From: "Daniel P. Berrange" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-block@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
qemu-devel@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Max Reitz" <mreitz@redhat.com>,
"Andreas Färber" <afaerber@suse.de>
Subject: Re: [Qemu-devel] [PATCH v3 07/10] qemu-nbd: add support for ACLs for TLS clients
Date: Wed, 23 Mar 2016 12:40:53 +0000 [thread overview]
Message-ID: <20160323124053.GO19338@redhat.com> (raw)
In-Reply-To: <56F18B83.1010404@redhat.com>
On Tue, Mar 22, 2016 at 12:14:27PM -0600, Eric Blake wrote:
> On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> > Currently any client which can complete the TLS handshake
> > is able to use the NBD server. The server admin can turn
> > on the 'verify-peer' option for the x509 creds to require
> > the client to provide a x509 certificate. This means the
> > client will have to acquire a certificate from the CA before
> > they are permitted to use the NBD server. This is still a
> > fairly weak bar.
> >
> > This adds a '--tls-acl ACL-ID' option to the qemu-nbd command
> > which takes the ID of a previously added 'QAuthZ' object
> > instance. This ACL will be used to validate the client's
> > x509 distinguished name. Clients failing the ACL will not be
> > permitted to use the NBD server.
> >
> > For example to setup an ACL that only allows connection from
> > a client whose x509 certificate distinguished name contains
> > 'CN=fred', you would use:
> >
> > qemu-nbd -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> > endpoint=server,verify-peer=yes \
> > -object authz-simple,id=acl0,policy=deny,\
> > rules.0.match=*CN=fred,rules.0.policy=allow \
> > -tls-creds tls0 \
> > -tls-acl acl0
> > ....other qemu-nbd args...
>
> Ah, so you are arguing that this is feature-completion of work started
> in 2.6, continuing work started before soft-freeze, and not a new
> feature to be delayed to 2.7.
Yes and v1 of this patch series was in fact posted just a few days
before the soft-freeze deadline.
That said, as mentioned in the earlier patch, I'm open minded about
whether this goes in 2.6 or 2.7. It would be nice to have in 2.6
but not the end of the world if it misses it, as overall we're still
waaaaaaaay better off compared to 2.5 even if this doesn't mege :-)
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2016-03-23 12:41 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-10 18:51 [Qemu-devel] [PATCH v3 00/10] Provide a QOM-based authorization API Daniel P. Berrange
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 01/10] qdict: implement a qdict_crumple method for un-flattening a dict Daniel P. Berrange
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 02/10] qapi: allow QmpInputVisitor to auto-cast types Daniel P. Berrange
2016-03-21 23:18 ` Eric Blake
2016-03-22 15:49 ` Daniel P. Berrange
2016-03-22 16:20 ` Eric Blake
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 03/10] qom: support arbitrary non-scalar properties with -object Daniel P. Berrange
2016-03-21 23:27 ` Eric Blake
2016-03-22 9:07 ` Markus Armbruster
2016-03-22 10:34 ` Daniel P. Berrange
2016-03-22 15:51 ` Daniel P. Berrange
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 04/10] util: add QAuthZ object as an authorization base class Daniel P. Berrange
2016-03-22 16:33 ` Eric Blake
2016-03-22 16:43 ` Daniel P. Berrange
2016-03-22 16:44 ` Daniel P. Berrange
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 05/10] util: add QAuthZSimple object type for a simple access control list Daniel P. Berrange
2016-03-22 17:38 ` Eric Blake
2016-03-23 12:38 ` Daniel P. Berrange
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 06/10] acl: delete existing ACL implementation Daniel P. Berrange
2016-03-22 17:58 ` Eric Blake
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 07/10] qemu-nbd: add support for ACLs for TLS clients Daniel P. Berrange
2016-03-22 18:14 ` Eric Blake
2016-03-23 12:40 ` Daniel P. Berrange [this message]
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 08/10] nbd: allow an ACL to be set with nbd-server-start QMP command Daniel P. Berrange
2016-03-22 18:19 ` Eric Blake
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 09/10] chardev: add support for ACLs for TLS clients Daniel P. Berrange
2016-03-22 21:26 ` Eric Blake
2016-03-10 18:59 ` [Qemu-devel] [PATCH v3 10/10] vnc: allow specifying a custom ACL object name Daniel P. Berrange
2016-03-22 21:38 ` Eric Blake
2016-03-23 12:43 ` Daniel P. Berrange
2016-03-21 22:45 ` [Qemu-devel] [PATCH v3 01/10] qdict: implement a qdict_crumple method for un-flattening a dict Eric Blake
2016-03-22 15:44 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160323124053.GO19338@redhat.com \
--to=berrange@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.