From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eric Blake" <eblake@redhat.com>, "Kevin Wolf" <kwolf@redhat.com>,
"Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-block@nongnu.org,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Juan Quintela" <quintela@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 5/6] vnc: allow specifying a custom authorization object name
Date: Tue, 19 Jun 2018 13:57:34 +0100 [thread overview]
Message-ID: <20180619125734.GV20929@redhat.com> (raw)
In-Reply-To: <20180615155103.11924-6-berrange@redhat.com>
On Fri, Jun 15, 2018 at 04:51:02PM +0100, Daniel P. Berrangé wrote:
> From: "Daniel P. Berrange" <berrange@redhat.com>
>
> The VNC server has historically had support for ACLs to check both the
> SASL username and the TLS x509 distinguished name. The VNC server was
> responsible for creating the initial ACL, and the client app was then
> responsible for populating it with rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is no way to
> populate the ACLs from the command line, users are forced to use the
> HMP. With multiple network services all supporting TLS and ACLs now, it
> is desirable to be able to define a single ACL that is referenced by all
> services.
>
> To address these limitations, two new options are added to the VNC
> server CLI. The 'tls-authz' option takes the ID of a QAuthZ object to
> use for checking TLS x509 distinguished names, and the 'sasl-authz'
> option takes the ID of another object to use for checking SASL usernames.
>
> In this example, we setup two authorization rules. The first allows any
> client with a certificate issued by the 'RedHat' organization in the
> 'London' locality. The second ACL allows clients with either the
> 'joe@REDHAT.COM' or 'fred@REDHAT.COM' kerberos usernames. Both checks
> must pass for the user to be allowed.
>
> $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> endpoint=server,verify-peer=yes \
> -object authz-simple,id=authz0,policy=deny,\
> rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
> -object authz-simple,id=authz1,policy=deny,\
> rules.0.match=fred@REDHAT.COM,rules.0.policy=allow \
> rules.0.match=joe@REDHAT.COM,rules.0.policy=allow \
Opps this msg is outdated, since we don't have ability to express
such nested properties with -object since I dropped my hacky impl
of that.
> -vnc 0.0.0.0:1,tls-creds=tls0,tls-authz=authz0,
> sasl,sasl-authz=authz1 \
> ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> qemu-doc.texi | 11 +++-------
> ui/vnc.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------
> 2 files changed, 52 insertions(+), 17 deletions(-)
>
> diff --git a/qemu-doc.texi b/qemu-doc.texi
> index cd05760cac..5b7e3faab2 100644
> --- a/qemu-doc.texi
> +++ b/qemu-doc.texi
> @@ -2917,15 +2917,10 @@ The @code{-localtime} option has been replaced by @code{-rtc base=localtime}.
>
> The @code{-startdate} option has been replaced by @code{-rtc base=@var{date}}.
>
> -@subsection -virtioconsole (since 3.0.0)
> +@subsection -vnc acl (since 3.0.0)
>
> -Option @option{-virtioconsole} has been replaced by
> -@option{-device virtconsole}.
> -
> -@subsection -clock (since 3.0.0)
> -
> -The @code{-clock} option is ignored since QEMU version 1.7.0. There is no
> -replacement since it is not needed anymore.
> +The @code{acl} option to the @code{-vnc} argument has been replaced
> +by the @code{tls-authz} and @code{sasl-authz} options.
>
> @section QEMU Machine Protocol (QMP) commands
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 9fb8430c35..2da9433ca7 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -3407,6 +3407,12 @@ static QemuOptsList qemu_vnc_opts = {
> },{
> .name = "acl",
> .type = QEMU_OPT_BOOL,
> + },{
> + .name = "tls-authz",
> + .type = QEMU_OPT_STRING,
> + },{
> + .name = "sasl-authz",
> + .type = QEMU_OPT_STRING,
> },{
> .name = "lossy",
> .type = QEMU_OPT_BOOL,
> @@ -3894,6 +3900,8 @@ void vnc_display_open(const char *id, Error **errp)
> int saslErr;
> #endif
> int acl = 0;
> + const char *tlsauthz;
> + const char *saslauthz;
> int lock_key_sync = 1;
> int key_delay_ms;
>
> @@ -3999,7 +4007,33 @@ void vnc_display_open(const char *id, Error **errp)
> }
> }
> }
> + if (qemu_opt_get(opts, "acl")) {
> + error_report("The 'acl' option to -vnc is deprecated. "
> + "Please use the 'tls-authz' and 'sasl-authz' "
> + "options instead");
> + }
> acl = qemu_opt_get_bool(opts, "acl", false);
> + tlsauthz = qemu_opt_get(opts, "tls-authz");
> + if (acl && tlsauthz) {
> + error_setg(errp, "'acl' option is mutually exclusive with the "
> + "'tls-authz' option");
> + goto fail;
> + }
> + if (tlsauthz && !vd->tlscreds) {
> + error_setg(errp, "'tls-authz' provided but TLS is not enabled");
> + goto fail;
> + }
> +
> + saslauthz = qemu_opt_get(opts, "sasl-authz");
> + if (acl && saslauthz) {
> + error_setg(errp, "'acl' option is mutually exclusive with the "
> + "'sasl-authz' option");
> + goto fail;
> + }
> + if (saslauthz && !sasl) {
> + error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
> + goto fail;
> + }
>
> share = qemu_opt_get(opts, "share");
> if (share) {
> @@ -4029,7 +4063,9 @@ void vnc_display_open(const char *id, Error **errp)
> vd->non_adaptive = true;
> }
>
> - if (acl) {
> + if (tlsauthz) {
> + vd->tlsauthzid = g_strdup(tlsauthz);
> + } else if (acl) {
> if (strcmp(vd->id, "default") == 0) {
> vd->tlsauthzid = g_strdup("vnc.x509dname");
> } else {
> @@ -4040,15 +4076,19 @@ void vnc_display_open(const char *id, Error **errp)
> &error_abort));
> }
> #ifdef CONFIG_VNC_SASL
> - if (acl && sasl) {
> - if (strcmp(vd->id, "default") == 0) {
> - vd->sasl.authzid = g_strdup("vnc.username");
> - } else {
> - vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
> + if (sasl) {
> + if (saslauthz) {
> + vd->sasl.authzid = g_strdup(saslauthz);
> + } else if (acl) {
> + if (strcmp(vd->id, "default") == 0) {
> + vd->sasl.authzid = g_strdup("vnc.username");
> + } else {
> + vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
> + }
> + vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
> + QAUTHZ_LIST_POLICY_DENY,
> + &error_abort));
> }
> - vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
> - QAUTHZ_LIST_POLICY_DENY,
> - &error_abort));
> }
> #endif
>
> --
> 2.17.0
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2018-06-19 12:57 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-15 15:50 [Qemu-devel] [PATCH 0/6] Add authorization support to all network services Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2018-06-19 20:06 ` Eric Blake
2018-06-20 8:42 ` Daniel P. Berrangé
2018-06-15 15:50 ` [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2018-06-19 20:10 ` Eric Blake
2018-06-19 22:07 ` Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 3/6] migration: add support for a "tls-authz" migration parameter Daniel P. Berrangé
2018-06-15 17:54 ` Dr. David Alan Gilbert
2018-06-18 13:40 ` Daniel P. Berrangé
2018-06-20 10:03 ` Juan Quintela
2018-06-20 10:07 ` Daniel P. Berrangé
2018-06-20 10:11 ` Juan Quintela
2018-06-15 15:51 ` [Qemu-devel] [PATCH 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2018-06-15 15:51 ` [Qemu-devel] [PATCH 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2018-06-19 12:57 ` Daniel P. Berrangé [this message]
2018-06-15 15:51 ` [Qemu-devel] [PATCH 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
2018-06-19 12:31 ` Dr. David Alan Gilbert
2018-06-19 12:52 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180619125734.GV20929@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).