On Mon, Nov 05, 2018 at 04:41:09PM -0600, Eric Blake wrote:
> On 10/9/18 8:23 AM, Daniel P. Berrangé wrote:
> > From: "Daniel P. Berrange" <berra...@redhat.com>
> > 
> > Currently any client which can complete the TLS handshake is able to use
> > the NBD server. The server admin can turn on the 'verify-peer' option
> > for the x509 creds to require the client to provide a x509 certificate.
> > This means the client will have to acquire a certificate from the CA
> > before they are permitted to use the NBD server. This is still a fairly
> > low bar to cross.
> > 
> > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
> > takes the ID of a previously added 'QAuthZ' object instance. This will
> > be used to validate the client's x509 distinguished name. Clients
> > failing the authorization check will not be permitted to use the NBD
> > server.
> > 
> > For example to setup authorization that only allows connection from a client
> > whose x509 certificate distinguished name is
> > 
> >     CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
> > 
> > use:
> > 
> >    qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> >                      endpoint=server,verify-peer=yes \
> >             --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
> >                      O=Example Org,,L=London,,ST=London,,C=GB \
> 
> Missing shell quoting around the space in 'Example Org'. It's also fairly
> obvious that actual shell commands can't have leading space between
> \-newline line continuations.
> 
> >             --tls-creds tls0 \
> >             --tls-authz authz0
> >        ....other qemu-nbd args...
> > 
> > Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> > ---
> >   include/block/nbd.h |  2 +-
> >   nbd/server.c        | 10 +++++-----
> >   qemu-nbd.c          | 13 ++++++++++++-
> >   qemu-nbd.texi       |  4 ++++
> >   4 files changed, 22 insertions(+), 7 deletions(-)
> > 
> 
> > +++ b/qemu-nbd.c
> > @@ -52,6 +52,7 @@
> >   #define QEMU_NBD_OPT_TLSCREDS      261
> >   #define QEMU_NBD_OPT_IMAGE_OPTS    262
> >   #define QEMU_NBD_OPT_FORK          263
> > +#define QEMU_NBD_OPT_TLSAUTHZ      264
> 
> > @@ -532,6 +534,7 @@ int main(int argc, char **argv)
> >           { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
> >           { "trace", required_argument, NULL, 'T' },
> >           { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> > +        { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
> >           { NULL, 0, NULL, 0 }
> >       };
> 
> Missing a change to qemu-nbd --help to describe the new option.

Yes, and it should be 'required_argument' too, not 'no_argument'.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to