From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-devel@nongnu.org, "Eric Blake" <eblake@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>, "Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-block@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Juan Quintela" <quintela@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter
Date: Mon, 18 Jun 2018 14:40:51 +0100
Message-ID: <20180618134051.GH3589@redhat.com>
In-Reply-To: <20180615175423.GI2615@work-vm>
On Fri, Jun 15, 2018 at 06:54:23PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >
> > The QEMU instance that runs as the server for the migration data
> > transport (ie the target QEMU) needs to be able to configure access
> > control so it can prevent unauthorized clients initiating an incoming
> > migration. This adds a new 'tls-authz' migration parameter that is used
> > to provide the QOM ID of a QAuthZ subclass instance that provides the
> > access control check. This is checked against the x509 certificate
> > obtained during the TLS handshake.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>
> I'd appreciate an example of using it, either in the migration docs or
> the commit message.
Hmm, yes, it's an oversight to have missed an example in this commit
message.
>
> > ---
> > hmp.c | 9 +++++++++
> > migration/migration.c | 8 ++++++++
> > migration/tls.c | 2 +-
> > qapi/migration.json | 12 +++++++++++-
> > 4 files changed, 29 insertions(+), 2 deletions(-)
> >
> > diff --git a/hmp.c b/hmp.c
> > index 74e18db103..bef8ea2531 100644
> > --- a/hmp.c
> > +++ b/hmp.c
> > @@ -370,6 +370,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
> > monitor_printf(mon, "%s: %" PRIu64 "\n",
> > MigrationParameter_str(MIGRATION_PARAMETER_XBZRLE_CACHE_SIZE),
> > params->xbzrle_cache_size);
> > + monitor_printf(mon, " %s: '%s'\n",
> > + MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ),
> > + params->has_tls_authz ? params->tls_authz : "");
> > }
> >
> > qapi_free_MigrationParameters(params);
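Review bot: the format string in the added monitor_printf call, " %s: '%s'\n", has a leading space that the neighbouring xbzrle_cache_size line ("%s: %" PRIu64 "\n") does not, so the tls-authz line in 'info migrate_parameters' will be indented one column differently from every other parameter. Drop the leading space so the format is "%s: '%s'\n", matching the existing string parameters printed in this function.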
> > @@ -1632,6 +1635,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
> > p->tls_hostname->type = QTYPE_QSTRING;
> > visit_type_str(v, param, &p->tls_hostname->u.s, &err);
> > break;
> > + case MIGRATION_PARAMETER_TLS_AUTHZ:
> > + p->has_tls_authz = true;
> > + p->tls_authz = g_new0(StrOrNull, 1);
> > + p->tls_authz->type = QTYPE_QSTRING;
> > + visit_type_str(v, param, &p->tls_authz->u.s, &err);
> > + break;
> > case MIGRATION_PARAMETER_MAX_BANDWIDTH:
> > p->has_max_bandwidth = true;
> > /*
> > diff --git a/migration/migration.c b/migration/migration.c
> > index 1e99ec9b7e..d14c8d7003 100644
> > --- a/migration/migration.c
> > +++ b/migration/migration.c
> > @@ -645,6 +645,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
> > params->tls_creds = g_strdup(s->parameters.tls_creds);
> > params->has_tls_hostname = true;
> > params->tls_hostname = g_strdup(s->parameters.tls_hostname);
> > + params->has_tls_authz = true;
> > + params->tls_authz = g_strdup(s->parameters.tls_authz);
> > params->has_max_bandwidth = true;
> > params->max_bandwidth = s->parameters.max_bandwidth;
> > params->has_downtime_limit = true;
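Review bot: the query hunk sets has_tls_authz to true unconditionally and copies the value with g_strdup(s->parameters.tls_authz), but nothing in this patch initialises s->parameters.tls_authz. If it stays NULL until the user sets it, g_strdup returns NULL and the QAPI string visitor is handed a NULL tls_authz for a field flagged as present. Either initialise it to an empty string where tls_creds and tls_hostname are initialised (not shown in this diff), or guard the copy, e.g. `params->tls_authz = g_strdup(s->parameters.tls_authz ? s->parameters.tls_authz : "");`.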
> > @@ -1106,6 +1108,12 @@ static void migrate_params_apply(MigrateSetParameters *params, Error **errp)
> > s->parameters.tls_hostname = g_strdup(params->tls_hostname->u.s);
> > }
> >
> > + if (params->has_tls_authz) {
> > + g_free(s->parameters.tls_authz);
> > + assert(params->tls_authz->type == QTYPE_QSTRING);
> > + s->parameters.tls_authz = g_strdup(params->tls_authz->u.s);
> > + }
> > +
> > if (params->has_max_bandwidth) {
> > s->parameters.max_bandwidth = params->max_bandwidth;
> > if (s->to_dst_file) {
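Review bot: migrate_params_apply stores the tls-authz string without checking that it names an existing QAuthZ object, and no hunk in this patch touches migrate_params_check. A mistyped or not-yet-created object ID will therefore be accepted silently by migrate-set-parameters and only fail when the first incoming TLS connection is processed, which is an awkward time for the operator to learn about it. Consider resolving the ID in migrate_params_check (for a non-empty value) so the error is reported at set time, the way tls-creds can be validated before a connection arrives.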
> > diff --git a/migration/tls.c b/migration/tls.c
> > index 3b9e8c9263..5171afc6c4 100644
> > --- a/migration/tls.c
> > +++ b/migration/tls.c
> > @@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationState *s,
> >
> > tioc = qio_channel_tls_new_server(
> > ioc, creds,
> > - NULL, /* XXX pass ACL name */
> > + s->parameters.tls_authz,
> > errp);
> > if (!tioc) {
> > return;
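Review bot: this hunk passes s->parameters.tls_authz straight through as the ACL name. If the parameter follows the tls-hostname convention of defaulting to an empty string rather than NULL, the TLS server will be asked to look up an authz object with ID "" and, unless qio_channel_tls_new_server treats an empty name as "no ACL", will reject every client when no tls-authz was configured. Normalise here in the same way migration_tls_channel_connect handles an empty tls-hostname, e.g. `(s->parameters.tls_authz && *s->parameters.tls_authz) ? s->parameters.tls_authz : NULL`, and add a comment that this check is only ever applied on the destination, since only the incoming channel path is changed.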
> > diff --git a/qapi/migration.json b/qapi/migration.json
> > index f7e10ee90f..b9ba34e3a6 100644
> > --- a/qapi/migration.json
> > +++ b/qapi/migration.json
> > @@ -488,6 +488,10 @@
> > # hostname must be provided so that the server's x509
> > # certificate identity can be validated. (Since 2.7)
> > #
> > +# @tls-authz: ID of the 'authz' object subclass that provides access control
> > +# checking of the TLS x509 certificate distinguished name. (Since
> > +# 2.13)
> > +#
>
> Oops, 2.13 strikes again :-)
>
> Other than that, OK from migration and HMP.
>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>
> > # @max-bandwidth: to set maximum speed for migration. maximum speed in
> > # bytes per second. (Since 2.8)
> > #
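Review bot: the "(Since 2.13)" tag on the new @tls-authz documentation is wrong; the release after 2.12 is 3.0, so this should read "(Since 3.0)". The description should also say that the parameter is only consulted by the destination QEMU (the incoming TLS channel), since the migration/tls.c hunk changes only migration_tls_channel_process_incoming, and that leaving it unset disables the access control check. A short example of creating an authz object and passing its ID here would answer Dave's request without needing a separate doc update.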
> > @@ -522,7 +526,7 @@
> > { 'enum': 'MigrationParameter',
> > 'data': ['compress-level', 'compress-threads', 'decompress-threads',
> > 'cpu-throttle-initial', 'cpu-throttle-increment',
> > - 'tls-creds', 'tls-hostname', 'max-bandwidth',
> > + 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth',
> > 'downtime-limit', 'x-checkpoint-delay', 'block-incremental',
> > 'x-multifd-channels', 'x-multifd-page-count',
> > 'xbzrle-cache-size' ] }
> > @@ -605,6 +609,7 @@
> > '*cpu-throttle-increment': 'int',
> > '*tls-creds': 'StrOrNull',
> > '*tls-hostname': 'StrOrNull',
> > + '*tls-authz': 'StrOrNull',
> > '*max-bandwidth': 'int',
> > '*downtime-limit': 'int',
> > '*x-checkpoint-delay': 'int',
> > @@ -667,6 +672,10 @@
> > # associated with the migration URI, if any. (Since 2.9)
> > # Note: 2.8 reports this by omitting tls-hostname instead.
> > #
> > +# @tls-authz: ID of the 'authz' object subclass that provides access control
> > +# checking of the TLS x509 certificate distinguished name. (Since
> > +# 2.13)
> > +#
> > # @max-bandwidth: to set maximum speed for migration. maximum speed in
> > # bytes per second. (Since 2.8)
> > #
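Review bot: same version tag problem as in the MigrateSetParameters docs above: "(Since 2.13)" should be "(Since 3.0)". Since this is the query-side description, it is also worth stating what value is reported when no authz object has been configured (an empty string, if tls-authz follows the tls-hostname convention noted a few lines up), so that callers of query-migrate-parameters know how to detect "no access control".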
> > @@ -704,6 +713,7 @@
> > '*cpu-throttle-increment': 'uint8',
> > '*tls-creds': 'str',
> > '*tls-hostname': 'str',
> > + '*tls-authz': 'str',
> > '*max-bandwidth': 'size',
> > '*downtime-limit': 'uint64',
> > '*x-checkpoint-delay': 'uint32',
> > --
> > 2.17.0
> >
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|