From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
libvir-list@redhat.com, qemu-block@nongnu.org,
"Max Reitz" <mreitz@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v4 3/6] migration: add support for a "tls-authz" migration parameter
Date: Fri, 15 Feb 2019 17:14:33 +0000 [thread overview]
Message-ID: <20190215171436.30457-4-berrange@redhat.com> (raw)
In-Reply-To: <20190215171436.30457-1-berrange@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
The QEMU instance that runs as the server for the migration data
transport (ie the target QEMU) needs to be able to configure access
control so it can prevent unauthorized clients initiating an incoming
migration. This adds a new 'tls-authz' migration parameter that is used
to provide the QOM ID of a QAuthZ subclass instance that provides the
access control check. This is checked against the x509 certificate
obtained during the TLS handshake.
For example, when starting a QEMU for incoming migration, it is
possible to give an example identity of the source QEMU that is
intended to be connecting later:
$QEMU \
-monitor stdio \
-incoming defer \
...other args...
(qemu) object_add tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
endpoint=server,verify-peer=yes \
(qemu) object_add authz-simple,id=auth0,identity=CN=laptop.example.com,,\
O=Example Org,,L=London,,ST=London,,C=GB \
(qemu) migrate_incoming tcp:localhost:9000
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
hmp.c | 9 +++++++++
migration/migration.c | 8 ++++++++
migration/tls.c | 2 +-
qapi/migration.json | 14 +++++++++++++-
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/hmp.c b/hmp.c
index c234634f8a..0aea14e9d4 100644
--- a/hmp.c
+++ b/hmp.c
@@ -398,6 +398,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
monitor_printf(mon, "%s: %" PRIu64 "\n",
MigrationParameter_str(MIGRATION_PARAMETER_MAX_POSTCOPY_BANDWIDTH),
params->max_postcopy_bandwidth);
+ monitor_printf(mon, " %s: '%s'\n",
+ MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ),
+ params->has_tls_authz ? params->tls_authz : "");
}
qapi_free_MigrationParameters(params);
@@ -1709,6 +1712,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
p->tls_hostname->type = QTYPE_QSTRING;
visit_type_str(v, param, &p->tls_hostname->u.s, &err);
break;
+ case MIGRATION_PARAMETER_TLS_AUTHZ:
+ p->has_tls_authz = true;
+ p->tls_authz = g_new0(StrOrNull, 1);
+ p->tls_authz->type = QTYPE_QSTRING;
+ visit_type_str(v, param, &p->tls_authz->u.s, &err);
+ break;
case MIGRATION_PARAMETER_MAX_BANDWIDTH:
p->has_max_bandwidth = true;
/*
diff --git a/migration/migration.c b/migration/migration.c
index 37e06b76dc..3a2f0b6c54 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -721,6 +721,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
params->tls_creds = g_strdup(s->parameters.tls_creds);
params->has_tls_hostname = true;
params->tls_hostname = g_strdup(s->parameters.tls_hostname);
+ params->has_tls_authz = true;
+ params->tls_authz = g_strdup(s->parameters.tls_authz);
params->has_max_bandwidth = true;
params->max_bandwidth = s->parameters.max_bandwidth;
params->has_downtime_limit = true;
@@ -1234,6 +1236,12 @@ static void migrate_params_apply(MigrateSetParameters *params, Error **errp)
s->parameters.tls_hostname = g_strdup(params->tls_hostname->u.s);
}
+ if (params->has_tls_authz) {
+ g_free(s->parameters.tls_authz);
+ assert(params->tls_authz->type == QTYPE_QSTRING);
+ s->parameters.tls_authz = g_strdup(params->tls_authz->u.s);
+ }
+
if (params->has_max_bandwidth) {
s->parameters.max_bandwidth = params->max_bandwidth;
if (s->to_dst_file) {
diff --git a/migration/tls.c b/migration/tls.c
index 3b9e8c9263..5171afc6c4 100644
--- a/migration/tls.c
+++ b/migration/tls.c
@@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationState *s,
tioc = qio_channel_tls_new_server(
ioc, creds,
- NULL, /* XXX pass ACL name */
+ s->parameters.tls_authz,
errp);
if (!tioc) {
return;
diff --git a/qapi/migration.json b/qapi/migration.json
index 7a795ecc16..1ece4a8756 100644
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -522,6 +522,12 @@
# hostname must be provided so that the server's x509
# certificate identity can be validated. (Since 2.7)
#
+# @tls-authz: ID of the 'authz' object subclass that provides access control
+# checking of the TLS x509 certificate distinguished name.
+# This object is only resolved at time of use, so can be deleted
+# and recreated on the fly while the migration server is active.
+# If missing, it will default to denying access (Since 3.1)
+#
# @max-bandwidth: to set maximum speed for migration. maximum speed in
# bytes per second. (Since 2.8)
#
@@ -563,7 +569,7 @@
'data': ['compress-level', 'compress-threads', 'decompress-threads',
'compress-wait-thread',
'cpu-throttle-initial', 'cpu-throttle-increment',
- 'tls-creds', 'tls-hostname', 'max-bandwidth',
+ 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth',
'downtime-limit', 'x-checkpoint-delay', 'block-incremental',
'x-multifd-channels', 'x-multifd-page-count',
'xbzrle-cache-size', 'max-postcopy-bandwidth',
@@ -661,6 +667,7 @@
'*cpu-throttle-increment': 'int',
'*tls-creds': 'StrOrNull',
'*tls-hostname': 'StrOrNull',
+ '*tls-authz': 'StrOrNull',
'*max-bandwidth': 'int',
'*downtime-limit': 'int',
'*x-checkpoint-delay': 'int',
@@ -730,6 +737,10 @@
# associated with the migration URI, if any. (Since 2.9)
# Note: 2.8 reports this by omitting tls-hostname instead.
#
+# @tls-authz: ID of the 'authz' object subclass that provides access control
+# checking of the TLS x509 certificate distinguished name. (Since
+# 3.1)
+#
# @max-bandwidth: to set maximum speed for migration. maximum speed in
# bytes per second. (Since 2.8)
#
@@ -777,6 +788,7 @@
'*cpu-throttle-increment': 'uint8',
'*tls-creds': 'str',
'*tls-hostname': 'str',
+ '*tls-authz': 'str',
'*max-bandwidth': 'size',
'*downtime-limit': 'uint64',
'*x-checkpoint-delay': 'uint32',
--
2.20.1
next prev parent reply other threads:[~2019-02-15 17:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 17:14 [Qemu-devel] [PATCH v4 0/6] Add authorization support to all network services Daniel P. Berrangé
2019-02-15 17:14 ` [Qemu-devel] [PATCH v4 1/6] qemu-nbd: add support for authorization of TLS clients Daniel P. Berrangé
2019-02-15 17:14 ` [Qemu-devel] [PATCH v4 2/6] nbd: allow authorization with nbd-server-start QMP command Daniel P. Berrangé
2019-02-15 17:14 ` Daniel P. Berrangé [this message]
2019-02-15 17:14 ` [Qemu-devel] [PATCH v4 4/6] chardev: add support for authorization for TLS clients Daniel P. Berrangé
2019-02-15 17:14 ` [Qemu-devel] [PATCH v4 5/6] vnc: allow specifying a custom authorization object name Daniel P. Berrangé
2019-02-15 17:14 ` [Qemu-devel] [PATCH v4 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190215171436.30457-4-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=libvir-list@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).