Message ID | 20180620121423.16979-2-berrange@redhat.com |
---|---|
State | New |
Headers | show |
Series | Add authorization support to all network services | expand |
On 06/20/2018 07:14 AM, Daniel P. Berrangé wrote: > From: "Daniel P. Berrange" <berrange@redhat.com> > > Currently any client which can complete the TLS handshake is able to use > the NBD server. The server admin can turn on the 'verify-peer' option > for the x509 creds to require the client to provide a x509 certificate. > This means the client will have to acquire a certificate from the CA > before they are permitted to use the NBD server. This is still a fairly > low bar to cross. > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > takes the ID of a previously added 'QAuthZ' object instance. This will > be used to validate the client's x509 distinguished name. Clients > failing the authorization check will not be permitted to use the NBD > server. > > For example to setup authorization that only allows connection from a client > whose x509 certificate distinguished name is > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB Is the space in O= intentional? > > use: > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > endpoint=server,verify-peer=yes \ > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > O=Example Org,,L=London,,ST=London,,C=GB \ you need shell quoting to preserve the space. Also, the indentation breaks the intent that these long lines are single arguments, not separate arguments. > --tls-creds tls0 \ > --tls-authz authz0 > ....other qemu-nbd args... Is it also worth a sample command line using JSON syntax? > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > --- > include/block/nbd.h | 2 +- > nbd/server.c | 10 +++++----- > qemu-nbd.c | 13 ++++++++++++- > qemu-nbd.texi | 4 ++++ > 4 files changed, 22 insertions(+), 7 deletions(-) > Reviewed-by: Eric Blake <eblake@redhat.com>
On Wed, Jun 20, 2018 at 08:58:40AM -0500, Eric Blake wrote: > On 06/20/2018 07:14 AM, Daniel P. Berrangé wrote: > > From: "Daniel P. Berrange" <berrange@redhat.com> > > > > Currently any client which can complete the TLS handshake is able to use > > the NBD server. The server admin can turn on the 'verify-peer' option > > for the x509 creds to require the client to provide a x509 certificate. > > This means the client will have to acquire a certificate from the CA > > before they are permitted to use the NBD server. This is still a fairly > > low bar to cross. > > > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > > takes the ID of a previously added 'QAuthZ' object instance. This will > > be used to validate the client's x509 distinguished name. Clients > > failing the authorization check will not be permitted to use the NBD > > server. > > > > For example to setup authorization that only allows connection from a client > > whose x509 certificate distinguished name is > > > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > Is the space in O= intentional? Yes it really does have a space, though perhaps for sake of illustration I'll remove the space. > > > > > use: > > > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > > endpoint=server,verify-peer=yes \ > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > > O=Example Org,,L=London,,ST=London,,C=GB \ > > you need shell quoting to preserve the space. Also, the indentation breaks > the intent that these long lines are single arguments, not separate > arguments. Yeah I'll definitely remove the space, because it just makes this more confusing than needed. I know the \ isn't really supposed to separate args, but I don't see a nicer way to format it for a commit message while respecting line length. I figured people would understand what I meant, but the fact that I've indented the second line to vertically align. > > > --tls-creds tls0 \ > > --tls-authz authz0 > > ....other qemu-nbd args... > > Is it also worth a sample command line using JSON syntax? Probably overkill for the commit message IMHO. > > > > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > > --- > > include/block/nbd.h | 2 +- > > nbd/server.c | 10 +++++----- > > qemu-nbd.c | 13 ++++++++++++- > > qemu-nbd.texi | 4 ++++ > > 4 files changed, 22 insertions(+), 7 deletions(-) > > > > Reviewed-by: Eric Blake <eblake@redhat.com> > > -- > Eric Blake, Principal Software Engineer > Red Hat, Inc. +1-919-301-3266 > Virtualization: qemu.org | libvirt.org Regards, Daniel
* Daniel P. Berrangé (berrange@redhat.com) wrote: > From: "Daniel P. Berrange" <berrange@redhat.com> > > Currently any client which can complete the TLS handshake is able to use > the NBD server. The server admin can turn on the 'verify-peer' option > for the x509 creds to require the client to provide a x509 certificate. > This means the client will have to acquire a certificate from the CA > before they are permitted to use the NBD server. This is still a fairly > low bar to cross. > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > takes the ID of a previously added 'QAuthZ' object instance. This will > be used to validate the client's x509 distinguished name. Clients > failing the authorization check will not be permitted to use the NBD > server. > > For example to setup authorization that only allows connection from a client > whose x509 certificate distinguished name is > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > use: > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > endpoint=server,verify-peer=yes \ > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > O=Example Org,,L=London,,ST=London,,C=GB \ I'm confused about how that gets parsed, what differentiates the ,s that separate the arguments (e.g. ,id= ,identity=) and the ,s that separate the options within the identity string (e.g. the ,ST=London) Would: --object authz-simple,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB,id=auth0 be equivalent? Dave > --tls-creds tls0 \ > --tls-authz authz0 > ....other qemu-nbd args... > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > --- > include/block/nbd.h | 2 +- > nbd/server.c | 10 +++++----- > qemu-nbd.c | 13 ++++++++++++- > qemu-nbd.texi | 4 ++++ > 4 files changed, 22 insertions(+), 7 deletions(-) > > diff --git a/include/block/nbd.h b/include/block/nbd.h > index fcdcd54502..80ea9d240c 100644 > --- a/include/block/nbd.h > +++ b/include/block/nbd.h > @@ -307,7 +307,7 @@ void nbd_export_close_all(void); > void nbd_client_new(NBDExport *exp, > QIOChannelSocket *sioc, > QCryptoTLSCreds *tlscreds, > - const char *tlsaclname, > + const char *tlsauthz, > void (*close_fn)(NBDClient *, bool)); > void nbd_client_get(NBDClient *client); > void nbd_client_put(NBDClient *client); > diff --git a/nbd/server.c b/nbd/server.c > index 9e1f227178..4f10f08dc0 100644 > --- a/nbd/server.c > +++ b/nbd/server.c > @@ -100,7 +100,7 @@ struct NBDClient { > > NBDExport *exp; > QCryptoTLSCreds *tlscreds; > - char *tlsaclname; > + char *tlsauthz; > QIOChannelSocket *sioc; /* The underlying data channel */ > QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */ > > @@ -677,7 +677,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client, > > tioc = qio_channel_tls_new_server(ioc, > client->tlscreds, > - client->tlsaclname, > + client->tlsauthz, > errp); > if (!tioc) { > return NULL; > @@ -1250,7 +1250,7 @@ void nbd_client_put(NBDClient *client) > if (client->tlscreds) { > object_unref(OBJECT(client->tlscreds)); > } > - g_free(client->tlsaclname); > + g_free(client->tlsauthz); > if (client->exp) { > QTAILQ_REMOVE(&client->exp->clients, client, next); > nbd_export_put(client->exp); > @@ -2140,7 +2140,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) > void nbd_client_new(NBDExport *exp, > QIOChannelSocket *sioc, > QCryptoTLSCreds *tlscreds, > - const char *tlsaclname, > + const char *tlsauthz, > void (*close_fn)(NBDClient *, bool)) > { > NBDClient *client; > @@ -2153,7 +2153,7 @@ void nbd_client_new(NBDExport *exp, > if (tlscreds) { > object_ref(OBJECT(client->tlscreds)); > } > - client->tlsaclname = g_strdup(tlsaclname); > + client->tlsauthz = g_strdup(tlsauthz); > client->sioc = sioc; > object_ref(OBJECT(client->sioc)); > client->ioc = QIO_CHANNEL(sioc); > diff --git a/qemu-nbd.c b/qemu-nbd.c > index 51b9d38c72..c0c9c805c0 100644 > --- a/qemu-nbd.c > +++ b/qemu-nbd.c > @@ -52,6 +52,7 @@ > #define QEMU_NBD_OPT_TLSCREDS 261 > #define QEMU_NBD_OPT_IMAGE_OPTS 262 > #define QEMU_NBD_OPT_FORK 263 > +#define QEMU_NBD_OPT_TLSAUTHZ 264 > > #define MBR_SIZE 512 > > @@ -66,6 +67,7 @@ static int shared = 1; > static int nb_fds; > static QIONetListener *server; > static QCryptoTLSCreds *tlscreds; > +static const char *tlsauthz; > > static void usage(const char *name) > { > @@ -355,7 +357,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, > nb_fds++; > nbd_update_server_watch(); > nbd_client_new(newproto ? NULL : exp, cioc, > - tlscreds, NULL, nbd_client_closed); > + tlscreds, tlsauthz, nbd_client_closed); > } > > static void nbd_update_server_watch(void) > @@ -533,6 +535,7 @@ int main(int argc, char **argv) > { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, > { "trace", required_argument, NULL, 'T' }, > { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, > + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, > { NULL, 0, NULL, 0 } > }; > int ch; > @@ -755,6 +758,9 @@ int main(int argc, char **argv) > g_free(trace_file); > trace_file = trace_opt_parse(optarg); > break; > + case QEMU_NBD_OPT_TLSAUTHZ: > + tlsauthz = optarg; > + break; > case QEMU_NBD_OPT_FORK: > fork_process = true; > break; > @@ -819,6 +825,11 @@ int main(int argc, char **argv) > error_get_pretty(local_err)); > exit(EXIT_FAILURE); > } > + } else { > + if (tlsauthz) { > + error_report("--tls-authz is not permitted without --tls-creds"); > + exit(EXIT_FAILURE); > + } > } > > if (disconnect) { > diff --git a/qemu-nbd.texi b/qemu-nbd.texi > index 9a84e81eed..7f9503cf05 100644 > --- a/qemu-nbd.texi > +++ b/qemu-nbd.texi > @@ -91,6 +91,10 @@ of the TLS credentials object previously created with the --object > option. > @item --fork > Fork off the server process and exit the parent once the server is running. > +@item --tls-authz=ID > +Specify the ID of a qauthz object previously created with the > +--object option. This will be used to authorize connecting users > +against their x509 distinguished name. > @item -v, --verbose > Display extra debugging information > @item -h, --help > -- > 2.17.0 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Wed, Jun 20, 2018 at 03:22:53PM +0100, Dr. David Alan Gilbert wrote: > * Daniel P. Berrangé (berrange@redhat.com) wrote: > > From: "Daniel P. Berrange" <berrange@redhat.com> > > > > Currently any client which can complete the TLS handshake is able to use > > the NBD server. The server admin can turn on the 'verify-peer' option > > for the x509 creds to require the client to provide a x509 certificate. > > This means the client will have to acquire a certificate from the CA > > before they are permitted to use the NBD server. This is still a fairly > > low bar to cross. > > > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > > takes the ID of a previously added 'QAuthZ' object instance. This will > > be used to validate the client's x509 distinguished name. Clients > > failing the authorization check will not be permitted to use the NBD > > server. > > > > For example to setup authorization that only allows connection from a client > > whose x509 certificate distinguished name is > > > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > > > use: > > > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > > endpoint=server,verify-peer=yes \ > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > > O=Example Org,,L=London,,ST=London,,C=GB \ > > I'm confused about how that gets parsed, what differentiates the ,s > that separate the arguments (e.g. ,id= ,identity=) and the ,s that > separate the options within the identity string (e.g. the ,ST=London) That's why I've doubled up - eg ',,' must be used when you need to include a literal ',' in a value without it being interpreted as starting a new option > Would: > --object authz-simple,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB,id=auth0 > > be equivalent? Yes Regards, Daniel
On 06/20/2018 09:22 AM, Dr. David Alan Gilbert wrote: >> For example to setup authorization that only allows connection from a client >> whose x509 certificate distinguished name is >> >> CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB >> >> use: >> >> qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ >> endpoint=server,verify-peer=yes \ >> --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ >> O=Example Org,,L=London,,ST=London,,C=GB \ > > I'm confused about how that gets parsed, what differentiates the ,s > that separate the arguments (e.g. ,id= ,identity=) and the ,s that > separate the options within the identity string (e.g. the ,ST=London) > Would: > --object authz-simple,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB,id=auth0 > > be equivalent? Yes, once you take care of quoting the space and unfolding indentation. Our standard QemuOpt parser treats ',,' as a literal comma, and all other ',' as separating args. So either form is ultimately parsed as: --object [type=]"authz-simple" id="auth0" identity="CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB"
* Daniel P. Berrangé (berrange@redhat.com) wrote: > On Wed, Jun 20, 2018 at 03:22:53PM +0100, Dr. David Alan Gilbert wrote: > > * Daniel P. Berrangé (berrange@redhat.com) wrote: > > > From: "Daniel P. Berrange" <berrange@redhat.com> > > > > > > Currently any client which can complete the TLS handshake is able to use > > > the NBD server. The server admin can turn on the 'verify-peer' option > > > for the x509 creds to require the client to provide a x509 certificate. > > > This means the client will have to acquire a certificate from the CA > > > before they are permitted to use the NBD server. This is still a fairly > > > low bar to cross. > > > > > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > > > takes the ID of a previously added 'QAuthZ' object instance. This will > > > be used to validate the client's x509 distinguished name. Clients > > > failing the authorization check will not be permitted to use the NBD > > > server. > > > > > > For example to setup authorization that only allows connection from a client > > > whose x509 certificate distinguished name is > > > > > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > > > > > use: > > > > > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > > > endpoint=server,verify-peer=yes \ > > > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > > > O=Example Org,,L=London,,ST=London,,C=GB \ > > > > I'm confused about how that gets parsed, what differentiates the ,s > > that separate the arguments (e.g. ,id= ,identity=) and the ,s that > > separate the options within the identity string (e.g. the ,ST=London) > > That's why I've doubled up - eg ',,' must be used when you need to > include a literal ',' in a value without it being interpreted as > starting a new option OK, yeh I forgot about the obscure double-comma rule. > > Would: > > --object authz-simple,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB,id=auth0 > > > > be equivalent? > > Yes OK. Dave > > > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/include/block/nbd.h b/include/block/nbd.h index fcdcd54502..80ea9d240c 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -307,7 +307,7 @@ void nbd_export_close_all(void); void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)); void nbd_client_get(NBDClient *client); void nbd_client_put(NBDClient *client); diff --git a/nbd/server.c b/nbd/server.c index 9e1f227178..4f10f08dc0 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -100,7 +100,7 @@ struct NBDClient { NBDExport *exp; QCryptoTLSCreds *tlscreds; - char *tlsaclname; + char *tlsauthz; QIOChannelSocket *sioc; /* The underlying data channel */ QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */ @@ -677,7 +677,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client, tioc = qio_channel_tls_new_server(ioc, client->tlscreds, - client->tlsaclname, + client->tlsauthz, errp); if (!tioc) { return NULL; @@ -1250,7 +1250,7 @@ void nbd_client_put(NBDClient *client) if (client->tlscreds) { object_unref(OBJECT(client->tlscreds)); } - g_free(client->tlsaclname); + g_free(client->tlsauthz); if (client->exp) { QTAILQ_REMOVE(&client->exp->clients, client, next); nbd_export_put(client->exp); @@ -2140,7 +2140,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)) { NBDClient *client; @@ -2153,7 +2153,7 @@ void nbd_client_new(NBDExport *exp, if (tlscreds) { object_ref(OBJECT(client->tlscreds)); } - client->tlsaclname = g_strdup(tlsaclname); + client->tlsauthz = g_strdup(tlsauthz); client->sioc = sioc; object_ref(OBJECT(client->sioc)); client->ioc = QIO_CHANNEL(sioc); diff --git a/qemu-nbd.c b/qemu-nbd.c index 51b9d38c72..c0c9c805c0 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS 262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 #define MBR_SIZE 512 @@ -66,6 +67,7 @@ static int shared = 1; static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; +static const char *tlsauthz; static void usage(const char *name) { @@ -355,7 +357,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, nb_fds++; nbd_update_server_watch(); nbd_client_new(newproto ? NULL : exp, cioc, - tlscreds, NULL, nbd_client_closed); + tlscreds, tlsauthz, nbd_client_closed); } static void nbd_update_server_watch(void) @@ -533,6 +535,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 } }; int ch; @@ -755,6 +758,9 @@ int main(int argc, char **argv) g_free(trace_file); trace_file = trace_opt_parse(optarg); break; + case QEMU_NBD_OPT_TLSAUTHZ: + tlsauthz = optarg; + break; case QEMU_NBD_OPT_FORK: fork_process = true; break; @@ -819,6 +825,11 @@ int main(int argc, char **argv) error_get_pretty(local_err)); exit(EXIT_FAILURE); } + } else { + if (tlsauthz) { + error_report("--tls-authz is not permitted without --tls-creds"); + exit(EXIT_FAILURE); + } } if (disconnect) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 9a84e81eed..7f9503cf05 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -91,6 +91,10 @@ of the TLS credentials object previously created with the --object option. @item --fork Fork off the server process and exit the parent once the server is running. +@item --tls-authz=ID +Specify the ID of a qauthz object previously created with the +--object option. This will be used to authorize connecting users +against their x509 distinguished name. @item -v, --verbose Display extra debugging information @item -h, --help