On 06/15/2018 10:50 AM, Daniel P. Berrangé wrote:
From: "Daniel P. Berrange" <berra...@redhat.com>
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
  'execute': 'object-add',
  'arguments': {
    'qom-type': 'authz-simple',
    'id': 'authz0',
    'parameters': {
      'policy': 'deny',
      'rules': [
        {
          'match': '*CN=fred',
          'policy': 'allow'
        }
      ]
    }
  }
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
  'execute': 'nbd-server-start',
  'arguments': {
    'addr': {
      'type': 'inet',
      'host': '127.0.0.1',
      'port': '9000'
    },
    'tls-creds': 'tls0',
    'tls-authz': 'authz0'
  }
}
Is it worth using a discriminated union (string vs. QAuthZ) so that one
could specify the authz policy inline rather than as a separate object,
for convenience? But that would be fine as a followup patch, if we even
want it.
Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
---
blockdev-nbd.c | 14 +++++++++++---
hmp.c | 2 +-
include/block/nbd.h | 2 +-
qapi/block.json | 4 +++-
4 files changed, 16 insertions(+), 6 deletions(-)
@@ -118,6 +121,10 @@ void nbd_server_start(SocketAddress *addr, const char
*tls_creds,
}
}
+ if (tls_authz) {
+ nbd_server->tlsauthz = g_strdup(tls_authz);
+ }
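Review bot: The "if (tls_authz)" guard in this hunk is redundant, since g_strdup() returns NULL when given NULL; "nbd_server->tlsauthz = g_strdup(tls_authz);" can be assigned unconditionally. The hunk only shows the allocation; the matching g_free() of nbd_server->tlsauthz on the server stop path is not visible here and should be confirmed, otherwise each start/stop cycle leaks the string.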
Pointless 'if'; g_strdup() does the right thing.
+++ b/qapi/block.json
@@ -197,6 +197,7 @@
#
# @addr: Address on which to listen.
# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
+# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13
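Review bot: The "(optional)" prefix on the new @tls-authz line is not needed, as the QAPI documentation generator already marks optional members from the schema; drop it so the line matches the generated style. The "Since" tag should read 3.0 rather than 2.13, since the release following 2.12 was renumbered. It would also help to document the behaviour when @tls-authz is omitted while @tls-creds is set, so users know whether every client with valid credentials is accepted.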
No need for the string '(optional)' (I thought we killed those uses when
we automated the documentation generation - but obviously a few were
left behind).
s/2.13/3.0/
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
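As an added illustration (not part of the patch or of QEMU's own code), a small Python model of how the deny-by-default 'authz-simple' policy from the commit message gates client identities; the matching semantics (glob over the whole identity string, first matching rule wins, default policy otherwise) and the sample x509 distinguished names are assumptions of this model, not taken from the patch.

```python
import fnmatch
from typing import Dict, List

# Policy shape mirrors the 'authz-simple' object from the object-add example
# above: a default 'policy' plus an ordered list of {'match', 'policy'} rules.
# Assumed semantics: 'match' is a glob matched against the whole identity,
# the first matching rule decides, and the default applies when none match.

def authz_is_allowed(policy: Dict, identity: str) -> bool:
    """Return True if the identity is permitted by the policy."""
    for rule in policy.get("rules", []):
        if fnmatch.fnmatchcase(identity, rule["match"]):
            return rule["policy"] == "allow"
    return policy["policy"] == "allow"

# The policy from the commit message's object-add example.
EXAMPLE_POLICY = {
    "policy": "deny",
    "rules": [
        {"match": "*CN=fred", "policy": "allow"},
    ],
}

def check_identities(policy: Dict, identities: List[str]) -> Dict[str, bool]:
    """Evaluate several identities against one policy."""
    return {ident: authz_is_allowed(policy, ident) for ident in identities}

if __name__ == "__main__":
    # Constructed sample distinguished names, as a TLS server would see them
    # after verifying the client certificate.
    samples = [
        "CN=fred",                  # exact match
        "O=Example Ltd,CN=fred",    # glob '*' absorbs the leading attributes
        "CN=fred,O=Example Ltd",    # CN not at the end: '*CN=fred' rejects it
        "CN=alfred",                # different CN: rejected by default deny
    ]
    for ident, ok in check_identities(EXAMPLE_POLICY, samples).items():
        print(f"{ident!r}: {'allow' if ok else 'deny'}")
```

The third sample shows why a leading-wildcard rule is sensitive to attribute order in the DN; an exact, fully-qualified match is safer when the CA's DN layout is known.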