From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: qemu-devel@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Andreas Färber" <afaerber@suse.de>
Subject: Re: [Qemu-devel] [PATCH v5 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks
Date: Fri, 19 Oct 2018 13:31:08 +0100 [thread overview]
Message-ID: <20181019123108.GO13722@redhat.com> (raw)
In-Reply-To: <26a77c1f-10e1-7d9e-49d6-7c2ac4a5f318@redhat.com>
On Thu, Oct 18, 2018 at 07:53:30PM +0200, Philippe Mathieu-Daudé wrote:
> Hi Daniel,
>
> On 09/10/2018 15:04, Daniel P. Berrangé wrote:
> > In many cases a single VM will just need to whilelist a single identity
> > as the allowed user of network services. This is especially the case for
> > TLS live migration (optionally with NBD storage) where we just need to
> > whitelist the x509 certificate distinguished name of the source QEMU
> > host.
> >
> > Via QMP this can be configured with:
> >
> > {
> > "execute": "object-add",
> > "arguments": {
> > "qom-type": "authz-simple",
> > "id": "authz0",
> > "parameters": {
> > "identity": "fred"
> > }
> > }
> > }
> >
> > Or via the command line
> >
> > -object authz-simple,id=authz0,identity=fred
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> > authz/Makefile.objs | 1 +
> > authz/simple.c | 122 +++++++++++++++++++++++++++++++++++++++++
> > authz/trace-events | 3 +
> > include/authz/simple.h | 84 ++++++++++++++++++++++++++++
> > qemu-options.hx | 21 +++++++
> > 5 files changed, 231 insertions(+)
> > create mode 100644 authz/simple.c
> > create mode 100644 include/authz/simple.h
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index f139459e80..ef38ff19e2 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -4377,6 +4377,27 @@ e.g to launch a SEV guest
> > .....
> >
> > @end example
> > +
> > +
> > +@item -object authz-simple,id=@var{id},identity=@var{string}
> > +
> > +Create an authorization object that will control access to network services.
> > +
> > +The @option{identity} parameter is identifies the user and its format
> > +depends on the network service that authorization object is associated
> > +with. For authorizing based on TLS x509 certificates, the identity must
> > +be the x509 distinguished name. Note that care must be taken to escape
> > +any commas in the distinguished name.
> > +
> > +An example authorization object to validate a x509 distinguished name
> > +would look like:
> > +@example
> > + # $QEMU \
> > + ...
> > + -object authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB \
> > + ...
>
> This example does not work:
>
> $ x86_64-softmmu/qemu-system-x86_64 -trace qauthz\* -object
> authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example
> Org,,L=London,,ST=London,,C=GB
> qemu-system-x86_64: -object
> authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example: Could
> not open 'Org,,L=London,,ST=London,,C=GB': No such file or directory
>
> However escaping does:
>
> $ x86_64-softmmu/qemu-system-x86_64 -trace qauthz\* -object
> authz-simple,id=auth0,identity='CN=laptop.example.com,,O=Example
> Org,,L=London,,ST=London,,C=GB'
>
> With example fixed:
>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
I'll squash in:
diff --git a/qemu-options.hx b/qemu-options.hx
index ef38ff19e2..160db9c8d2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4394,10 +4394,13 @@ would look like:
@example
# $QEMU \
...
- -object authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB \
+ -object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
...
@end example
+Note the use of quotes due to the x509 distinguished name containing
+whitespace, and escaping of ','.
+
@end table
ETEXI
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2018-10-19 12:31 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-09 13:04 [Qemu-devel] [PATCH v5 00/11] Add a standard authorization framework Daniel P. Berrangé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 01/11] util: add helper APIs for dealing with inotify in portable manner Daniel P. Berrangé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 02/11] qom: don't require user creatable objects to be registered Daniel P. Berrangé
2018-10-10 15:11 ` Philippe Mathieu-Daudé
2018-10-18 18:04 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 03/11] hw/usb: don't set IN_ISDIR for inotify watch in MTP driver Daniel P. Berrangé
2018-10-10 17:00 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 04/11] hw/usb: fix const-ness for string params " Daniel P. Berrangé
2018-10-10 15:12 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 05/11] hw/usb: switch MTP to use new inotify APIs Daniel P. Berrangé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 06/11] authz: add QAuthZ object as an authorization base class Daniel P. Berrangé
2018-10-18 18:03 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks Daniel P. Berrangé
2018-10-18 17:53 ` Philippe Mathieu-Daudé
2018-10-19 12:31 ` Daniel P. Berrangé [this message]
2018-10-19 9:56 ` Philippe Mathieu-Daudé
2018-10-19 12:32 ` Daniel P. Berrangé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 08/11] authz: add QAuthZList object type for an access control list Daniel P. Berrangé
2018-10-19 9:18 ` Philippe Mathieu-Daudé
2018-10-19 9:20 ` Daniel P. Berrangé
2018-10-19 9:33 ` Philippe Mathieu-Daudé
2018-10-19 13:13 ` Daniel P. Berrangé
2018-10-19 9:57 ` Philippe Mathieu-Daudé
2018-10-19 12:41 ` Daniel P. Berrangé
2018-10-19 12:55 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 09/11] authz: add QAuthZListFile object type for a file " Daniel P. Berrangé
2018-10-19 9:41 ` Philippe Mathieu-Daudé
2018-10-19 12:53 ` Daniel P. Berrangé
2018-10-19 12:57 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 10/11] authz: add QAuthZPAM object type for authorizing using PAM Daniel P. Berrangé
2018-10-19 10:02 ` Philippe Mathieu-Daudé
2018-10-19 11:04 ` Daniel P. Berrangé
2018-10-19 11:54 ` Philippe Mathieu-Daudé
2018-10-19 12:55 ` Daniel P. Berrangé
2018-10-19 12:58 ` Philippe Mathieu-Daudé
2018-10-09 13:04 ` [Qemu-devel] [PATCH v5 11/11] authz: delete existing ACL implementation Daniel P. Berrangé
2018-10-19 6:10 ` Philippe Mathieu-Daudé
2018-10-18 15:19 ` [Qemu-devel] [PATCH v5 00/11] Add a standard authorization framework Daniel P. Berrangé
2018-10-19 10:06 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181019123108.GO13722@redhat.com \
--to=berrange@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=kraxel@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).