From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, "Kevin Wolf" <kwolf@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
qemu-block@nongnu.org,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients
Date: Wed, 20 Jun 2018 15:45:01 +0100 [thread overview]
Message-ID: <20180620144500.GN2549@work-vm> (raw)
In-Reply-To: <20180620142644.GR3441@redhat.com>
* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Wed, Jun 20, 2018 at 03:22:53PM +0100, Dr. David Alan Gilbert wrote:
> > * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > > From: "Daniel P. Berrange" <berrange@redhat.com>
> > >
> > > Currently any client which can complete the TLS handshake is able to use
> > > the NBD server. The server admin can turn on the 'verify-peer' option
> > > for the x509 creds to require the client to provide a x509 certificate.
> > > This means the client will have to acquire a certificate from the CA
> > > before they are permitted to use the NBD server. This is still a fairly
> > > low bar to cross.
> > >
> > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
> > > takes the ID of a previously added 'QAuthZ' object instance. This will
> > > be used to validate the client's x509 distinguished name. Clients
> > > failing the authorization check will not be permitted to use the NBD
> > > server.
> > >
> > > For example to setup authorization that only allows connection from a client
> > > whose x509 certificate distinguished name is
> > >
> > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
> > >
> > > use:
> > >
> > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> > > endpoint=server,verify-peer=yes \
> > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
> > > O=Example Org,,L=London,,ST=London,,C=GB \
> >
> > I'm confused about how that gets parsed, what differentiates the ,s
> > that separate the arguments (e.g. ,id= ,identity=) and the ,s that
> > separate the options within the identity string (e.g. the ,ST=London)
>
> That's why I've doubled up - eg ',,' must be used when you need to
> include a literal ',' in a value without it being interpreted as
> starting a new option
OK, yeh I forgot about the obscure double-comma rule.
> > Would:
> > --object authz-simple,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB,id=auth0
> >
> > be equivalent?
>
> Yes
OK.
Dave
>
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2018-06-20 14:45 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-20 12:14 [Qemu-devel] [PATCH v2 0/6] Add authorization support to all network services Daniel P. Berrangé
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2018-06-20 13:58 ` Eric Blake
2018-06-20 14:03 ` Daniel P. Berrangé
2018-06-20 14:22 ` Dr. David Alan Gilbert
2018-06-20 14:26 ` Daniel P. Berrangé
2018-06-20 14:45 ` Dr. David Alan Gilbert [this message]
2018-06-20 14:28 ` Eric Blake
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2018-06-20 14:05 ` Eric Blake
2018-06-20 14:07 ` Daniel P. Berrangé
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 3/6] migration: add support for a "tls-authz" migration parameter Daniel P. Berrangé
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2018-06-20 12:14 ` [Qemu-devel] [PATCH v2 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180620144500.GN2549@work-vm \
--to=dgilbert@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).