[Qemu-commits] [qemu/qemu] b25e12: qemu-nbd: add support for authorizati
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] b25e12: qemu-nbd: add support for authorization of TLS cli...
Date: Sun, 10 Mar 2019 04:38:38 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: b25e12daff2c3e5ba933f85e8ba278f5bcba8f4d
https://github.com/qemu/qemu/commit/b25e12daff2c3e5ba933f85e8ba278f5bcba8f4d
Author: Daniel P. Berrange <address@hidden>
Date: 2019-03-06 (Wed, 06 Mar 2019)
Changed paths:
M include/block/nbd.h
M nbd/server.c
M qemu-nbd.c
M qemu-nbd.texi
M tests/qemu-iotests/233
M tests/qemu-iotests/233.out
Log Message:
-----------
qemu-nbd: add support for authorization of TLS clients
Currently any client which can complete the TLS handshake is able to use
the NBD server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide a x509 certificate.
This means the client will have to acquire a certificate from the CA
before they are permitted to use the NBD server. This is still a fairly
low bar to cross.
This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
takes the ID of a previously added 'QAuthZ' object instance. This will
be used to validate the client's x509 distinguished name. Clients
failing the authorization check will not be permitted to use the NBD
server.
For example to setup authorization that only allows connection from a client
whose x509 certificate distinguished name is
CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
escape the commas in the name and use:
  qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                    endpoint=server,verify-peer=yes \
           --object 'authz-simple,id=authz0,identity=CN=laptop.example.com,,\
                     O=Example Org,,L=London,,ST=London,,C=GB' \
           --tls-creds tls0 \
           --tls-authz authz0 \
           ....other qemu-nbd args...
NB: a real shell command line would not have leading whitespace after
the line continuation, it is just included here for clarity.
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
[eblake: split long line in --help text, tweak 233 to show that whitespace
after ,, in identity= portion is actually okay]
Signed-off-by: Eric Blake <address@hidden>
Commit: 000194556b65970a19ca437cd96b804a3f069f11
https://github.com/qemu/qemu/commit/000194556b65970a19ca437cd96b804a3f069f11
Author: Daniel P. Berrange <address@hidden>
Date: 2019-03-06 (Wed, 06 Mar 2019)
Changed paths:
M blockdev-nbd.c
M hmp.c
M include/block/nbd.h
M qapi/block.json
Log Message:
-----------
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
  {
    'execute': 'object-add',
    'arguments': {
      'qom-type': 'authz-list',
      'id': 'authz0',
      'parameters': {
        'policy': 'deny',
        'rules': [
          {
            'match': '*CN=fred',
            'policy': 'allow'
          }
        ]
      }
    }
  }
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
  {
    'execute': 'nbd-server-start',
    'arguments': {
      'addr': {
        'type': 'inet',
        'host': '127.0.0.1',
        'port': '9000'
      },
      'tls-creds': 'tls0',
      'tls-authz': 'authz0'
    }
  }
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
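The two commits above configure the same thing through different front ends: an x509 client must first pass verify-peer against the CA, and then its distinguished name is handed to a QAuthZ object, either 'authz-simple' (qemu-nbd example) or 'authz-list' (QMP example). The model below is an added illustration written for this page, not QEMU's code. It reproduces the documented semantics of both backends so a rule set can be dry-run against candidate DNs before a server is exposed, and it encodes one detail worth checking: the QAPI schema for authz-list rules makes 'format' optional with default 'exact', so a rule written as in the QMP example, with no 'format' key, matches the literal string '*CN=fred' rather than a glob. Glob matching here uses fnmatch's '*' and '?'; the tls_dir path and the helper names are assumptions of this example, and the exact string form of the peer DN (RDN order, spacing) comes from the TLS library and should be confirmed against a real client certificate before relying on a pattern.

```python
"""Model of the QAuthZ backends used by --tls-authz / 'tls-authz'.

Added example for this page, not code from QEMU. It mirrors the documented
behaviour of 'authz-simple' (peer identity must equal one configured string)
and 'authz-list' (ordered rules, first match wins, each rule 'exact' or
'glob', falling back to the list's default policy). QEMU's own matcher in
its authz/ directory is the authority; this is for checking rule sets.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


@dataclass
class Rule:
    match: str
    policy: str = "deny"      # "allow" or "deny"
    format: str = "exact"     # "exact" or "glob"; the QAPI schema defaults to exact


@dataclass
class AuthZList:
    policy: str = "deny"                             # default when no rule matches
    rules: List[Rule] = field(default_factory=list)

    @classmethod
    def from_qmp(cls, policy: str, rules: List[dict]) -> "AuthZList":
        """Build from rule dicts shaped like the 'rules' array of the
        object-add command above; a missing 'format' key means exact."""
        return cls(policy, [Rule(r["match"], r["policy"], r.get("format", "exact"))
                            for r in rules])

    def is_allowed(self, identity: str) -> bool:
        # First matching rule decides; otherwise the list's default policy.
        for rule in self.rules:
            if rule.format == "glob":
                hit = fnmatchcase(identity, rule.match)   # '*' and '?' wildcards
            elif rule.format == "exact":
                hit = identity == rule.match
            else:
                raise ValueError(f"unknown rule format {rule.format!r}")
            if hit:
                return rule.policy == "allow"
        return self.policy == "allow"


@dataclass
class AuthZSimple:
    """authz-simple: allow exactly one identity string, deny everything else."""
    identity: str

    def is_allowed(self, identity: str) -> bool:
        return identity == self.identity


def escape_for_qemu_opts(value: str) -> str:
    """QEMU's -object parser splits on ',' and reads ',,' as a literal comma,
    so every comma inside a DN must be doubled (the ',,' in the command above)."""
    return value.replace(",", ",,")


def qemu_nbd_authz_args(identity: str, tls_dir: str = "/etc/pki/qemu-nbd") -> List[str]:
    """qemu-nbd argument list (for subprocess, no shell quoting needed) tying a
    tls-creds-x509 object to an authz-simple object. tls_dir is hypothetical."""
    return [
        "--object", f"tls-creds-x509,id=tls0,dir={tls_dir},endpoint=server,verify-peer=yes",
        "--object", f"authz-simple,id=authz0,identity={escape_for_qemu_opts(identity)}",
        "--tls-creds", "tls0",
        "--tls-authz", "authz0",
    ]


if __name__ == "__main__":
    # The rule set from the QMP example above, as written and with format=glob.
    as_written = AuthZList.from_qmp("deny", [{"match": "*CN=fred", "policy": "allow"}])
    as_glob = AuthZList.from_qmp("deny", [{"match": "*CN=fred", "policy": "allow",
                                           "format": "glob"}])
    for dn in ("CN=fred", "CN=fred,O=Example Org", "O=Mallory,CN=fred"):
        print(f"{dn:24} exact:{as_written.is_allowed(dn)!s:6} glob:{as_glob.is_allowed(dn)}")
    print(qemu_nbd_authz_args("CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB"))
```

Running the module shows that with format left at its default the rule never fires for 'CN=fred' (the default deny policy then applies, so the mistake fails closed), while as a glob '*CN=fred' admits any DN whose string ends in CN=fred, including one with an unexpected organisation in front, which is why the allowed identity should be pinned with authz-simple or an exact rule when the CA issues certificates to more than one party.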
Commit: ab7c5d940b223586caafc034551a5389944e0d6a
https://github.com/qemu/qemu/commit/ab7c5d940b223586caafc034551a5389944e0d6a
Author: Daniel P. Berrangé <address@hidden>
Date: 2019-03-06 (Wed, 06 Mar 2019)
Changed paths:
M qapi/block.json
Log Message:
-----------
nbd: fix outdated qapi docs syntax for tls-creds
Signed-off-by: Daniel P. Berrangé <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
Commit: 054be3605459d4342e9ee5a82ae0fcffeeb09e4d
https://github.com/qemu/qemu/commit/054be3605459d4342e9ee5a82ae0fcffeeb09e4d
Author: Eric Blake <address@hidden>
Date: 2019-03-06 (Wed, 06 Mar 2019)
Changed paths:
M tests/qemu-iotests/223
M tests/qemu-iotests/223.out
Log Message:
-----------
iotests: Wait for qemu to end in 223
When iotest 223 was first written, it didn't matter if we waited for
the qemu process to clean up. But with the introduction of a later
qemu-nbd process trying to reuse the same file, there is a race where
even though the asynchronous qemu process has responded to "quit", it
has not yet had time to unlock the file and exit, resulting in:
-[{ "start": 0, "length": 65536, "depth": 0, "zero": false, "data": false},
-{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true},
-{ "start": 2097152, "length": 2097152, "depth": 0, "zero": false, "data": false}]
+qemu-nbd: Failed to blk_new_open 'tests/qemu-iotests/scratch/t.qcow2': Failed to get shared "write" lock
+Is another process using the image [tests/qemu-iotests/scratch/t.qcow2]?
+qemu-img: Could not open 'driver=nbd,server.type=unix,server.path=tests/qemu-iotests/scratch/qemu-nbd.sock,x-dirty-bitmap=qemu:dirty-bitmap:b': Failed to connect socket tests/qemu-iotests/scratch/qemu-nbd.sock: Connection refused
+./common.nbd: line 33: kill: (11122) - No such process
Fixes: ddd09448
Reported-by: Alberto Garcia <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Tested-by: Alberto Garcia <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Commit: e2a18635a400b0e68679614132e9ef6316105590
https://github.com/qemu/qemu/commit/e2a18635a400b0e68679614132e9ef6316105590
Author: Peter Maydell <address@hidden>
Date: 2019-03-09 (Sat, 09 Mar 2019)
Changed paths:
M blockdev-nbd.c
M hmp.c
M include/block/nbd.h
M nbd/server.c
M qapi/block.json
M qemu-nbd.c
M qemu-nbd.texi
M tests/qemu-iotests/223
M tests/qemu-iotests/223.out
M tests/qemu-iotests/233
M tests/qemu-iotests/233.out
Log Message:
-----------
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2019-03-08' into staging
nbd patches for 2019-03-08
- support TLS client authorization in NBD servers
- iotest 223 race fix
# gpg: Signature made Fri 08 Mar 2019 17:37:59 GMT
# gpg: using RSA key A7A16B4A2527436A
# gpg: Good signature from "Eric Blake <address@hidden>" [full]
# gpg: aka "Eric Blake (Free Software Programmer) <address@hidden>" [full]
# gpg: aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A
* remotes/ericb/tags/pull-nbd-2019-03-08:
iotests: Wait for qemu to end in 223
nbd: fix outdated qapi docs syntax for tls-creds
nbd: allow authorization with nbd-server-start QMP command
qemu-nbd: add support for authorization of TLS clients
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/f5b4c31030f4...e2a18635a400