subject:"\[Qemu\-devel\] \[PATCH 0\/8\] Add a standard authorization framework"

Re: [Qemu-devel] [PATCH 0/8] Add a standard authorization framework

2018-06-08 Thread no-reply

Hi,

This series failed docker-mingw@fedora build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 20180608170933.9137-1-berra...@redhat.com
Subject: [Qemu-devel] [PATCH 0/8] Add a standard authorization framework

=== TEST SCRIPT BEGIN ===
#!/bin/bash
set -e
git submodule update --init dtc
# Let docker tests dump environment info
export SHOW_ENV=1
export J=8
time make docker-test-mingw@fedora
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 t [tag update]patchew/20180608131604.16826-1-berra...@redhat.com 
-> patchew/20180608131604.16826-1-berra...@redhat.com
 t [tag update]patchew/20180608170231.27912-1-arm...@redhat.com -> 
patchew/20180608170231.27912-1-arm...@redhat.com
Switched to a new branch 'test'
18b4855a37 authz: delete existing ACL implementation
2260400d3f authz: add QAuthZPAM object type for authorizing using PAM
fb8d6ec821 authz: add QAuthZListFile object type for a file access control list
bbade7aba7 authz: add QAuthZList object type for an access control list
817a4f0ca3 authz: add QAuthZSimple object type for trivial auth checks
95dc3e5ca6 authz: add QAuthZ object as an authorization base class
3e592c8583 hw/usb: switch MTP to use new inotify APIs
2c60f59c2f util: add helper APIs for dealing with inotify

=== OUTPUT BEGIN ===
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into '/var/tmp/patchew-tester-tmp-jh1g_f88/src/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
  BUILD   fedora
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-jh1g_f88/src'
  GEN 
/var/tmp/patchew-tester-tmp-jh1g_f88/src/docker-src.2018-06-08-13.36.52.24177/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-jh1g_f88/src/docker-src.2018-06-08-13.36.52.24177/qemu.tar.vroot'...
done.
Checking out files:  46% (2925/6232)   
Checking out files:  47% (2930/6232)   
Checking out files:  48% (2992/6232)   
Checking out files:  49% (3054/6232)   
Checking out files:  50% (3116/6232)   
Checking out files:  51% (3179/6232)   
Checking out files:  52% (3241/6232)   
Checking out files:  53% (3303/6232)   
Checking out files:  54% (3366/6232)   
Checking out files:  55% (3428/6232)   
Checking out files:  56% (3490/6232)   
Checking out files:  57% (3553/6232)   
Checking out files:  58% (3615/6232)   
Checking out files:  59% (3677/6232)   
Checking out files:  60% (3740/6232)   
Checking out files:  61% (3802/6232)   
Checking out files:  62% (3864/6232)   
Checking out files:  63% (3927/6232)   
Checking out files:  64% (3989/6232)   
Checking out files:  65% (4051/6232)   
Checking out files:  66% (4114/6232)   
Checking out files:  67% (4176/6232)   
Checking out files:  68% (4238/6232)   
Checking out files:  69% (4301/6232)   
Checking out files:  70% (4363/6232)   
Checking out files:  71% (4425/6232)   
Checking out files:  72% (4488/6232)   
Checking out files:  73% (4550/6232)   
Checking out files:  74% (4612/6232)   
Checking out files:  75% (4674/6232)   
Checking out files:  76% (4737/6232)   
Checking out files:  77% (4799/6232)   
Checking out files:  78% (4861/6232)   
Checking out files:  79% (4924/6232)   
Checking out files:  80% (4986/6232)   
Checking out files:  81% (5048/6232)   
Checking out files:  82% (5111/6232)   
Checking out files:  83% (5173/6232)   
Checking out files:  84% (5235/6232)   
Checking out files:  85% (5298/6232)   
Checking out files:  86% (5360/6232)   
Checking out files:  87% (5422/6232)   
Checking out files:  88% (5485/6232)   
Checking out files:  89% (5547/6232)   
Checking out files:  90% (5609/6232)   
Checking out files:  91% (5672/6232)   
Checking out files:  92% (5734/6232)   
Checking out files:  93% (5796/6232)   
Checking out files:  94% (5859/6232)   
Checking out files:  95% (5921/6232)   
Checking out files:  96% (5983/6232)   
Checking out files:  97% (6046/6232)   
Checking out files:  98% (6108/6232)   
Checking out files:  99% (6170/6232)   
Checking out files: 100% (6232/6232)   
Checking out files: 100% (6232/6232), done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-jh1g_f88/src/docker-src.2018-06-08-13.36.52.24177/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-jh1g_f88/src/docker-src.2018-06-08-13.36.52.24177/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-mingw in qemu:fedora 
Packages installed:
SDL2-devel-2.0.8-5.fc28.x86_64
bc-1.07.1-

[Qemu-devel] [PATCH 0/8] Add a standard authorization framework

2018-06-08 Thread Daniel P . Berrangé

The current network services now support encryption via TLS and in some
cases support authentication via SASL. In cases where SASL is not
available, x509 client certificates can be used as a crude authorization
scheme, but using a sub-CA and controlling who you give certs to. In
general this is not very flexible though, so this series introduces a
new standard authorization framework.

It comes with four initial authorization mechanisms

 - Simple - an exact username match. This is useful when there is
   exactly one user that is known to connect. For example when live
   migrating from one QEMU to another with TLS, libvirt would use
   the simple scheme to whitelist the TLS cert of the source QEMU.

 - List - an full access control list, with optional regex matching.
   This is more flexible and is used to provide 100% backcompat with
   the existing HMP ACL commands. The caveat is that we can't create
   these via the CLI -object arg yet.

 - ListFile - the same as List, but with the rules stored in JSON
   format in an external file. This avoids the -object limitation
   while also allowing the admin to change list entries on the file.
   QEMU uses inotify to notice these changes and auto-reload the
   file contents. This is likely a good default choice for most
   network services, if the "simple" mechanism isn't sufficient.

 - PAM - delegate the username lookup to a PAM module, which opens
   the door to many options including things like SQL/LDAP lookups.

A later series that follows will integrate this framework into the VNC,
NBD, migration, and character device servers.

Daniel P. Berrangé (8):
  util: add helper APIs for dealing with inotify
  hw/usb: switch MTP to use new inotify APIs
  authz: add QAuthZ object as an authorization base class
  authz: add QAuthZSimple object type for trivial auth checks
  authz: add QAuthZList object type for an access control list
  authz: add QAuthZListFile object type for a file access control list
  authz: add QAuthZPAM object type for authorizing using PAM
  authz: delete existing ACL implementation

 .gitignore |   4 +
 MAINTAINERS|  14 ++
 Makefile   |  17 +-
 Makefile.objs  |  10 ++
 Makefile.target|   2 +
 authz/Makefile.objs|   7 +
 authz/base.c   |  82 +
 authz/list.c   | 315 +
 authz/listfile.c   | 252 ++
 authz/pam.c| 149 
 authz/simple.c | 122 +
 authz/trace-events |  18 ++
 configure  |  36 
 crypto/tlssession.c|  35 ++--
 crypto/trace-events|   2 +-
 hw/usb/dev-mtp.c   | 238 ++---
 include/authz/base.h   | 112 
 include/authz/list.h   | 106 +++
 include/authz/listfile.h   | 104 +++
 include/authz/pam.h|  84 +
 include/authz/simple.h |  81 +
 include/qemu/acl.h |  66 ---
 include/qemu/inotify.h |  49 +
 monitor.c  | 180 ---
 qapi/authz.json|  58 ++
 qapi/qapi-schema.json  |   1 +
 qom/object.c   |  12 +-
 qom/object_interfaces.c|  16 +-
 tests/.gitignore   |   1 +
 tests/Makefile.include |   8 +-
 tests/test-authz-list.c| 171 ++
 tests/test-crypto-tlssession.c |  15 +-
 tests/test-io-channel-tls.c|  16 +-
 ui/vnc-auth-sasl.c |  23 ++-
 ui/vnc-auth-sasl.h |   5 +-
 ui/vnc-auth-vencrypt.c |   2 +-
 ui/vnc-ws.c|   2 +-
 ui/vnc.c   |  37 ++--
 ui/vnc.h   |   4 +-
 util/Makefile.objs |   2 +-
 util/acl.c | 179 ---
 util/inotify.c | 138 +++
 42 files changed, 2258 insertions(+), 517 deletions(-)
 create mode 100644 authz/Makefile.objs
 create mode 100644 authz/base.c
 create mode 100644 authz/list.c
 create mode 100644 authz/listfile.c
 create mode 100644 authz/pam.c
 create mode 100644 authz/simple.c
 create mode 100644 authz/trace-events
 create mode 100644 include/authz/base.h
 create mode 100644 include/authz/list.h
 create mode 100644 include/authz/listfile.h
 create mode 100644 include/authz/pam.h
 create mode 100644 include/authz/simple.h
 delete mode 100644 include/qemu/acl.h
 create mode 100644 include/qemu/inotify.h
 create mode 100644 qapi/authz.json
 create mode 100644 tests/test-authz-list.c
 delete mode 100644 util/acl.c
 create mode 100644 util/inotify.c

-- 
2.17.0

Re: [Qemu-devel] [PATCH 0/8] Add a standard authorization framework

[Qemu-devel] [PATCH 0/8] Add a standard authorization framework

2 matches

Site Navigation

Mail list logo

Footer information