From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
qemu-block@nongnu.org, libvir-list@redhat.com,
"Kevin Wolf" <kwolf@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
"Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
Date: Mon, 5 Nov 2018 16:41:09 -0600 [thread overview]
Message-ID: <1baede2d-7113-be2c-62dd-9f5ce6425bb1@redhat.com> (raw)
In-Reply-To: <20181009132330.7549-2-berrange@redhat.com>
On 10/9/18 8:23 AM, Daniel P. Berrangé wrote:
> From: "Daniel P. Berrange" <berrange@redhat.com>
>
> Currently any client which can complete the TLS handshake is able to use
> the NBD server. The server admin can turn on the 'verify-peer' option
> for the x509 creds to require the client to provide a x509 certificate.
> This means the client will have to acquire a certificate from the CA
> before they are permitted to use the NBD server. This is still a fairly
> low bar to cross.
>
> This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
> takes the ID of a previously added 'QAuthZ' object instance. This will
> be used to validate the client's x509 distinguished name. Clients
> failing the authorization check will not be permitted to use the NBD
> server.
>
> For example to setup authorization that only allows connection from a client
> whose x509 certificate distinguished name is
>
> CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
>
> use:
>
> qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> endpoint=server,verify-peer=yes \
> --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
> O=Example Org,,L=London,,ST=London,,C=GB \
Missing shell quoting around the space in 'Example Org'. It's also
fairly obvious that actual shell commands can't have leading space
between \-newline line continuations.
> --tls-creds tls0 \
> --tls-authz authz0
> ....other qemu-nbd args...
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> include/block/nbd.h | 2 +-
> nbd/server.c | 10 +++++-----
> qemu-nbd.c | 13 ++++++++++++-
> qemu-nbd.texi | 4 ++++
> 4 files changed, 22 insertions(+), 7 deletions(-)
>
> +++ b/qemu-nbd.c
> @@ -52,6 +52,7 @@
> #define QEMU_NBD_OPT_TLSCREDS 261
> #define QEMU_NBD_OPT_IMAGE_OPTS 262
> #define QEMU_NBD_OPT_FORK 263
> +#define QEMU_NBD_OPT_TLSAUTHZ 264
>
> @@ -532,6 +534,7 @@ int main(int argc, char **argv)
> { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
> { "trace", required_argument, NULL, 'T' },
> { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
> { NULL, 0, NULL, 0 }
> };
Missing a change to qemu-nbd --help to describe the new option.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2018-11-05 22:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-09 13:23 [Qemu-devel] [PATCH v3 0/6] Add authorization support to all network services Daniel P. Berrangé
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2018-10-17 12:24 ` Juan Quintela
2018-11-05 22:41 ` Eric Blake [this message]
2018-11-15 10:35 ` Daniel P. Berrangé
2018-11-15 10:47 ` Daniel P. Berrangé
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2018-10-17 12:28 ` Juan Quintela
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 3/6] migration: add support for a "tls-authz" migration parameter Daniel P. Berrangé
2018-10-17 12:30 ` Juan Quintela
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2018-10-17 12:32 ` Juan Quintela
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2018-11-05 14:21 ` Juan Quintela
2018-10-09 13:23 ` [Qemu-devel] [PATCH v3 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
2018-11-05 14:22 ` Juan Quintela
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1baede2d-7113-be2c-62dd-9f5ce6425bb1@redhat.com \
--to=eblake@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=libvir-list@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).