From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eric Blake" <eblake@redhat.com>, "Max Reitz" <mreitz@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Andreas Färber" <afaerber@suse.de>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	qemu-block@nongnu.org, "Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v5 09/11] migration: add support for a "tls-acl" migration parameter
Date: Thu,  2 Jun 2016 17:46:25 +0100
Message-ID: <1464885987-4039-10-git-send-email-berrange@redhat.com>
In-Reply-To: <1464885987-4039-1-git-send-email-berrange@redhat.com>

The QEMU instance that runs as the server for the migration data
transport (i.e. the target QEMU) needs to be able to configure access
control so it can prevent unauthorized clients initiating an incoming
migration. This adds a new 'tls-acl' migration parameter that is used
to provide the QOM ID of a QAuthZ subclass instance that provides the
access control check. This ACL is checked against the x509 certificate
obtained during the TLS handshake.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 hmp.c                 |  8 ++++++++
 migration/migration.c |  7 +++++++
 migration/tls.c       |  2 +-
 qapi-schema.json      | 20 +++++++++++++++++---
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/hmp.c b/hmp.c
index e0d0d8c..4cbf37c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -300,6 +300,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
         monitor_printf(mon, " %s: '%s'",
             MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_HOSTNAME],
             params->tls_hostname ? : "");
+        monitor_printf(mon, " %s: '%s'",
+            MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_ACL],
+            params->tls_acl ? : "");
         monitor_printf(mon, "\n");
     }
 
@@ -1259,6 +1262,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
     bool has_cpu_throttle_increment = false;
     bool has_tls_creds = false;
     bool has_tls_hostname = false;
+    bool has_tls_acl = false;
     bool use_int_value = false;
     int i;
 
@@ -1290,6 +1294,9 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
             case MIGRATION_PARAMETER_TLS_HOSTNAME:
                 has_tls_hostname = true;
                 break;
+            case MIGRATION_PARAMETER_TLS_ACL:
+                has_tls_acl = true;
+                break;
             }
 
             if (use_int_value) {
@@ -1307,6 +1314,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
                                        has_cpu_throttle_increment, valueint,
                                        has_tls_creds, valuestr,
                                        has_tls_hostname, valuestr,
+                                       has_tls_acl, valuestr,
                                        &err);
             break;
         }
diff --git a/migration/migration.c b/migration/migration.c
index 7ecbade..b5e8e2f 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -566,6 +566,7 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
     params->cpu_throttle_increment = s->parameters.cpu_throttle_increment;
     params->tls_creds = g_strdup(s->parameters.tls_creds);
     params->tls_hostname = g_strdup(s->parameters.tls_hostname);
+    params->tls_acl = g_strdup(s->parameters.tls_acl);
 
     return params;
 }
@@ -771,6 +772,8 @@ void qmp_migrate_set_parameters(bool has_compress_level,
                                 const char *tls_creds,
                                 bool has_tls_hostname,
                                 const char *tls_hostname,
+                                bool has_tls_acl,
+                                const char *tls_acl,
                                 Error **errp)
 {
     MigrationState *s = migrate_get_current();
@@ -830,6 +833,10 @@ void qmp_migrate_set_parameters(bool has_compress_level,
         g_free(s->parameters.tls_hostname);
         s->parameters.tls_hostname = g_strdup(tls_hostname);
     }
+    if (has_tls_acl) {
+        g_free(s->parameters.tls_acl);
+        s->parameters.tls_acl = g_strdup(tls_acl);
+    }
 }
 
 
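Review bot: the `has_tls_acl` branch in qmp_migrate_set_parameters() stores any string it is given, so there is no way to return the parameter to unset once it has been set. Setting `tls-acl` to '' (which is how hmp_info_migrate_parameters() displays the unset state) stores an empty string rather than NULL, and migration/tls.c then hands that to qio_channel_tls_new_server() as an ACL name. Suggest either mapping an empty string to NULL here or rejecting it through `errp`, and documenting which of the two applies. It would also help to report an error at set time when the ID does not name an existing authz object, instead of leaving that to be discovered on the first incoming connection.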
diff --git a/migration/tls.c b/migration/tls.c
index 75f959f..968fe16 100644
--- a/migration/tls.c
+++ b/migration/tls.c
@@ -92,7 +92,7 @@ void migration_tls_set_incoming_channel(MigrationState *s,
 
     tioc = qio_channel_tls_new_server(
         ioc, creds,
-        NULL, /* XXX pass ACL name */
+        s->parameters.tls_acl,
         errp);
     if (!tioc) {
         return;
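Review bot: in migration_tls_set_incoming_channel() the third argument is now `s->parameters.tls_acl`, which is still NULL whenever the parameter has not been set, so the default behaviour is the same as the old hard-coded NULL and no ACL check is applied to the client certificate. If that default is intended, the parameter documentation should say so explicitly, since the commit message presents the ACL as the way to prevent unauthorized clients from initiating an incoming migration. Nothing in this hunk validates the ID either, so please confirm (and ideally note in a comment) that an ID which does not resolve to an authz object results in the connection being denied rather than accepted.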
diff --git a/qapi-schema.json b/qapi-schema.json
index 337a6ce..e7ec2a1 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -636,12 +636,16 @@
 #                hostname must be provided so that the server's x509
 #                certificate identity canbe validated. (Since 2.7)
 #
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+#           checking of the TLS x509 certificate distinguished name. (Since
+#           2.7)
+#
 # Since: 2.4
 ##
 { 'enum': 'MigrationParameter',
   'data': ['compress-level', 'compress-threads', 'decompress-threads',
            'cpu-throttle-initial', 'cpu-throttle-increment',
-           'tls-creds', 'tls-hostname'] }
+           'tls-creds', 'tls-hostname', 'tls-acl'] }
 
 #
 # @migrate-set-parameters
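Review bot: the new `@tls-acl` description does not say which side of the migration uses it or what happens when it is left unset. Per the commit message the check is made by the QEMU acting as server (the target), so the text should state that the parameter only takes effect for incoming migration and that no access control check is performed when it is absent. The same paragraph is added three times in this file (here, under migrate-set-parameters and under MigrationParameters), so any wording change needs to be applied to all three.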
@@ -677,6 +681,10 @@
 #                hostname must be provided so that the server's x509
 #                certificate identity canbe validated. (Since 2.7)
 #
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+#           checking of the TLS x509 certificate distinguished name. (Since
+#           2.7)
+#
 # Since: 2.4
 ##
 { 'command': 'migrate-set-parameters',
@@ -686,7 +694,8 @@
             '*cpu-throttle-initial': 'int',
             '*cpu-throttle-increment': 'int',
             '*tls-creds': 'str',
-            '*tls-hostname': 'str'} }
+            '*tls-hostname': 'str',
+            '*tls-acl': 'str'} }
 
 #
 # @MigrationParameters
@@ -720,6 +729,10 @@
 #                hostname must be provided so that the server's x509
 #                certificate identity canbe validated. (Since 2.6)
 #
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+#           checking of the TLS x509 certificate distinguished name. (Since
+#           2.7)
+#
 # Since: 2.4
 ##
 { 'struct': 'MigrationParameters',
@@ -729,7 +742,8 @@
             'cpu-throttle-initial': 'int',
             'cpu-throttle-increment': 'int',
             'tls-creds': 'str',
-            'tls-hostname': 'str'} }
+            'tls-hostname': 'str',
+            'tls-acl': 'str'} }
 ##
 # @query-migrate-parameters
 #
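Review bot: `'tls-acl': 'str'` is declared as a mandatory member of MigrationParameters, but qmp_query_migrate_parameters() fills it with `g_strdup(s->parameters.tls_acl)`, and g_strdup() returns NULL for a NULL input, so the member is NULL whenever the parameter was never set. The HMP code already guards for this with `params->tls_acl ? : ""`, but the QMP output path gets a NULL for a field the schema says is always present. Suggest either making the member optional (`'*tls-acl': 'str'` with `has_tls_acl` set only when a value exists) or returning an empty string from qmp_query_migrate_parameters() when it is unset.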
-- 
2.5.5
