On Thu, Oct 18, 2018 at 07:53:30PM +0200, Philippe Mathieu-Daudé wrote:
> Hi Daniel,
>
> On 09/10/2018 15:04, Daniel P. Berrangé wrote:
> > In many cases a single VM will just need to whitelist a single identity
> > as the allowed user of network services. This is especially the case for
> > TLS live migration (optionally with NBD storage) where we just need to
> > whitelist the x509 certificate distinguished name of the source QEMU
> > host.
> >
> > Via QMP this can be configured with:
> >
> >   {
> >     "execute": "object-add",
> >     "arguments": {
> >       "qom-type": "authz-simple",
> >       "id": "authz0",
> >       "parameters": {
> >         "identity": "fred"
> >       }
> >     }
> >   }
> >
> > Or via the command line
> >
> >   -object authz-simple,id=authz0,identity=fred
> >
> > Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> > ---
> >  authz/Makefile.objs    |   1 +
> >  authz/simple.c         | 122 +++++++++++++++++++++++++++++++++++++++++
> >  authz/trace-events     |   3 +
> >  include/authz/simple.h |  84 ++++++++++++++++++++++++++++
> >  qemu-options.hx        |  21 +++++++
> >  5 files changed, 231 insertions(+)
> >  create mode 100644 authz/simple.c
> >  create mode 100644 include/authz/simple.h
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index f139459e80..ef38ff19e2 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -4377,6 +4377,27 @@ e.g to launch a SEV guest
> >  .....
> >
> >  @end example
> > +
> > +
> > +@item -object authz-simple,id=@var{id},identity=@var{string}
> > +
> > +Create an authorization object that will control access to network
> services.
> > +
> > +The @option{identity} parameter is identifies the user and its format
> > +depends on the network service that authorization object is associated
> > +with. For authorizing based on TLS x509 certificates, the identity must
> > +be the x509 distinguished name. Note that care must be taken to escape
> > +any commas in the distinguished name.
> > +
> > +An example authorization object to validate a x509 distinguished name
> > +would look like:
> > +@example
> > + # $QEMU \
> > +   ...
> > +   -object
> > authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example
> > Org,,L=London,,ST=London,,C=GB \
> > +   ...
>
> This example does not work:
>
> $ x86_64-softmmu/qemu-system-x86_64 -trace qauthz\* -object
> authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example
> Org,,L=London,,ST=London,,C=GB
> qemu-system-x86_64: -object
> authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example: Could
> not open 'Org,,L=London,,ST=London,,C=GB': No such file or directory
>
> However escaping does:
>
> $ x86_64-softmmu/qemu-system-x86_64 -trace qauthz\* -object
> authz-simple,id=auth0,identity='CN=laptop.example.com,,O=Example
> Org,,L=London,,ST=London,,C=GB'
>
> With example fixed:
>
> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
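Review bot: the `-object` line inside the new `@example` block is unquoted, so the shell splits it at the space in `Example Org`; the test output in this reply shows the consequence, with QEMU treating `Org,,L=London,,ST=London,,C=GB` as a separate positional argument and failing with "Could not open ... No such file or directory". Wrap the whole option value in single quotes in the example, and say in the surrounding text that the doubled commas (`,,`) are the option-parser escape for a literal comma while the quotes are only there for the whitespace, since the hunk currently mentions escaping commas but not quoting. Two small wording points in the same hunk: `The @option{identity} parameter is identifies the user` has a stray `is`, and `validate a x509 distinguished name` should read `an x509`.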
I'll squash in:

diff --git a/qemu-options.hx b/qemu-options.hx
index ef38ff19e2..160db9c8d2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4394,10 +4394,13 @@ would look like:
 @example
  # $QEMU \
    ...
-   -object authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB \
+   -object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
    ...
 @end example
 
+Note the use of quotes due to the x509 distinguished name containing
+whitespace, and escaping of ','.
+
 @end table
 ETEXI

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
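Review bot: the added note ("Note the use of quotes due to the x509 distinguished name containing whitespace, and escaping of ','") reads as if the quotes also take care of the commas, but single quotes do nothing for commas; the doubled `,,` in the value is what the option parser needs to read a literal comma, and it is required whether or not the argument is quoted. Suggest wording that keeps the two mechanisms apart, e.g. "Note the use of quotes, needed because the x509 distinguished name contains whitespace, and the doubling of each ',' in the name so that it is not taken as a parameter separator."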
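The two pitfalls discussed in this thread, shell word splitting of a distinguished name that contains whitespace and the `,,` comma escape of QEMU's option syntax, in a small POSIX shell helper. This is an added example, not code from Daniel's patch or from QEMU: the function names `qemu_escape_commas`, `authz_simple_arg`, `qemu_opt_get` and `count_words` are hypothetical, the DN is constructed to match the shape of the one in the patch, and `qemu_opt_get` is a minimal re-implementation of the `,,`/`,` splitting rule used only to check that the escaped value round-trips.

```shell
#!/bin/sh
# Added example, not part of Daniel's patch or of QEMU: build a safe
# "-object authz-simple" argument from an X.509 distinguished name and
# show why the unquoted form in the original @example fails.

# QEMU's option parser treats a single ',' as a parameter separator and
# ',,' as a literal comma, so every comma in the DN must be doubled.
qemu_escape_commas() {
    printf '%s' "$1" | sed 's/,/,,/g'
}

# The full option value as one string: $1 = object id, $2 = DN.
authz_simple_arg() {
    printf 'authz-simple,id=%s,identity=%s' "$1" "$(qemu_escape_commas "$2")"
}

# Decode parameter $2 from option string $1 the way the option parser does
# (',,' -> literal comma, ',' -> separator); hypothetical helper used only
# to verify the round trip.
qemu_opt_get() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        gsub(/,,/, "\001")                 # protect escaped commas
        n = split($0, kv, ",")             # split on the real separators
        for (i = 1; i <= n; i++)
            if (index(kv[i], key "=") == 1) {
                v = substr(kv[i], length(key) + 2)
                gsub(/\001/, ",", v)       # restore the literal commas
                print v
            }
    }'
}

# How many argv elements a command would receive; used to show shell
# word splitting of an unquoted value.
count_words() {
    echo "$#"
}

# Constructed DN, same shape as the one in the patch's example.
dn='CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB'
arg=$(authz_simple_arg auth0 "$dn")
echo "-object $arg"

# Unquoted, the space in "Example Org" yields two argv elements, and QEMU
# takes the second one as a stray positional (disk image) argument.
echo "unquoted argv count: $(count_words $arg)"
# Quoted, it stays one element and the identity decodes back to the DN.
echo "quoted argv count:   $(count_words "$arg")"
echo "decoded identity:    $(qemu_opt_get "$arg" identity)"
```

The quoting has to happen in the shell (around the whole `-object` value, as in the squashed fix), while the comma doubling has to happen in the value itself; neither one substitutes for the other, which is why the round-trip check decodes the quoted, escaped string back to the original DN.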