From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH 2/6] nbd: allow authorization with nbd-server-start QMP command
Date: Tue, 19 Jun 2018 15:10:12 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
On 06/15/2018 10:50 AM, Daniel P. Berrangé wrote:
From: "Daniel P. Berrange" <address@hidden>

As with the previous patch to qemu-nbd, the nbd-server-start QMP command also needs to be able to specify authorization when enabling TLS encryption. First the client must create a QAuthZ object instance using the 'object-add' command:

{ 'execute': 'object-add',
  'arguments': {
    'qom-type': 'authz-simple',
    'id': 'authz0',
    'parameters': {
      'policy': 'deny',
      'rules': [
        { 'match': '*CN=fred', 'policy': 'allow' }
      ]
    }
  }
}

They can then reference this in the new 'tls-authz' parameter when executing the 'nbd-server-start' command:

{ 'execute': 'nbd-server-start',
  'arguments': {
    'addr': { 'type': 'inet', 'host': '127.0.0.1', 'port': '9000' },
    'tls-creds': 'tls0',
    'tls-authz': 'authz0'
  }
}
Is it worth using a discriminated union (string vs. QAuthZ) so that one could specify the authz policy inline rather than as a separate object, for convenience? But that would be fine as a followup patch, if we even want it.
Signed-off-by: Daniel P. Berrange <address@hidden>
---
 blockdev-nbd.c      | 14 +++++++++++---
 hmp.c               |  2 +-
 include/block/nbd.h |  2 +-
 qapi/block.json     |  4 +++-
 4 files changed, 16 insertions(+), 6 deletions(-)
@@ -118,6 +121,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, } }+ if (tls_authz) {+ nbd_server->tlsauthz = g_strdup(tls_authz); + }
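Review bot: nothing in this hunk rejects a tls-authz that is passed without tls-creds; the id is just copied into nbd_server->tlsauthz. Unless nbd_server_start() already catches that combination elsewhere, the authorization object would be stored and then silently never applied because no TLS handshake ever produces an identity to check, so consider failing the command (error_setg) when tls_authz is set and tls_creds is not.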
Pointless 'if'; g_strdup() does the right thing.
+++ b/qapi/block.json @@ -197,6 +197,7 @@ # # @addr: Address on which to listen. # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6 +# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13
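Review bot: the new @tls-authz line in qapi/block.json says what the value is but not what it applies to or what happens when it is omitted; suggest stating that the object is only consulted for connections protected by @tls-creds, that it is matched against the identity from the client's TLS credentials (the commit message's '*CN=fred' rule), and what the default is when the parameter is absent (presumably the existing behaviour of accepting any client that completes the TLS handshake), so that a user does not assume the option alone restricts access.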
No need for the string '(optional)' (I thought we killed those uses when we automated the documentation generation - but obviously a few were left behind).
s/2.13/3.0/

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
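The object-add / nbd-server-start sequence from the commit message, as an added example rather than code from the patch or from QEMU: a small Python client that builds the two commands and drives them, in order, against a constructed stand-in for the QMP peer (FakeQmpPeer, authz_add_cmd, nbd_start_cmd and run_sequence are all assumed names, and the stand-in models only the ordering rule, not QEMU's real checks). It shows why the authz object must exist before the server references it, and refuses tls-authz without tls-creds on the client side.

```python
import json

def authz_add_cmd(authz_id, rules, default_policy="deny"):
    """object-add for an authz object, in the shape the commit message shows."""
    return {"execute": "object-add",
            "arguments": {"qom-type": "authz-simple", "id": authz_id,
                          "parameters": {"policy": default_policy,
                                         "rules": rules}}}

def nbd_start_cmd(host, port, tls_creds=None, tls_authz=None):
    """nbd-server-start; the client refuses tls-authz without tls-creds,
    since authorization only takes effect on a TLS-protected server."""
    if tls_authz is not None and tls_creds is None:
        raise ValueError("tls-authz requires tls-creds")
    args = {"addr": {"type": "inet", "host": host, "port": str(port)}}
    if tls_creds is not None:
        args["tls-creds"] = tls_creds
    if tls_authz is not None:
        args["tls-authz"] = tls_authz
    return {"execute": "nbd-server-start", "arguments": args}

class FakeQmpPeer:
    """Constructed stand-in for the QMP server side (not QEMU's own logic):
    records object-add ids and rejects an nbd-server-start whose tls-authz
    names an id it has not seen, i.e. the ordering the commit message requires."""

    def __init__(self):
        self.objects = set()

    def send(self, line):
        cmd = json.loads(line)  # QMP carries one JSON command per message
        args = cmd.get("arguments", {})
        if cmd["execute"] == "object-add":
            self.objects.add(args["id"])
        elif cmd["execute"] == "nbd-server-start":
            authz = args.get("tls-authz")
            if authz is not None and authz not in self.objects:
                return json.dumps({"error": {"class": "GenericError",
                                   "desc": "unknown authz object " + authz}})
        return json.dumps({"return": {}})

def run_sequence(peer, commands):
    """Send commands in order and stop at the first error reply.
    Returns (number of commands that succeeded, error description or None)."""
    for done, cmd in enumerate(commands):
        reply = json.loads(peer.send(json.dumps(cmd)))
        if "error" in reply:
            return done, reply["error"]["desc"]
    return len(commands), None
```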