From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] b25e12: qemu-nbd: add support for authorization of TLS cli...
Date: Sun, 10 Mar 2019 04:38:38 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: b25e12daff2c3e5ba933f85e8ba278f5bcba8f4d
      
https://github.com/qemu/qemu/commit/b25e12daff2c3e5ba933f85e8ba278f5bcba8f4d
  Author: Daniel P. Berrange <address@hidden>
  Date:   2019-03-06 (Wed, 06 Mar 2019)

  Changed paths:
    M include/block/nbd.h
    M nbd/server.c
    M qemu-nbd.c
    M qemu-nbd.texi
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out

  Log Message:
  -----------
  qemu-nbd: add support for authorization of TLS clients

Currently any client which can complete the TLS handshake is able to use
the NBD server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide a x509 certificate.
This means the client will have to acquire a certificate from the CA
before they are permitted to use the NBD server. This is still a fairly
low bar to cross.

This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
takes the ID of a previously added 'QAuthZ' object instance. This will
be used to validate the client's x509 distinguished name. Clients
failing the authorization check will not be permitted to use the NBD
server.

For example, to set up authorization that only allows connection from a client
whose x509 certificate distinguished name is

   CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB

escape the commas in the name and use:

  qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                    endpoint=server,verify-peer=yes \
           --object 'authz-simple,id=authz0,identity=CN=laptop.example.com,,\
                     O=Example Org,,L=London,,ST=London,,C=GB' \
           --tls-creds tls0 \
           --tls-authz authz0 \
           ....other qemu-nbd args...

NB: a real shell command line would not have leading whitespace after
the line continuation; it is just included here for clarity.

Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
[eblake: split long line in --help text, tweak 233 to show that whitespace
after ,, in identity= portion is actually okay]
Signed-off-by: Eric Blake <address@hidden>


  Commit: 000194556b65970a19ca437cd96b804a3f069f11
      
https://github.com/qemu/qemu/commit/000194556b65970a19ca437cd96b804a3f069f11
  Author: Daniel P. Berrange <address@hidden>
  Date:   2019-03-06 (Wed, 06 Mar 2019)

  Changed paths:
    M blockdev-nbd.c
    M hmp.c
    M include/block/nbd.h
    M qapi/block.json

  Log Message:
  -----------
  nbd: allow authorization with nbd-server-start QMP command

As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.

First the client must create a QAuthZ object instance using the
'object-add' command:

   {
     'execute': 'object-add',
     'arguments': {
       'qom-type': 'authz-list',
       'id': 'authz0',
       'parameters': {
         'policy': 'deny',
         'rules': [
           {
             'match': '*CN=fred',
             'policy': 'allow'
           }
         ]
       }
     }
   }

They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:

   {
     'execute': 'nbd-server-start',
     'arguments': {
       'addr': {
           'type': 'inet',
           'host': '127.0.0.1',
           'port': '9000'
       },
       'tls-creds': 'tls0',
       'tls-authz': 'authz0'
     }
   }

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
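
The two commit messages above rely on behaviour they describe but do not
show: how a distinguished name containing commas is passed through the
`--object` option syntax (",," standing for one literal comma), and how an
'authz-simple' object (one exact identity) and an 'authz-list' object (ordered
rules with a default policy) turn a client DN into an allow/deny decision. The
Python below is an added illustration written for this page, not QEMU's code.
It assumes authz-simple is an exact string comparison and that authz-list rules
use glob-style matching (QEMU's default 'format' for authz-list), modelled here
with fnmatch; the DNs fed to it are constructed from the examples in the commit
messages.

```python
"""Illustration of QEMU-style authz decisions for NBD TLS clients.

Not QEMU's implementation: a plain re-statement of the semantics the
qemu-nbd / nbd-server-start commit messages describe.
"""
import fnmatch


def parse_object_opts(spec):
    """Split a QEMU-style '--object' string into (qom_type, {key: value}).

    Commas separate key=value pairs; a doubled comma ",," is one literal
    comma inside a value, which is how an x509 DN with commas travels as a
    single 'identity' value. Only the first '=' splits key from value, so a
    DN such as 'CN=...' inside the value keeps its own '=' characters.
    """
    items, buf, i = [], [], 0
    while i < len(spec):
        c = spec[i]
        if c == ',':
            if i + 1 < len(spec) and spec[i + 1] == ',':
                buf.append(',')          # escaped comma -> literal comma
                i += 2
                continue
            items.append(''.join(buf))   # unescaped comma -> field boundary
            buf = []
        else:
            buf.append(c)
        i += 1
    items.append(''.join(buf))
    qom_type, props = items[0], {}
    for item in items[1:]:
        if not item:
            continue
        key, sep, value = item.partition('=')
        props[key] = value if sep else 'on'   # bare key == boolean 'on'
    return qom_type, props


def authz_simple(identity, client_dn):
    """'authz-simple' (assumed semantics): allow only an exact DN match."""
    return client_dn == identity


def authz_list(rules, default_policy, client_dn):
    """'authz-list' (assumed glob format): first matching rule decides,
    otherwise the object's default 'policy' applies."""
    for rule in rules:
        if fnmatch.fnmatchcase(client_dn, rule['match']):
            return rule['policy'] == 'allow'
    return default_policy == 'allow'


# The qemu-nbd example from the first commit, with the shell line
# continuations joined (constructed input; no whitespace inside the value).
AUTHZ_SIMPLE_SPEC = ('authz-simple,id=authz0,identity=CN=laptop.example.com,,'
                     'O=Example Org,,L=London,,ST=London,,C=GB')

# The 'object-add' arguments from the second commit (constructed input).
AUTHZ_LIST_RULES = [{'match': '*CN=fred', 'policy': 'allow'}]
AUTHZ_LIST_DEFAULT = 'deny'


def nbd_client_allowed(client_dn):
    """Return (authz-simple verdict, authz-list verdict) for one client DN."""
    qom_type, props = parse_object_opts(AUTHZ_SIMPLE_SPEC)
    assert qom_type == 'authz-simple'
    simple = authz_simple(props['identity'], client_dn)
    listed = authz_list(AUTHZ_LIST_RULES, AUTHZ_LIST_DEFAULT, client_dn)
    return simple, listed


if __name__ == '__main__':
    for dn in ('CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB',
               'O=Example Org,CN=fred',
               'CN=fred,O=Example Org'):
        print(dn, '->', nbd_client_allowed(dn))
```

Two points worth noticing when running it: the parsed 'identity' comes out as
the plain DN with single commas, so a mismatch between the escaped value and
the DN gnutls reports for the peer certificate means the client is refused; and
under the glob semantics assumed here the rule '*CN=fred' only matches a DN
that ends in "CN=fred", so 'CN=fred,O=Example Org' falls through to the
default 'deny'.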


  Commit: ab7c5d940b223586caafc034551a5389944e0d6a
      
https://github.com/qemu/qemu/commit/ab7c5d940b223586caafc034551a5389944e0d6a
  Author: Daniel P. Berrangé <address@hidden>
  Date:   2019-03-06 (Wed, 06 Mar 2019)

  Changed paths:
    M qapi/block.json

  Log Message:
  -----------
  nbd: fix outdated qapi docs syntax for tls-creds

Signed-off-by: Daniel P. Berrangé <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Eric Blake <address@hidden>


  Commit: 054be3605459d4342e9ee5a82ae0fcffeeb09e4d
      
https://github.com/qemu/qemu/commit/054be3605459d4342e9ee5a82ae0fcffeeb09e4d
  Author: Eric Blake <address@hidden>
  Date:   2019-03-06 (Wed, 06 Mar 2019)

  Changed paths:
    M tests/qemu-iotests/223
    M tests/qemu-iotests/223.out

  Log Message:
  -----------
  iotests: Wait for qemu to end in 223

When iotest 223 was first written, it didn't matter if we waited for
the qemu process to clean up. But with the introduction of a later
qemu-nbd process trying to reuse the same file, there is a race where
even though the asynchronous qemu process has responded to "quit", it
has not yet had time to unlock the file and exit, resulting in:

-[{ "start": 0, "length": 65536, "depth": 0, "zero": false, "data": false},
-{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true},
-{ "start": 2097152, "length": 2097152, "depth": 0, "zero": false, "data": false}]
+qemu-nbd: Failed to blk_new_open 'tests/qemu-iotests/scratch/t.qcow2': Failed to get shared "write" lock
+Is another process using the image [tests/qemu-iotests/scratch/t.qcow2]?
+qemu-img: Could not open 'driver=nbd,server.type=unix,server.path=tests/qemu-iotests/scratch/qemu-nbd.sock,x-dirty-bitmap=qemu:dirty-bitmap:b': Failed to connect socket tests/qemu-iotests/scratch/qemu-nbd.sock: Connection refused
+./common.nbd: line 33: kill: (11122) - No such process

Fixes: ddd09448
Reported-by: Alberto Garcia <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Tested-by: Alberto Garcia <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>


  Commit: e2a18635a400b0e68679614132e9ef6316105590
      
https://github.com/qemu/qemu/commit/e2a18635a400b0e68679614132e9ef6316105590
  Author: Peter Maydell <address@hidden>
  Date:   2019-03-09 (Sat, 09 Mar 2019)

  Changed paths:
    M blockdev-nbd.c
    M hmp.c
    M include/block/nbd.h
    M nbd/server.c
    M qapi/block.json
    M qemu-nbd.c
    M qemu-nbd.texi
    M tests/qemu-iotests/223
    M tests/qemu-iotests/223.out
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2019-03-08' into staging

nbd patches for 2019-03-08

- support TLS client authorization in NBD servers
- iotest 223 race fix

# gpg: Signature made Fri 08 Mar 2019 17:37:59 GMT
# gpg:                using RSA key A7A16B4A2527436A
# gpg: Good signature from "Eric Blake <address@hidden>" [full]
# gpg:                 aka "Eric Blake (Free Software Programmer) <address@hidden>" [full]
# gpg:                 aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2019-03-08:
  iotests: Wait for qemu to end in 223
  nbd: fix outdated qapi docs syntax for tls-creds
  nbd: allow authorization with nbd-server-start QMP command
  qemu-nbd: add support for authorization of TLS clients

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/f5b4c31030f4...e2a18635a400


