From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, "Eric Blake" <eblake@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>, "Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-block@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Juan Quintela" <quintela@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter
Date: Fri, 15 Jun 2018 18:54:23 +0100 [thread overview]
Message-ID: <20180615175423.GI2615@work-vm> (raw)
In-Reply-To: <20180615155103.11924-4-berrange@redhat.com>
* Daniel P. Berrangé (berrange@redhat.com) wrote:
> From: "Daniel P. Berrange" <berrange@redhat.com>
>
> The QEMU instance that runs as the server for the migration data
> transport (ie the target QEMU) needs to be able to configure access
> control so it can prevent unauthorized clients initiating an incoming
> migration. This adds a new 'tls-authz' migration parameter that is used
> to provide the QOM ID of a QAuthZ subclass instance that provides the
> access control check. This is checked against the x509 certificate
> obtained during the TLS handshake.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
I'd appreciate an example of using it, either in the migration docs or
the commit message.
> ---
> hmp.c | 9 +++++++++
> migration/migration.c | 8 ++++++++
> migration/tls.c | 2 +-
> qapi/migration.json | 12 +++++++++++-
> 4 files changed, 29 insertions(+), 2 deletions(-)
>
> diff --git a/hmp.c b/hmp.c
> index 74e18db103..bef8ea2531 100644
> --- a/hmp.c
> +++ b/hmp.c
> @@ -370,6 +370,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
> monitor_printf(mon, "%s: %" PRIu64 "\n",
> MigrationParameter_str(MIGRATION_PARAMETER_XBZRLE_CACHE_SIZE),
> params->xbzrle_cache_size);
> + monitor_printf(mon, " %s: '%s'\n",
> + MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ),
> + params->has_tls_authz ? params->tls_authz : "");
> }
>
> qapi_free_MigrationParameters(params);
> @@ -1632,6 +1635,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
> p->tls_hostname->type = QTYPE_QSTRING;
> visit_type_str(v, param, &p->tls_hostname->u.s, &err);
> break;
> + case MIGRATION_PARAMETER_TLS_AUTHZ:
> + p->has_tls_authz = true;
> + p->tls_authz = g_new0(StrOrNull, 1);
> + p->tls_authz->type = QTYPE_QSTRING;
> + visit_type_str(v, param, &p->tls_authz->u.s, &err);
> + break;
> case MIGRATION_PARAMETER_MAX_BANDWIDTH:
> p->has_max_bandwidth = true;
> /*
> diff --git a/migration/migration.c b/migration/migration.c
> index 1e99ec9b7e..d14c8d7003 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -645,6 +645,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
> params->tls_creds = g_strdup(s->parameters.tls_creds);
> params->has_tls_hostname = true;
> params->tls_hostname = g_strdup(s->parameters.tls_hostname);
> + params->has_tls_authz = true;
> + params->tls_authz = g_strdup(s->parameters.tls_authz);
> params->has_max_bandwidth = true;
> params->max_bandwidth = s->parameters.max_bandwidth;
> params->has_downtime_limit = true;
> @@ -1106,6 +1108,12 @@ static void migrate_params_apply(MigrateSetParameters *params, Error **errp)
> s->parameters.tls_hostname = g_strdup(params->tls_hostname->u.s);
> }
>
> + if (params->has_tls_authz) {
> + g_free(s->parameters.tls_authz);
> + assert(params->tls_authz->type == QTYPE_QSTRING);
> + s->parameters.tls_authz = g_strdup(params->tls_authz->u.s);
> + }
> +
> if (params->has_max_bandwidth) {
> s->parameters.max_bandwidth = params->max_bandwidth;
> if (s->to_dst_file) {
> diff --git a/migration/tls.c b/migration/tls.c
> index 3b9e8c9263..5171afc6c4 100644
> --- a/migration/tls.c
> +++ b/migration/tls.c
> @@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationState *s,
>
> tioc = qio_channel_tls_new_server(
> ioc, creds,
> - NULL, /* XXX pass ACL name */
> + s->parameters.tls_authz,
> errp);
> if (!tioc) {
> return;
> diff --git a/qapi/migration.json b/qapi/migration.json
> index f7e10ee90f..b9ba34e3a6 100644
> --- a/qapi/migration.json
> +++ b/qapi/migration.json
> @@ -488,6 +488,10 @@
> # hostname must be provided so that the server's x509
> # certificate identity can be validated. (Since 2.7)
> #
> +# @tls-authz: ID of the 'authz' object subclass that provides access control
> +# checking of the TLS x509 certificate distinguished name. (Since
> +# 2.13)
> +#
Oops, 2.13 strikes again :-)
Other than that, OK from migration and HMP.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> # @max-bandwidth: to set maximum speed for migration. maximum speed in
> # bytes per second. (Since 2.8)
> #
> @@ -522,7 +526,7 @@
> { 'enum': 'MigrationParameter',
> 'data': ['compress-level', 'compress-threads', 'decompress-threads',
> 'cpu-throttle-initial', 'cpu-throttle-increment',
> - 'tls-creds', 'tls-hostname', 'max-bandwidth',
> + 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth',
> 'downtime-limit', 'x-checkpoint-delay', 'block-incremental',
> 'x-multifd-channels', 'x-multifd-page-count',
> 'xbzrle-cache-size' ] }
> @@ -605,6 +609,7 @@
> '*cpu-throttle-increment': 'int',
> '*tls-creds': 'StrOrNull',
> '*tls-hostname': 'StrOrNull',
> + '*tls-authz': 'StrOrNull',
> '*max-bandwidth': 'int',
> '*downtime-limit': 'int',
> '*x-checkpoint-delay': 'int',
> @@ -667,6 +672,10 @@
> # associated with the migration URI, if any. (Since 2.9)
> # Note: 2.8 reports this by omitting tls-hostname instead.
> #
> +# @tls-authz: ID of the 'authz' object subclass that provides access control
> +# checking of the TLS x509 certificate distinguished name. (Since
> +# 2.13)
> +#
> # @max-bandwidth: to set maximum speed for migration. maximum speed in
> # bytes per second. (Since 2.8)
> #
> @@ -704,6 +713,7 @@
> '*cpu-throttle-increment': 'uint8',
> '*tls-creds': 'str',
> '*tls-hostname': 'str',
> + '*tls-authz': 'str',
> '*max-bandwidth': 'size',
> '*downtime-limit': 'uint64',
> '*x-checkpoint-delay': 'uint32',
> --
> 2.17.0
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2018-06-15 17:54 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-15 15:50 [Qemu-devel] [PATCH 0/6] Add authorization support to all network services Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2018-06-19 20:06 ` Eric Blake
2018-06-20 8:42 ` Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2018-06-19 20:10 ` Eric Blake
2018-06-19 22:07 ` Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter Daniel P. Berrangé
2018-06-15 17:54 ` Dr. David Alan Gilbert [this message]
2018-06-18 13:40 ` Daniel P. Berrangé
2018-06-20 10:03 ` Juan Quintela
2018-06-20 10:07 ` Daniel P. Berrangé
2018-06-20 10:11 ` Juan Quintela
2018-06-15 15:51 ` [Qemu-devel] [PATCH 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2018-06-19 12:57 ` Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
2018-06-19 12:31 ` Dr. David Alan Gilbert
2018-06-19 12:52 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180615175423.GI2615@work-vm \
--to=dgilbert@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).