From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-devel@nongnu.org, "Eric Blake" <eblake@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>, "Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-block@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Juan Quintela" <quintela@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter
Date: Mon, 18 Jun 2018 14:40:51 +0100 [thread overview]
Message-ID: <20180618134051.GH3589@redhat.com> (raw)
In-Reply-To: <20180615175423.GI2615@work-vm>
On Fri, Jun 15, 2018 at 06:54:23PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >
> > The QEMU instance that runs as the server for the migration data
> > transport (ie the target QEMU) needs to be able to configure access
> > control so it can prevent unauthorized clients initiating an incoming
> > migration. This adds a new 'tls-authz' migration parameter that is used
> > to provide the QOM ID of a QAuthZ subclass instance that provides the
> > access control check. This is checked against the x509 certificate
> > obtained during the TLS handshake.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>
> I'd appreciate an example of using it, either in the migration docs or
> the commit message.
Hmm, yes, it's an oversight to have missed an example in this commit
message.
>
> > ---
> > hmp.c | 9 +++++++++
> > migration/migration.c | 8 ++++++++
> > migration/tls.c | 2 +-
> > qapi/migration.json | 12 +++++++++++-
> > 4 files changed, 29 insertions(+), 2 deletions(-)
> >
> > diff --git a/hmp.c b/hmp.c
> > index 74e18db103..bef8ea2531 100644
> > --- a/hmp.c
> > +++ b/hmp.c
> > @@ -370,6 +370,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
> > monitor_printf(mon, "%s: %" PRIu64 "\n",
> > MigrationParameter_str(MIGRATION_PARAMETER_XBZRLE_CACHE_SIZE),
> > params->xbzrle_cache_size);
> > + monitor_printf(mon, " %s: '%s'\n",
> > + MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ),
> > + params->has_tls_authz ? params->tls_authz : "");
> > }
> >
> > qapi_free_MigrationParameters(params);
> > @@ -1632,6 +1635,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
> > p->tls_hostname->type = QTYPE_QSTRING;
> > visit_type_str(v, param, &p->tls_hostname->u.s, &err);
> > break;
> > + case MIGRATION_PARAMETER_TLS_AUTHZ:
> > + p->has_tls_authz = true;
> > + p->tls_authz = g_new0(StrOrNull, 1);
> > + p->tls_authz->type = QTYPE_QSTRING;
> > + visit_type_str(v, param, &p->tls_authz->u.s, &err);
> > + break;
> > case MIGRATION_PARAMETER_MAX_BANDWIDTH:
> > p->has_max_bandwidth = true;
> > /*
> > diff --git a/migration/migration.c b/migration/migration.c
> > index 1e99ec9b7e..d14c8d7003 100644
> > --- a/migration/migration.c
> > +++ b/migration/migration.c
> > @@ -645,6 +645,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
> > params->tls_creds = g_strdup(s->parameters.tls_creds);
> > params->has_tls_hostname = true;
> > params->tls_hostname = g_strdup(s->parameters.tls_hostname);
> > + params->has_tls_authz = true;
> > + params->tls_authz = g_strdup(s->parameters.tls_authz);
> > params->has_max_bandwidth = true;
> > params->max_bandwidth = s->parameters.max_bandwidth;
> > params->has_downtime_limit = true;
> > @@ -1106,6 +1108,12 @@ static void migrate_params_apply(MigrateSetParameters *params, Error **errp)
> > s->parameters.tls_hostname = g_strdup(params->tls_hostname->u.s);
> > }
> >
> > + if (params->has_tls_authz) {
> > + g_free(s->parameters.tls_authz);
> > + assert(params->tls_authz->type == QTYPE_QSTRING);
> > + s->parameters.tls_authz = g_strdup(params->tls_authz->u.s);
> > + }
> > +
> > if (params->has_max_bandwidth) {
> > s->parameters.max_bandwidth = params->max_bandwidth;
> > if (s->to_dst_file) {
> > diff --git a/migration/tls.c b/migration/tls.c
> > index 3b9e8c9263..5171afc6c4 100644
> > --- a/migration/tls.c
> > +++ b/migration/tls.c
> > @@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationState *s,
> >
> > tioc = qio_channel_tls_new_server(
> > ioc, creds,
> > - NULL, /* XXX pass ACL name */
> > + s->parameters.tls_authz,
> > errp);
> > if (!tioc) {
> > return;
> > diff --git a/qapi/migration.json b/qapi/migration.json
> > index f7e10ee90f..b9ba34e3a6 100644
> > --- a/qapi/migration.json
> > +++ b/qapi/migration.json
> > @@ -488,6 +488,10 @@
> > # hostname must be provided so that the server's x509
> > # certificate identity can be validated. (Since 2.7)
> > #
> > +# @tls-authz: ID of the 'authz' object subclass that provides access control
> > +# checking of the TLS x509 certificate distinguished name. (Since
> > +# 2.13)
> > +#
>
> Oops, 2.13 strikes again :-)
>
> Other than that, OK from migration and HMP.
>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>
> > # @max-bandwidth: to set maximum speed for migration. maximum speed in
> > # bytes per second. (Since 2.8)
> > #
> > @@ -522,7 +526,7 @@
> > { 'enum': 'MigrationParameter',
> > 'data': ['compress-level', 'compress-threads', 'decompress-threads',
> > 'cpu-throttle-initial', 'cpu-throttle-increment',
> > - 'tls-creds', 'tls-hostname', 'max-bandwidth',
> > + 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth',
> > 'downtime-limit', 'x-checkpoint-delay', 'block-incremental',
> > 'x-multifd-channels', 'x-multifd-page-count',
> > 'xbzrle-cache-size' ] }
> > @@ -605,6 +609,7 @@
> > '*cpu-throttle-increment': 'int',
> > '*tls-creds': 'StrOrNull',
> > '*tls-hostname': 'StrOrNull',
> > + '*tls-authz': 'StrOrNull',
> > '*max-bandwidth': 'int',
> > '*downtime-limit': 'int',
> > '*x-checkpoint-delay': 'int',
> > @@ -667,6 +672,10 @@
> > # associated with the migration URI, if any. (Since 2.9)
> > # Note: 2.8 reports this by omitting tls-hostname instead.
> > #
> > +# @tls-authz: ID of the 'authz' object subclass that provides access control
> > +# checking of the TLS x509 certificate distinguished name. (Since
> > +# 2.13)
> > +#
> > # @max-bandwidth: to set maximum speed for migration. maximum speed in
> > # bytes per second. (Since 2.8)
> > #
> > @@ -704,6 +713,7 @@
> > '*cpu-throttle-increment': 'uint8',
> > '*tls-creds': 'str',
> > '*tls-hostname': 'str',
> > + '*tls-authz': 'str',
> > '*max-bandwidth': 'size',
> > '*downtime-limit': 'uint64',
> > '*x-checkpoint-delay': 'uint32',
> > --
> > 2.17.0
> >
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2018-06-18 13:41 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-15 15:50 [Qemu-devel] [PATCH 0/6] Add authorization support to all network services Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2018-06-19 20:06 ` Eric Blake
2018-06-20 8:42 ` Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2018-06-19 20:10 ` Eric Blake
2018-06-19 22:07 ` Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter Daniel P. Berrangé
2018-06-15 17:54 ` Dr. David Alan Gilbert
2018-06-18 13:40 ` Daniel P. Berrangé [this message]
2018-06-20 10:03 ` Juan Quintela
2018-06-20 10:07 ` Daniel P. Berrangé
2018-06-20 10:11 ` Juan Quintela
2018-06-15 15:51 ` [Qemu-devel] [PATCH 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2018-06-19 12:57 ` Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
2018-06-19 12:31 ` Dr. David Alan Gilbert
2018-06-19 12:52 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180618134051.GH3589@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.