
Re: [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-st


From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-start QMP command
Date: Tue, 19 Jun 2018 15:10:12 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 06/15/2018 10:50 AM, Daniel P. Berrangé wrote:
From: "Daniel P. Berrange" <address@hidden>

As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.

First the client must create a QAuthZ object instance using the
'object-add' command:

    {
      'execute': 'object-add',
      'arguments': {
        'qom-type': 'authz-simple',
        'id': 'authz0',
        'parameters': {
          'policy': 'deny',
          'rules': [
            {
              'match': '*CN=fred',
              'policy': 'allow'
            }
          ]
        }
      }
    }

They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:

    {
      'execute': 'nbd-server-start',
      'arguments': {
        'addr': {
            'type': 'inet',
            'host': '127.0.0.1',
            'port': '9000'
        },
        'tls-creds': 'tls0',
        'tls-authz': 'authz0'
      }
    }

Is it worth using a discriminated union (string vs. QAuthZ) so that one could specify the authz policy inline rather than as a separate object, for convenience? But that would be fine as a followup patch, if we even want it.


Signed-off-by: Daniel P. Berrange <address@hidden>
---
  blockdev-nbd.c      | 14 +++++++++++---
  hmp.c               |  2 +-
  include/block/nbd.h |  2 +-
  qapi/block.json     |  4 +++-
  4 files changed, 16 insertions(+), 6 deletions(-)


@@ -118,6 +121,10 @@ void nbd_server_start(SocketAddress *addr, const char 
*tls_creds,
          }
      }
+ if (tls_authz) {
+        nbd_server->tlsauthz = g_strdup(tls_authz);
+    }
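Review bot: the `if (tls_authz)` guard around `nbd_server->tlsauthz = g_strdup(tls_authz);` is redundant, since g_strdup() of a NULL pointer returns NULL, so the assignment can be unconditional; the quoted hunks also do not show the matching g_free() of tlsauthz on the server-stop path, which the 14-line blockdev-nbd.c diffstat presumably covers but a reviewer should confirm before merging.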

Pointless 'if'; g_strdup() does the right thing.

+++ b/qapi/block.json
@@ -197,6 +197,7 @@
  #
  # @addr: Address on which to listen.
  # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
+# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13
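Review bot: the new line `# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13` should drop the literal '(optional)', which the generated QAPI documentation already expresses for optional members, and its 'Since' tag must name the release the series actually lands in; the adjacent `@tls-creds` line carries the same stale '(optional)' text and could be cleaned up in the same hunk.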

No need for the string '(optional)' (I thought we killed those uses when we automated the documentation generation - but obviously a few were left behind).

s/2.13/3.0/

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
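The two-step QMP sequence from the quoted commit message (object-add the authz object, then nbd-server-start referencing it), as an added example that is neither Daniel's patch nor QEMU's own code: a small Python QMP client that issues the commands in the required order and fails on an error reply, driven against a constructed in-process stand-in for QEMU so it runs offline. The argument names ('authz-simple', 'parameters', 'rules', 'tls-authz') are taken from the patch description, and the 'tls0' credentials object is assumed to exist already.

```python
import json, socket, threading

class QmpClient:
    """Minimal line-oriented QMP client over a connected socket (added example, not QEMU code)."""
    def __init__(self, sock):
        self.f = sock.makefile("rwb", buffering=0)
        self.greeting = self._recv()          # QEMU sends a {"QMP": ...} banner first
        self.execute("qmp_capabilities")      # leave capabilities-negotiation mode

    def _recv(self):
        return json.loads(self.f.readline())  # b'' on EOF raises a JSONDecodeError

    def execute(self, command, arguments=None):
        self.f.write((json.dumps({"execute": command, "arguments": arguments or {}}) + "\n").encode())
        while True:
            resp = self._recv()
            if "event" in resp:               # async events interleave with replies; skip them
                continue
            if "error" in resp:               # e.g. nbd-server-start naming an authz id never added
                raise RuntimeError(resp["error"].get("desc", "unknown QMP error"))
            return resp["return"]

def authz_simple_args(obj_id, allowed_dn):
    # object-add arguments as in the patch description: deny by default, allow a single x509 DN
    return {"qom-type": "authz-simple", "id": obj_id,
            "parameters": {"policy": "deny",
                           "rules": [{"match": allowed_dn, "policy": "allow"}]}}

def start_authz_nbd_server(client, host, port, creds_id, authz_id, allowed_dn):
    # the authz object must exist before nbd-server-start references it by id
    client.execute("object-add", authz_simple_args(authz_id, allowed_dn))
    return client.execute("nbd-server-start",
                          {"addr": {"type": "inet", "host": host, "port": str(port)},
                           "tls-creds": creds_id, "tls-authz": authz_id})

def _fake_qemu(sock, seen):
    # constructed stand-in for QEMU: logs each command name and answers every one with {}
    f = sock.makefile("rwb", buffering=0)
    f.write(b'{"QMP": {"version": {}, "capabilities": []}}\n')
    for line in f:
        seen.append(json.loads(line)["execute"])
        f.write(b'{"return": {}}\n')

def demo():
    ours, theirs, seen = *socket.socketpair(), []
    threading.Thread(target=_fake_qemu, args=(theirs, seen), daemon=True).start()
    client = QmpClient(ours)
    start_authz_nbd_server(client, "127.0.0.1", 9000, "tls0", "authz0", "*CN=fred")
    client.f.close(); ours.close()
    return seen                               # command order the fake QEMU observed
```

Against a real QEMU, connect a socket to the monitor's QMP endpoint and pass it to QmpClient instead of calling demo().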


