From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Markus Armbruster" <armbru@redhat.com>,
"Andreas Färber" <afaerber@suse.de>,
"Laurent Vivier" <laurent@vivier.eu>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
qemu-trivial@nongnu.org,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Michael Tokarev" <mjt@tls.msk.ru>
Subject: [Qemu-devel] [PATCH 0/8] Add a standard authorization framework
Date: Fri, 8 Jun 2018 18:09:25 +0100 [thread overview]
Message-ID: <20180608170933.9137-1-berrange@redhat.com> (raw)
The current network services now support encryption via TLS and in some
cases support authentication via SASL. In cases where SASL is not
available, x509 client certificates can be used as a crude authorization
scheme, but using a sub-CA and controlling who you give certs to. In
general this is not very flexible though, so this series introduces a
new standard authorization framework.
It comes with four initial authorization mechanisms
- Simple - an exact username match. This is useful when there is
exactly one user that is known to connect. For example when live
migrating from one QEMU to another with TLS, libvirt would use
the simple scheme to whitelist the TLS cert of the source QEMU.
- List - an full access control list, with optional regex matching.
This is more flexible and is used to provide 100% backcompat with
the existing HMP ACL commands. The caveat is that we can't create
these via the CLI -object arg yet.
- ListFile - the same as List, but with the rules stored in JSON
format in an external file. This avoids the -object limitation
while also allowing the admin to change list entries on the file.
QEMU uses inotify to notice these changes and auto-reload the
file contents. This is likely a good default choice for most
network services, if the "simple" mechanism isn't sufficient.
- PAM - delegate the username lookup to a PAM module, which opens
the door to many options including things like SQL/LDAP lookups.
A later series that follows will integrate this framework into the VNC,
NBD, migration, and character device servers.
Daniel P. Berrangé (8):
util: add helper APIs for dealing with inotify
hw/usb: switch MTP to use new inotify APIs
authz: add QAuthZ object as an authorization base class
authz: add QAuthZSimple object type for trivial auth checks
authz: add QAuthZList object type for an access control list
authz: add QAuthZListFile object type for a file access control list
authz: add QAuthZPAM object type for authorizing using PAM
authz: delete existing ACL implementation
.gitignore | 4 +
MAINTAINERS | 14 ++
Makefile | 17 +-
Makefile.objs | 10 ++
Makefile.target | 2 +
authz/Makefile.objs | 7 +
authz/base.c | 82 +++++++++
authz/list.c | 315 +++++++++++++++++++++++++++++++++
authz/listfile.c | 252 ++++++++++++++++++++++++++
authz/pam.c | 149 ++++++++++++++++
authz/simple.c | 122 +++++++++++++
authz/trace-events | 18 ++
configure | 36 ++++
crypto/tlssession.c | 35 ++--
crypto/trace-events | 2 +-
hw/usb/dev-mtp.c | 238 ++++++++++---------------
include/authz/base.h | 112 ++++++++++++
include/authz/list.h | 106 +++++++++++
include/authz/listfile.h | 104 +++++++++++
include/authz/pam.h | 84 +++++++++
include/authz/simple.h | 81 +++++++++
include/qemu/acl.h | 66 -------
include/qemu/inotify.h | 49 +++++
monitor.c | 180 ++++++++++++-------
qapi/authz.json | 58 ++++++
qapi/qapi-schema.json | 1 +
qom/object.c | 12 +-
qom/object_interfaces.c | 16 +-
tests/.gitignore | 1 +
tests/Makefile.include | 8 +-
tests/test-authz-list.c | 171 ++++++++++++++++++
tests/test-crypto-tlssession.c | 15 +-
tests/test-io-channel-tls.c | 16 +-
ui/vnc-auth-sasl.c | 23 ++-
ui/vnc-auth-sasl.h | 5 +-
ui/vnc-auth-vencrypt.c | 2 +-
ui/vnc-ws.c | 2 +-
ui/vnc.c | 37 ++--
ui/vnc.h | 4 +-
util/Makefile.objs | 2 +-
util/acl.c | 179 -------------------
util/inotify.c | 138 +++++++++++++++
42 files changed, 2258 insertions(+), 517 deletions(-)
create mode 100644 authz/Makefile.objs
create mode 100644 authz/base.c
create mode 100644 authz/list.c
create mode 100644 authz/listfile.c
create mode 100644 authz/pam.c
create mode 100644 authz/simple.c
create mode 100644 authz/trace-events
create mode 100644 include/authz/base.h
create mode 100644 include/authz/list.h
create mode 100644 include/authz/listfile.h
create mode 100644 include/authz/pam.h
create mode 100644 include/authz/simple.h
delete mode 100644 include/qemu/acl.h
create mode 100644 include/qemu/inotify.h
create mode 100644 qapi/authz.json
create mode 100644 tests/test-authz-list.c
delete mode 100644 util/acl.c
create mode 100644 util/inotify.c
--
2.17.0
next reply other threads:[~2018-06-08 17:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-08 17:09 Daniel P. Berrangé [this message]
2018-06-08 17:09 ` [Qemu-devel] [PATCH 1/8] util: add helper APIs for dealing with inotify Daniel P. Berrangé
2018-06-12 10:05 ` Gerd Hoffmann
2018-06-08 17:09 ` [Qemu-devel] [PATCH 2/8] hw/usb: switch MTP to use new inotify APIs Daniel P. Berrangé
2018-06-12 10:06 ` Gerd Hoffmann
2018-06-08 17:09 ` [Qemu-devel] [PATCH 3/8] authz: add QAuthZ object as an authorization base class Daniel P. Berrangé
2018-06-08 17:09 ` [Qemu-devel] [PATCH 4/8] authz: add QAuthZSimple object type for trivial auth checks Daniel P. Berrangé
2018-06-08 17:09 ` [Qemu-devel] [PATCH 5/8] authz: add QAuthZList object type for an access control list Daniel P. Berrangé
2018-06-08 17:09 ` [Qemu-devel] [PATCH 6/8] authz: add QAuthZListFile object type for a file " Daniel P. Berrangé
2018-06-08 17:09 ` [Qemu-devel] [PATCH 7/8] authz: add QAuthZPAM object type for authorizing using PAM Daniel P. Berrangé
2018-06-08 17:09 ` [Qemu-devel] [PATCH 8/8] authz: delete existing ACL implementation Daniel P. Berrangé
2018-06-08 17:38 ` [Qemu-devel] [PATCH 0/8] Add a standard authorization framework no-reply
2018-06-08 20:28 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180608170933.9137-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=laurent@vivier.eu \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
--cc=qemu-trivial@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).