Re: [Qemu-devel] [PATCH v3 5/6] vnc: allow specifying a custom authorization object name


From: Juan Quintela
Subject: Re: [Qemu-devel] [PATCH v3 5/6] vnc: allow specifying a custom authorization object name
Date: Mon, 05 Nov 2018 15:21:48 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Daniel P. Berrangé <address@hidden> wrote:
> From: "Daniel P. Berrange" <address@hidden>
>
> The VNC server has historically had support for ACLs to check both the
> SASL username and the TLS x509 distinguished name. The VNC server was
> responsible for creating the initial ACL, and the client app was then
> responsible for populating it with rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is no way to
> populate the ACLs from the command line, users are forced to use the
> HMP. With multiple network services all supporting TLS and ACLs now, it
> is desirable to be able to define a single ACL that is referenced by all
> services.
>
> To address these limitations, two new options are added to the VNC
> server CLI. The 'tls-authz' option takes the ID of a QAuthZ object to
> use for checking TLS x509 distinguished names, and the 'sasl-authz'
> option takes the ID of another object to use for checking SASL usernames.
>
> In this example, we set up two authorization rules. The first allows any
> client with a certificate issued by the 'RedHat' organization in the
> 'London' locality. The second ACL allows clients with either the
> 'address@hidden' or 'address@hidden' kerberos usernames. Both checks
> must pass for the user to be allowed.
>
>     $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                   endpoint=server,verify-peer=yes \
>           -object authz-simple,id=authz0,policy=deny,\
>                   rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
>           -object authz-simple,id=authz1,policy=deny,\
>                   address@hidden,rules.0.policy=allow \
>                   address@hidden,rules.0.policy=allow \
>           -vnc 0.0.0.0:1,tls-creds=tls0,tls-authz=authz0,
>              sasl,sasl-authz=authz1 \
>           ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange <address@hidden>

Reviewed-by: Juan Quintela <address@hidden>
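To make the two-stage check in the quoted example concrete, here is a small Python model added for this page; it is not QEMU's code and is not part of the thread. It parses `-object authz-simple,...` option strings (including the `,,` escape that the example uses to put a literal comma inside the `O=RedHat,,L=London` match value), builds the two authorization objects, and applies them the way the commit message describes: the TLS distinguished name must be allowed by `tls-authz` and the SASL username by `sasl-authz`, and a client missing either identity fails. The matching semantics are assumptions made here, not stated on the page: a rule's `match` is compared for exact string equality, rules are tried in order and the first match decides, and the object's default `policy` applies when nothing matches. The usernames and the second option string are constructed for the example, since the page has them redacted.

```python
"""Model of the VNC server's combined tls-authz / sasl-authz check.

Illustration written for this page, not QEMU's own implementation.
Assumptions (not stated in the commit message):
  * a rule's 'match' is compared for exact string equality;
  * rules are tried in order and the first matching rule decides;
  * with no matching rule, the object's default 'policy' applies.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed option strings in the shape of the quoted -object arguments.
# The DN rule is the one from the page; the SASL identities are made up
# because the page redacts them.
TLS_AUTHZ_OPTS = ("authz-simple,id=authz0,policy=deny,"
                  "rules.0.match=O=RedHat,,L=London,rules.0.policy=allow")
SASL_AUTHZ_OPTS = ("authz-simple,id=authz1,policy=deny,"
                   "rules.0.match=fred@EXAMPLE.COM,rules.0.policy=allow,"
                   "rules.1.match=bob@EXAMPLE.COM,rules.1.policy=allow")


def split_qemu_opts(optstr: str) -> List[str]:
    """Split on commas, treating ',,' as an escaped literal comma."""
    parts: List[str] = []
    cur = ""
    i = 0
    while i < len(optstr):
        ch = optstr[i]
        if ch == ",":
            if i + 1 < len(optstr) and optstr[i + 1] == ",":
                cur += ","          # escaped comma inside a value
                i += 2
                continue
            parts.append(cur)       # field separator
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    return parts


def parse_object_opts(optstr: str) -> Dict[str, str]:
    """Turn '<type>,key=value,...' into a dict; the bare leading token is the type."""
    opts: Dict[str, str] = {}
    for part in split_qemu_opts(optstr):
        if "=" not in part:
            opts["qom-type"] = part
            continue
        key, _, value = part.partition("=")   # split on the FIRST '=' only,
        opts[key] = value                      # so 'O=RedHat' survives intact
    return opts


@dataclass
class AuthZ:
    """An authorization object: ordered (match, policy) rules plus a default."""
    default_policy: str
    rules: List[Tuple[str, str]] = field(default_factory=list)

    @classmethod
    def from_opts(cls, optstr: str) -> "AuthZ":
        opts = parse_object_opts(optstr)
        indices = sorted({int(k.split(".")[1]) for k in opts if k.startswith("rules.")})
        rules = [(opts[f"rules.{n}.match"], opts[f"rules.{n}.policy"]) for n in indices]
        return cls(default_policy=opts["policy"], rules=rules)

    def is_allowed(self, identity: str) -> bool:
        for match, policy in self.rules:      # first matching rule wins (assumed)
            if match == identity:
                return policy == "allow"
        return self.default_policy == "allow"  # fall back to the default policy


def vnc_client_allowed(tls_authz: AuthZ, sasl_authz: AuthZ,
                       x509_dn: Optional[str], sasl_username: Optional[str]) -> bool:
    """Both checks must pass; a client lacking either identity is rejected."""
    if x509_dn is None or not tls_authz.is_allowed(x509_dn):
        return False
    if sasl_username is None or not sasl_authz.is_allowed(sasl_username):
        return False
    return True


if __name__ == "__main__":
    tls = AuthZ.from_opts(TLS_AUTHZ_OPTS)
    sasl = AuthZ.from_opts(SASL_AUTHZ_OPTS)
    for dn, user in [("O=RedHat,L=London", "fred@EXAMPLE.COM"),
                     ("O=RedHat,L=London", "mallory@EXAMPLE.COM"),
                     ("O=RedHat,L=Paris", "fred@EXAMPLE.COM"),
                     (None, "fred@EXAMPLE.COM")]:
        print(dn, user, "->", "allow" if vnc_client_allowed(tls, sasl, dn, user) else "deny")
```

The point worth keeping in mind when writing real rules is the escaping: because `,` is the option separator, a DN match such as `O=RedHat,L=London` has to be written as `O=RedHat,,L=London` on the command line, exactly as the quoted example does, or the parser will read `L=London` as a separate option key.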


