qemu-devel.nongnu.org archive mirror
From: Anthony Liguori <aliguori@us.ibm.com>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access
Date: Thu, 26 Feb 2009 16:05:18 -0600	[thread overview]
Message-ID: <49A7121E.9030901@us.ibm.com> (raw)
In-Reply-To: <20090226115730.GN22494@redhat.com>

Daniel P. Berrange wrote:
> This patch introduces a generic internal API for access control lists
> to be used by network servers in QEMU. It adds support for checking
> these ACL in the VNC server, in two places. The first ACL is for the
> SASL authentication mechanism, checking the SASL username. This ACL
> is called 'vnc.username'. The second is for the TLS authentication
> mechanism, when x509 client certificates are turned on, checking against
> the Distinguished Name of the client. This ACL is called 'vnc.x509dname'.
>
> The internal API provides for an ACL with the following characteristics
>
>  - A unique name, eg  vnc.username, and vnc.x509dname.
>  - A default policy, allow or deny
>  - An ordered series of match rules, with allow or deny policy
>
> If none of the match rules apply, then the default policy is
> used.
>
> There is a monitor API to manipulate the ACLs, which I'll describe via
> examples
>
>   (qemu) acl show vnc.username
>   policy: allow
>   (qemu) acl policy vnc.username deny
>   acl: policy set to 'deny'
>   (qemu) acl allow vnc.username fred
>   acl: added rule at position 1
>   (qemu) acl allow vnc.username bob
>   acl: added rule at position 2
>   (qemu) acl allow vnc.username joe 1
>   acl: added rule at position 1
>   (qemu) acl show vnc.username
>   policy: deny
>   0: allow fred
>   1: allow joe
>   2: allow bob
>
>
>   (qemu) acl show vnc.x509dname
>   policy: allow
>   (qemu) acl policy vnc.x509dname deny
>   acl: policy set to 'deny'
>   (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
>   acl: added rule at position 1
>   (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
>   acl: added rule at position 2
>   (qemu) acl show vnc.x509dname
>   policy: deny
>   0: allow C=GB,O=ACME,L=London,CN=*
>   1: allow C=GB,O=ACME,L=Boston,CN=bob
>
> At startup the ACLs currently default to an allow policy. The
> next patch will provide a way to load a pre-defined ACL when
> starting up.
>
>
>  Makefile        |    6 +-
>  b/acl.c         |  168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  b/acl.h         |   74 ++++++++++++++++++++++++
>  monitor.c       |   95 +++++++++++++++++++++++++++++++
>  vnc-auth-sasl.c |   16 ++++-
>  vnc-auth-sasl.h |    7 ++
>  vnc-tls.c       |   19 ++++++
>  vnc-tls.h       |    3 +
>  vnc.c           |   14 ++++
>  vnc.h           |    3 +
>  10 files changed, 398 insertions(+), 7 deletions(-)
>
>    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>   

This breaks the build on win32.  Attached are the build log and config info.

Regards,

Anthony Liguori

[-- Attachment #2: config-host.mak --]
[-- Type: text/plain, Size: 1245 bytes --]

# Automatically generated by configure - do not modify
# Configured with: '/home/anthony/git/qemu/configure' '--cross-prefix=i686-pc-mingw32-' '--target-list=x86_64-softmmu'
prefix=c:\\Program Files\\Qemu
bindir=${prefix}
mandir=${prefix}
datadir=${prefix}
docdir=${prefix}
MAKE=make
INSTALL=install
CC=i686-pc-mingw32-gcc
HOST_CC=gcc
AR=i686-pc-mingw32-ar
STRIP=i686-pc-mingw32-strip -s -R .comment -R .note
OS_CFLAGS=
OS_LDFLAGS=
ARCH_CFLAGS=-m32
ARCH_LDFLAGS=-m32
CFLAGS= -O2 -g -fno-strict-aliasing -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls
LDFLAGS= -g -Wl,--warn-common
EXESUF=.exe
AIOLIBS=
ARCH=i386
CONFIG_WIN32=yes
CONFIG_GDBSTUB=yes
CONFIG_SLIRP=yes
CONFIG_AC97=yes
CONFIG_ES1370=yes
CONFIG_SB16=yes
CONFIG_VNC_TLS=yes
CONFIG_VNC_TLS_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include  
CONFIG_VNC_TLS_LIBS=-L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls  
VERSION=0.9.1
SRC_PATH=/home/anthony/git/qemu
VPATH=/home/anthony/git/qemu
TARGET_DIRS=x86_64-softmmu
CONFIG_SDL=yes
SDL_LIBS=-lmingw32 -lSDLmain -lSDL -mwindows
SDL_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include/SDL -D_GNU_SOURCE=1 -Dmain=SDL_main
INSTALL_BLOBS=yes
HOST_USB=stub
TOOLS=qemu-img$(EXESUF) 

[-- Attachment #3: config-log --]
[-- Type: text/plain, Size: 1255 bytes --]

Install prefix    c:\\Program Files\\Qemu
BIOS directory    c:\\Program Files\\Qemu
binary directory  c:\\Program Files\\Qemu
Source path       /home/anthony/git/qemu
C compiler        i686-pc-mingw32-gcc
Host C compiler   gcc
ARCH_CFLAGS       -m32
make              make
install           install
host CPU          i386
host big endian   no
target list       x86_64-softmmu
gprof enabled     no
sparse enabled    no
profiler          no
static build      no
-Werror enabled   no
SDL support       yes
SDL static link   yes
curses support    no
mingw32 support   yes
Audio drivers     
Extra audio cards ac97 es1370 sb16
Mixer emulation   no
VNC TLS support   yes
    TLS CFLAGS    -I/usr/i686-pc-mingw32/sys-root/mingw/include  
    TLS LIBS      -L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls  
VNC SASL support  no
kqemu support     yes
brlapi support    no
Documentation     no
NPTL support      no
vde support       no
AIO support       no
Install blobs     yes
KVM support       no - (linux/kvm.h: No such file or directory, #error Invalid KVM version, #error Missing KVM capability KVM_CAP_USER_MEMORY, #error Missing KVM capability KVM_CAP_SET_TSS_ADDR, #error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
fdt support       no
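The ACL semantics Daniel's summary describes (a named ACL, a default allow/deny policy, an ordered list of allow/deny rules, default policy when nothing matches), as an added example in C. This is not the patch's acl.c and not QEMU's API: the acl_* names, the 0-based rule positions (as printed by `acl show`), glob matching of the party string via fnmatch(3) so that `CN=*` matches any CN, and first-match-wins ordering are all this example's own assumptions. The demo functions replay the two monitor sessions from the summary plus one ordering case.

```c
/* Added example, not QEMU's acl.c: an ACL with the semantics the patch
 * summary describes. Names (acl_*), 0-based rule positions, glob matching
 * via fnmatch(3) and first-match-wins are this example's own assumptions. */
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>

enum acl_policy { ACL_DENY = 0, ACL_ALLOW = 1 };

struct acl_rule {
    enum acl_policy policy;
    char *pattern;              /* glob, e.g. "C=GB,O=ACME,L=London,CN=*" */
    struct acl_rule *next;
};

struct acl {
    char *name;                 /* "vnc.username" or "vnc.x509dname" */
    enum acl_policy policy;     /* default, used when no rule matches */
    struct acl_rule *rules;     /* ordered; the first match decides */
    int nrules;
};

static struct acl *acl_new(const char *name, enum acl_policy policy)
{
    struct acl *a = calloc(1, sizeof(*a));
    if (!a || !(a->name = strdup(name))) abort();
    a->policy = policy;
    return a;
}

/* Insert at a 0-based index; an index past the end appends. Returns the index used. */
static int acl_insert(struct acl *a, enum acl_policy policy,
                      const char *pattern, int index)
{
    struct acl_rule *r = calloc(1, sizeof(*r));
    if (!r || !(r->pattern = strdup(pattern))) abort();
    r->policy = policy;
    struct acl_rule **pp = &a->rules;
    int i = 0;
    while (*pp && i < index) { pp = &(*pp)->next; i++; }
    r->next = *pp;
    *pp = r;
    a->nrules++;
    return i;
}

/* 1 = allowed, 0 = denied. The first rule whose pattern matches the party decides. */
static int acl_check(const struct acl *a, const char *party)
{
    for (const struct acl_rule *r = a->rules; r; r = r->next)
        if (fnmatch(r->pattern, party, 0) == 0)
            return r->policy == ACL_ALLOW;
    return a->policy == ACL_ALLOW;   /* nothing matched: default policy */
}

static void acl_free(struct acl *a)
{
    for (struct acl_rule *r = a->rules, *n; r; r = n) { n = r->next; free(r->pattern); free(r); }
    free(a->name); free(a);
}

/* vnc.username session: startup default allow, switch to deny, allow fred and bob,
 * insert joe at position 1, giving the order fred, joe, bob. */
static int acl_demo_username(const char *user)
{
    struct acl *a = acl_new("vnc.username", ACL_ALLOW);
    a->policy = ACL_DENY;
    acl_insert(a, ACL_ALLOW, "fred", a->nrules);
    acl_insert(a, ACL_ALLOW, "bob", a->nrules);
    acl_insert(a, ACL_ALLOW, "joe", 1);
    int ok = acl_check(a, user);
    acl_free(a);
    return ok;
}

/* vnc.x509dname session: any London cert, plus bob's Boston cert. */
static int acl_demo_dname(const char *dn)
{
    struct acl *a = acl_new("vnc.x509dname", ACL_DENY);
    acl_insert(a, ACL_ALLOW, "C=GB,O=ACME,L=London,CN=*", a->nrules);
    acl_insert(a, ACL_ALLOW, "C=GB,O=ACME,L=Boston,CN=bob", a->nrules);
    int ok = acl_check(a, dn);
    acl_free(a);
    return ok;
}

/* Order matters: a deny for fred placed before a catch-all allow blocks fred
 * but not bob. Returns 1 when both outcomes hold. */
static int acl_demo_first_match(void)
{
    struct acl *a = acl_new("vnc.username", ACL_DENY);
    acl_insert(a, ACL_ALLOW, "*", a->nrules);
    acl_insert(a, ACL_DENY, "fred", 0);
    int fred = acl_check(a, "fred"), bob = acl_check(a, "bob");
    acl_free(a);
    return fred == 0 && bob == 1;
}
```

Two caveats worth keeping in mind with any implementation of this shape. First, the summary says the ACLs start out with an allow policy, so until the policy is flipped to deny (or a pre-defined ACL is loaded) every authenticated SASL user or any client certificate the CA signed gets in; set the policy before exposing the server. Second, with glob matching the party string is matched literally apart from the metacharacters, so a DN containing `*`, `?` or `[` needs escaping (fnmatch honours backslash escapes unless FNM_NOESCAPE is set), and the DN pattern has to use exactly the RDN order and separators the server produces when it renders the certificate subject, otherwise a rule that looks right never matches and the default policy silently applies.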


Thread overview: 19+ messages
2009-02-26 11:39 [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 3) Daniel P. Berrange
2009-02-26 11:52 ` [Qemu-devel] PATCH: 1/9: Fix bug in TLS authenticataion Daniel P. Berrange
2009-02-26 11:52 ` [Qemu-devel] PATCH: 2/9: Enhance 'info vnc' monitor output Daniel P. Berrange
2009-02-26 11:53 ` [Qemu-devel] PATCH: 3/9: Refactor keymap code to avoid duplication Daniel P. Berrange
2009-02-26 11:53 ` [Qemu-devel] PATCH: 4/9: Move VNC structs into header file Daniel P. Berrange
2009-02-26 11:55 ` [Qemu-devel] PATCH: 5/9: Move TLS auth into separate file Daniel P. Berrange
2009-02-26 11:56 ` [Qemu-devel] PATCH: 6/9: Add SASL authentication support Daniel P. Berrange
2009-02-26 18:57   ` Blue Swirl
2009-02-26 20:33     ` Daniel P. Berrange
2009-02-26 21:34   ` Anthony Liguori
2009-02-27 10:46   ` Daniel P. Berrange
2009-02-27 11:14     ` John Haxby
2009-02-26 11:56 ` [Qemu-devel] PATCH: 7/9: Include auth credentials in 'info vnc' Daniel P. Berrange
2009-02-26 11:57 ` [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access Daniel P. Berrange
2009-02-26 22:05   ` Anthony Liguori [this message]
2009-02-26 22:07   ` Anthony Liguori
2009-02-27 10:42     ` Daniel P. Berrange
2009-02-26 11:57 ` [Qemu-devel] PATCH: 9/9: Persist ACLs in external files Daniel P. Berrange
  -- strict thread matches above, loose matches on Subject: below --
2009-03-02 12:31 [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4) Daniel P. Berrange
2009-03-02 12:42 ` [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access Daniel P. Berrange
