From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43083)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1aiQp8-0002dC-Eh
	for qemu-devel@nongnu.org; Tue, 22 Mar 2016 14:14:35 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1aiQp7-0006jb-8q
	for qemu-devel@nongnu.org; Tue, 22 Mar 2016 14:14:34 -0400
References: <1457635927-23045-1-git-send-email-berrange@redhat.com>
	<1457636396-24983-1-git-send-email-berrange@redhat.com>
	<1457636396-24983-7-git-send-email-berrange@redhat.com>
From: Eric Blake <eblake@redhat.com>
Message-ID: <56F18B83.1010404@redhat.com>
Date: Tue, 22 Mar 2016 12:14:27 -0600
MIME-Version: 1.0
In-Reply-To: <1457636396-24983-7-git-send-email-berrange@redhat.com>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="nFwx2VdQGfawcD1V18bnNTVN8hWOMm0AC"
Subject: Re: [Qemu-devel] [PATCH v3 07/10] qemu-nbd: add support for ACLs
	for TLS clients
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-block@nongnu.org, Markus Armbruster <armbru@redhat.com>, =?UTF-8?Q?Andreas_F=c3=a4rber?= <afaerber@suse.de>, Max Reitz <mreitz@redhat.com>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--nFwx2VdQGfawcD1V18bnNTVN8hWOMm0AC
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> Currently any client which can complete the TLS handshake
> is able to use the NBD server. The server admin can turn
> on the 'verify-peer' option for the x509 creds to require
> the client to provide a x509 certificate. This means the
> client will have to acquire a certificate from the CA before
> they are permitted to use the NBD server. This is still a
> fairly weak bar.
>=20
> This adds a '--tls-acl ACL-ID' option to the qemu-nbd command
> which takes the ID of a previously added 'QAuthZ' object
> instance. This ACL will be used to validate the client's
> x509 distinguished name. Clients failing the ACL will not be
> permitted to use the NBD server.
>=20
> For example to setup an ACL that only allows connection from
> a client whose x509 certificate distinguished name contains
> 'CN=3Dfred', you would use:
>=20
>   qemu-nbd -object tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutl=
s,\
>                    endpoint=3Dserver,verify-peer=3Dyes \
>            -object authz-simple,id=3Dacl0,policy=3Ddeny,\
> 	           rules.0.match=3D*CN=3Dfred,rules.0.policy=3Dallow \
>            -tls-creds tls0 \
>            -tls-acl acl0
> 	   ....other qemu-nbd args...

Ah, so you are arguing that this is feature-completion of work started
in 2.6, continuing work started before soft-freeze, and not a new
feature to be delayed to 2.7.

>=20
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  qemu-nbd.c    | 13 ++++++++++++-
>  qemu-nbd.texi |  4 ++++
>  2 files changed, 16 insertions(+), 1 deletion(-)
>=20

> +++ b/qemu-nbd.texi
> @@ -86,6 +86,10 @@ the new style NBD protocol negotiation
>  Enable mandatory TLS encryption for the server by setting the ID
>  of the TLS credentials object previously created with the --object
>  option.
> +@item --tls-acl=3DID
> +Specify the ID of a qauthz object previously created with the
> +--object option. This will be used to authorize users who
> +connect against their x509 distinguish name.

s/distinguish/distinguished/

Reviewed-by: Eric Blake <eblake@redhat.com>

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--nFwx2VdQGfawcD1V18bnNTVN8hWOMm0AC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJW8YuDAAoJEKeha0olJ0NqPjgH/Azm5qQsyUstuYbjQPgeUN36
IdOE4chL6ufkbi6BvfEHojQL1kZOHfFUut5rxoTKpaDBdl2/eDvlZHgjPz8r4lxE
rFMioh5w8teltlhO4xm2O5S7K3ongOV5QyJo2SgCDAYGFK2mwi1roRtQ7XR0cjL4
+k8pwS6V+pgvMz2KsTDylFq61tR+GO2JHy+NEFS3YXjYjxgxBsZvZrdqWu9Kn2wT
23anMcd+iKkkNVt+27akgPfYu6cGLdtrzfil3/nuthJtB5MnDT9lKLXOgo75OEUD
/h4hcL/4zRKlZ2JEJDlAnmigwTUcvZGjqcYOoVxyfAurIL/7yR4eem1liMj6EuQ=
=ptUQ
-----END PGP SIGNATURE-----

--nFwx2VdQGfawcD1V18bnNTVN8hWOMm0AC--