Re: [libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
On Mon, Nov 05, 2018 at 04:41:09PM -0600, Eric Blake wrote: > On 10/9/18 8:23 AM, Daniel P. Berrangé wrote: > > From: "Daniel P. Berrange" > > > > Currently any client which can complete the TLS handshake is able to use > > the NBD server. The server admin can turn on the 'verify-peer' option > > for the x509 creds to require the client to provide a x509 certificate. > > This means the client will have to acquire a certificate from the CA > > before they are permitted to use the NBD server. This is still a fairly > > low bar to cross. > > > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > > takes the ID of a previously added 'QAuthZ' object instance. This will > > be used to validate the client's x509 distinguished name. Clients > > failing the authorization check will not be permitted to use the NBD > > server. > > > > For example to setup authorization that only allows connection from a client > > whose x509 certificate distinguished name is > > > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > > > use: > > > >qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > > endpoint=server,verify-peer=yes \ > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > > O=Example Org,,L=London,,ST=London,,C=GB \ > > Missing shell quoting around the space in 'Example Org'. It's also fairly > obvious that actual shell commands can't have leading space between > \-newline line continuations. > > > --tls-creds tls0 \ > > --tls-authz authz0 > >other qemu-nbd args... > > > > Signed-off-by: Daniel P. Berrange > > --- > > include/block/nbd.h | 2 +- > > nbd/server.c| 10 +- > > qemu-nbd.c | 13 - > > qemu-nbd.texi | 4 > > 4 files changed, 22 insertions(+), 7 deletions(-) > > > > > +++ b/qemu-nbd.c > > @@ -52,6 +52,7 @@ > > #define QEMU_NBD_OPT_TLSCREDS 261 > > #define QEMU_NBD_OPT_IMAGE_OPTS262 > > #define QEMU_NBD_OPT_FORK 263 > > +#define QEMU_NBD_OPT_TLSAUTHZ 264 > > > @@ -532,6 +534,7 @@ int main(int argc, char **argv) > > { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, > > { "trace", required_argument, NULL, 'T' }, > > { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, > > +{ "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, > > { NULL, 0, NULL, 0 } > > }; > > Missing a change to qemu-nbd --help to describe the new option. Yes, and it should be 'required_argument' too, not 'no_argument'. Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
On Mon, Nov 05, 2018 at 04:41:09PM -0600, Eric Blake wrote: > On 10/9/18 8:23 AM, Daniel P. Berrangé wrote: > > From: "Daniel P. Berrange" > > > > Currently any client which can complete the TLS handshake is able to use > > the NBD server. The server admin can turn on the 'verify-peer' option > > for the x509 creds to require the client to provide a x509 certificate. > > This means the client will have to acquire a certificate from the CA > > before they are permitted to use the NBD server. This is still a fairly > > low bar to cross. > > > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > > takes the ID of a previously added 'QAuthZ' object instance. This will > > be used to validate the client's x509 distinguished name. Clients > > failing the authorization check will not be permitted to use the NBD > > server. > > > > For example to setup authorization that only allows connection from a client > > whose x509 certificate distinguished name is > > > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > > > use: > > > >qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > > endpoint=server,verify-peer=yes \ > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > > O=Example Org,,L=London,,ST=London,,C=GB \ > > Missing shell quoting around the space in 'Example Org'. It's also fairly > obvious that actual shell commands can't have leading space between > \-newline line continuations. Yep, leading space is the tradeoff of sticking to sensible line length while maintaining clarity. > > > --tls-creds tls0 \ > > --tls-authz authz0 > >other qemu-nbd args... > > > > Signed-off-by: Daniel P. Berrange > > --- > > include/block/nbd.h | 2 +- > > nbd/server.c| 10 +- > > qemu-nbd.c | 13 - > > qemu-nbd.texi | 4 > > 4 files changed, 22 insertions(+), 7 deletions(-) > > > > > +++ b/qemu-nbd.c > > @@ -52,6 +52,7 @@ > > #define QEMU_NBD_OPT_TLSCREDS 261 > > #define QEMU_NBD_OPT_IMAGE_OPTS262 > > #define QEMU_NBD_OPT_FORK 263 > > +#define QEMU_NBD_OPT_TLSAUTHZ 264 > > > @@ -532,6 +534,7 @@ int main(int argc, char **argv) > > { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, > > { "trace", required_argument, NULL, 'T' }, > > { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, > > +{ "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, > > { NULL, 0, NULL, 0 } > > }; > > Missing a change to qemu-nbd --help to describe the new option. Opps, yes. Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
On 10/9/18 8:23 AM, Daniel P. Berrangé wrote: From: "Daniel P. Berrange" Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB use: qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ endpoint=server,verify-peer=yes \ --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ O=Example Org,,L=London,,ST=London,,C=GB \ Missing shell quoting around the space in 'Example Org'. It's also fairly obvious that actual shell commands can't have leading space between \-newline line continuations. --tls-creds tls0 \ --tls-authz authz0 other qemu-nbd args... Signed-off-by: Daniel P. Berrange --- include/block/nbd.h | 2 +- nbd/server.c| 10 +- qemu-nbd.c | 13 - qemu-nbd.texi | 4 4 files changed, 22 insertions(+), 7 deletions(-) +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 @@ -532,6 +534,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, +{ "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 } }; Missing a change to qemu-nbd --help to describe the new option. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
Daniel P. Berrangé wrote: > From: "Daniel P. Berrange" > > Currently any client which can complete the TLS handshake is able to use > the NBD server. The server admin can turn on the 'verify-peer' option > for the x509 creds to require the client to provide a x509 certificate. > This means the client will have to acquire a certificate from the CA > before they are permitted to use the NBD server. This is still a fairly > low bar to cross. > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > takes the ID of a previously added 'QAuthZ' object instance. This will > be used to validate the client's x509 distinguished name. Clients > failing the authorization check will not be permitted to use the NBD > server. > > For example to setup authorization that only allows connection from a client > whose x509 certificate distinguished name is > >CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > use: > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > endpoint=server,verify-peer=yes \ >--object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > O=Example Org,,L=London,,ST=London,,C=GB \ >--tls-creds tls0 \ >--tls-authz authz0 > other qemu-nbd args... > > Signed-off-by: Daniel P. Berrange Reviewed-by: Juan Quintela -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients
From: "Daniel P. Berrange" Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB use: qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ endpoint=server,verify-peer=yes \ --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ O=Example Org,,L=London,,ST=London,,C=GB \ --tls-creds tls0 \ --tls-authz authz0 other qemu-nbd args... Signed-off-by: Daniel P. Berrange --- include/block/nbd.h | 2 +- nbd/server.c| 10 +- qemu-nbd.c | 13 - qemu-nbd.texi | 4 4 files changed, 22 insertions(+), 7 deletions(-) diff --git a/include/block/nbd.h b/include/block/nbd.h index 6a5bfe5d55..d7aa6b24d0 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -312,7 +312,7 @@ void nbd_export_close_all(void); void nbd_client_new(QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, -const char *tlsaclname, +const char *tlsauthz, void (*close_fn)(NBDClient *, bool)); void nbd_client_get(NBDClient *client); void nbd_client_put(NBDClient *client); diff --git a/nbd/server.c b/nbd/server.c index a1eda0114f..138a35f838 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -111,7 +111,7 @@ struct NBDClient { NBDExport *exp; QCryptoTLSCreds *tlscreds; -char *tlsaclname; +char *tlsauthz; QIOChannelSocket *sioc; /* The underlying data channel */ QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */ @@ -687,7 +687,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client, tioc = qio_channel_tls_new_server(ioc, client->tlscreds, - client->tlsaclname, + client->tlsauthz, errp); if (!tioc) { return NULL; @@ -1353,7 +1353,7 @@ void nbd_client_put(NBDClient *client) if (client->tlscreds) { object_unref(OBJECT(client->tlscreds)); } -g_free(client->tlsaclname); +g_free(client->tlsauthz); if (client->exp) { QTAILQ_REMOVE(>exp->clients, client, next); nbd_export_put(client->exp); @@ -2403,7 +2403,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) */ void nbd_client_new(QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, -const char *tlsaclname, +const char *tlsauthz, void (*close_fn)(NBDClient *, bool)) { NBDClient *client; @@ -2415,7 +2415,7 @@ void nbd_client_new(QIOChannelSocket *sioc, if (tlscreds) { object_ref(OBJECT(client->tlscreds)); } -client->tlsaclname = g_strdup(tlsaclname); +client->tlsauthz = g_strdup(tlsauthz); client->sioc = sioc; object_ref(OBJECT(client->sioc)); client->ioc = QIO_CHANNEL(sioc); diff --git a/qemu-nbd.c b/qemu-nbd.c index e76fe3082a..61fe0fb5b9 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 #define MBR_SIZE 512 @@ -65,6 +66,7 @@ static int shared = 1; static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; +static const char *tlsauthz; static void usage(const char *name) { @@ -354,7 +356,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, nb_fds++; nbd_update_server_watch(); -nbd_client_new(cioc, tlscreds, NULL, nbd_client_closed); +nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed); } static void nbd_update_server_watch(void) @@ -532,6 +534,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, +{ "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 }