server);
 }
@@ -101,6 +104,7 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
 
 void qmp_nbd_server_start(SocketAddress *addr,
                           bool has_tls_creds, const char *tls_creds,
+                          bool has_tls_acl, const char *tls_acl,
                           Error **errp)
 {
     if (nbd_server) {
@@ -128,6 +132,10 @@ void qmp_nbd_server_start(SocketAddress *addr,
         }
     }
 
+    if (has_tls_acl) {
+        nbd_server->tlsacl = g_strdup(tls_acl);
+    }
+
     nbd_server->watch = qio_channel_add_watch(
         QIO_CHANNEL(nbd_server->listen_ioc),
         G_IO_IN,
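Review bot: tls_acl is stored with a bare g_strdup() and never validated, whereas tls_creds is resolved through nbd_get_tls_creds() before the server starts. A mistyped or nonexistent object id is therefore only noticed when the first client connects, and the QMP caller receives a success reply for a server that can never admit anyone. Consider resolving the QAuthZ object here the same way the credentials id is resolved and failing nbd-server-start with an error if it does not exist. Consider also rejecting has_tls_acl without has_tls_creds: the ACL is matched against the client certificate's distinguished name (the commit message's '*CN=fred' rule), so it has no meaning for a plaintext server and silently accepting it hides a configuration mistake.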
diff --git a/hmp.c b/hmp.c
index 614bbf8..4fc6f06 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1785,7 +1785,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
         goto exit;
     }
 
-    qmp_nbd_server_start(addr, false, NULL, &local_err);
+    qmp_nbd_server_start(addr, false, NULL, false, NULL, &local_err);
     qapi_free_SocketAddress(addr);
     if (local_err != NULL) {
         goto exit;
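Review bot: the HMP handler keeps passing false/NULL for both the credentials and the new ACL parameter, so tls-acl is reachable only from QMP. That is consistent with how tls-creds is treated, but a sentence in the commit message saying the HMP omission is deliberate would stop it being read as an oversight.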
diff --git a/qapi/block.json b/qapi/block.json
index 58e6b30..6b209e1 100644
--- a/qapi/block.json
+++ b/qapi/block.json
@@ -147,6 +147,7 @@
 #
 # @addr: Address on which to listen.
 # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
+# @tls-acl: (optional) ID of the QAuthZ authorization object. Since 2.6
 #
 # Returns: error if the server is already running.
 #
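Review bot: the new @tls-acl doc line says only that it is the ID of a QAuthZ object; it should also state that it is only meaningful together with @tls-creds and what the rules are matched against (per the commit message, the client certificate's distinguished name, as in the '*CN=fred' example), otherwise a reader of the schema cannot tell what 'allow' or 'deny' applies to. Separately, the commit message example creates the authz object with 'id': 'tls0' but then passes 'tls-acl': 'tlsacl0' while 'tls-creds' is also 'tls0', so the two snippets do not fit together as written.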
@@ -154,7 +155,8 @@
 ##
 { 'command': 'nbd-server-start',
   'data': { 'addr': 'SocketAddress',
-            '*tls-creds': 'str'} }
+            '*tls-creds': 'str',
+            '*tls-acl': 'str'} }
 
 ##
 # @nbd-server-add:
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 9fb0d78..f601c51 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3825,7 +3825,7 @@ EQMP
 
     {
         .name       = "nbd-server-start",
-        .args_type  = "addr:q,tls-creds:s?",
+        .args_type  = "addr:q,tls-creds:s?,tls-acl:s?",
         .mhandler.cmd_new = qmp_marshal_nbd_server_start,
     },
     {
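Review bot: only the .args_type string is updated in this hunk; the SQMP/EQMP documentation block for nbd-server-start that precedes this table entry (the hunk context ends at EQMP) is not touched, so its argument description and example should also gain the new optional tls-acl parameter to stay in step with qapi/block.json.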
-- 
2.5.0
