Re: [Qemu-devel] [PATCH v6 06/11] authz: add QAuthZ object as an authori

qemu-devel
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v6 06/11] authz: add QAuthZ object as an authori

From:	Marc-André Lureau
Subject:	Re: [Qemu-devel] [PATCH v6 06/11] authz: add QAuthZ object as an authorization base class
Date:	Thu, 8 Nov 2018 02:23:55 +0400
On Fri, Oct 19, 2018 at 5:46 PM Daniel P. Berrangé <address@hidden> wrote:
>
> From: "Daniel P. Berrange" <address@hidden>
>
> The current qemu_acl module provides a simple access control list
> facility inside QEMU, which is used via a set of monitor commands
> acl_show, acl_policy, acl_add, acl_remove & acl_reset.
>
> Note there is no ability to create ACLs - the network services (eg VNC
> server) were expected to create ACLs that they want to check.
>
> There is also no way to define ACLs on the command line, nor potentially
> integrate with external authorization systems like polkit, pam, ldap
> lookup, etc.
>
> The QAuthZ object defines a minimal abstract QOM class that can be
> subclassed for creating different authorization providers.
>
> Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
> Tested-by: Philippe Mathieu-Daudé <address@hidden>
> Signed-off-by: Daniel P. Berrange <address@hidden>

Reviewed-by: Marc-André Lureau <address@hidden>

> ---
>  Makefile             |  10 ++--
>  Makefile.objs        |   6 +++
>  Makefile.target      |   2 +
>  include/authz/base.h | 112 +++++++++++++++++++++++++++++++++++++++++++
>  authz/base.c         |  82 +++++++++++++++++++++++++++++++
>  MAINTAINERS          |   7 +++
>  authz/Makefile.objs  |   1 +
>  authz/trace-events   |   4 ++
>  8 files changed, 220 insertions(+), 4 deletions(-)
>  create mode 100644 include/authz/base.h
>  create mode 100644 authz/base.c
>  create mode 100644 authz/Makefile.objs
>  create mode 100644 authz/trace-events
>
> diff --git a/Makefile b/Makefile
> index f2947186a4..4b20ee2b19 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -412,6 +412,7 @@ endif
>
>  dummy := $(call unnest-vars,, \
>                  stub-obj-y \
> +                authz-obj-y \
>                  chardev-obj-y \
>                  util-obj-y \
>                  qga-obj-y \
> @@ -474,6 +475,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx 
> $(SRC_PATH)/scripts/hxtool
>  SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
>  SOFTMMU_SUBDIR_RULES=$(filter %-softmmu,$(SUBDIR_RULES))
>
> +$(SOFTMMU_SUBDIR_RULES): $(authz-obj-y)
>  $(SOFTMMU_SUBDIR_RULES): $(block-obj-y)
>  $(SOFTMMU_SUBDIR_RULES): $(crypto-obj-y)
>  $(SOFTMMU_SUBDIR_RULES): $(io-obj-y)
> @@ -536,9 +538,9 @@ COMMON_LDADDS = libqemuutil.a
>
>  qemu-img.o: qemu-img-cmds.h
>
> -qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
> $(qom-obj-y) $(COMMON_LDADDS)
> -qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
> $(qom-obj-y) $(COMMON_LDADDS)
> -qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
> $(qom-obj-y) $(COMMON_LDADDS)
> +qemu-img$(EXESUF): qemu-img.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y) 
> $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
> +qemu-nbd$(EXESUF): qemu-nbd.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y) 
> $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
> +qemu-io$(EXESUF): qemu-io.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y) 
> $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
>
>  qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o $(COMMON_LDADDS)
>
> @@ -549,7 +551,7 @@ qemu-edid$(EXESUF): qemu-edid.o 
> hw/display/edid-generate.o $(COMMON_LDADDS)
>  fsdev/virtfs-proxy-helper$(EXESUF): fsdev/virtfs-proxy-helper.o 
> fsdev/9p-marshal.o fsdev/9p-iov-marshal.o $(COMMON_LDADDS)
>  fsdev/virtfs-proxy-helper$(EXESUF): LIBS += -lcap
>
> -scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o 
> $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
> +scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o 
> $(authz-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
>  ifdef CONFIG_MPATH
>  scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmultipath -lmpathpersist
>  endif
> diff --git a/Makefile.objs b/Makefile.objs
> index 1e1ff387d7..ecb1071c4f 100644
> --- a/Makefile.objs
> +++ b/Makefile.objs
> @@ -62,6 +62,11 @@ util-obj-y += qapi/qapi-introspect.o
>
>  chardev-obj-y = chardev/
>
> +#######################################################################
> +# authz-obj-y is code used by both qemu system emulation and qemu-img
> +
> +authz-obj-y = authz/
> +
>  #######################################################################
>  # block-obj-y is code used by both qemu system emulation and qemu-img
>
> @@ -200,6 +205,7 @@ trace-events-subdirs =
>  trace-events-subdirs += accel/kvm
>  trace-events-subdirs += accel/tcg
>  trace-events-subdirs += audio
> +trace-events-subdirs += authz
>  trace-events-subdirs += block
>  trace-events-subdirs += chardev
>  trace-events-subdirs += crypto
> diff --git a/Makefile.target b/Makefile.target
> index 4d56298bbf..c08461726d 100644
> --- a/Makefile.target
> +++ b/Makefile.target
> @@ -172,6 +172,7 @@ include $(SRC_PATH)/Makefile.objs
>  dummy := $(call unnest-vars,,target-obj-y)
>  target-obj-y-save := $(target-obj-y)
>  dummy := $(call unnest-vars,.., \
> +               authz-obj-y \
>                 block-obj-y \
>                 block-obj-m \
>                 chardev-obj-y \
> @@ -185,6 +186,7 @@ target-obj-y := $(target-obj-y-save)
>  all-obj-y += $(common-obj-y)
>  all-obj-y += $(target-obj-y)
>  all-obj-y += $(qom-obj-y)
> +all-obj-$(CONFIG_SOFTMMU) += $(authz-obj-y)
>  all-obj-$(CONFIG_SOFTMMU) += $(block-obj-y) $(chardev-obj-y)
>  all-obj-$(CONFIG_USER_ONLY) += $(crypto-aes-obj-y)
>  all-obj-$(CONFIG_SOFTMMU) += $(crypto-obj-y)
> diff --git a/include/authz/base.h b/include/authz/base.h
> new file mode 100644
> index 0000000000..77dcd54c4c
> --- /dev/null
> +++ b/include/authz/base.h
> @@ -0,0 +1,112 @@
> +/*
> + * QEMU authorization framework base class
> + *
> + * Copyright (c) 2018 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see 
> <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef QAUTHZ_BASE_H__
> +#define QAUTHZ_BASE_H__
> +
> +#include "qemu-common.h"
> +#include "qapi/error.h"
> +#include "qom/object.h"
> +
> +
> +#define TYPE_QAUTHZ "authz"
> +
> +#define QAUTHZ_CLASS(klass) \
> +     OBJECT_CLASS_CHECK(QAuthZClass, (klass), \
> +                        TYPE_QAUTHZ)
> +#define QAUTHZ_GET_CLASS(obj) \
> +     OBJECT_GET_CLASS(QAuthZClass, (obj), \
> +                      TYPE_QAUTHZ)
> +#define QAUTHZ(obj) \
> +     INTERFACE_CHECK(QAuthZ, (obj), \
> +                     TYPE_QAUTHZ)
> +
> +typedef struct QAuthZ QAuthZ;
> +typedef struct QAuthZClass QAuthZClass;
> +
> +/**
> + * QAuthZ:
> + *
> + * The QAuthZ class defines an API contract to be used
> + * for providing an authorization driver for services
> + * with user identities.
> + */
> +
> +struct QAuthZ {
> +    Object parent_obj;
> +};
> +
> +
> +struct QAuthZClass {
> +    ObjectClass parent_class;
> +
> +    bool (*is_allowed)(QAuthZ *authz,
> +                       const char *identity,
> +                       Error **errp);
> +};
> +
> +
> +/**
> + * qauthz_is_allowed:
> + * @authz: the authorization object
> + * @identity: the user identity to authorize
> + * @errp: pointer to a NULL initialized error object
> + *
> + * Check if a user @identity is authorized. If an error
> + * occurs this method will return false to indicate
> + * denial, as well as setting @errp to contain the details.
> + * Callers are recommended to treat the denial and error
> + * scenarios identically. Specifically the error info in
> + * @errp should never be fed back to the user being
> + * authorized, it is merely for benefit of administrator
> + * debugging.
> + *
> + * Returns: true if @identity is authorized, false if denied or if
> + * an error occurred.
> + */
> +bool qauthz_is_allowed(QAuthZ *authz,
> +                       const char *identity,
> +                       Error **errp);
> +
> +
> +/**
> + * qauthz_is_allowed_by_id:
> + * @authzid: ID of the authorization object
> + * @identity: the user identity to authorize
> + * @errp: pointer to a NULL initialized error object
> + *
> + * Check if a user @identity is authorized. If an error
> + * occurs this method will return false to indicate
> + * denial, as well as setting @errp to contain the details.
> + * Callers are recommended to treat the denial and error
> + * scenarios identically. Specifically the error info in
> + * @errp should never be fed back to the user being
> + * authorized, it is merely for benefit of administrator
> + * debugging.
> + *
> + * Returns: true if @identity is authorized, false if denied or if
> + * an error occurred.
> + */
> +bool qauthz_is_allowed_by_id(const char *authzid,
> +                             const char *identity,
> +                             Error **errp);
> +
> +#endif /* QAUTHZ_BASE_H__ */
> +
> diff --git a/authz/base.c b/authz/base.c
> new file mode 100644
> index 0000000000..110dfa4195
> --- /dev/null
> +++ b/authz/base.c
> @@ -0,0 +1,82 @@
> +/*
> + * QEMU authorization framework base class
> + *
> + * Copyright (c) 2018 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see 
> <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "qemu/osdep.h"
> +#include "authz/base.h"
> +#include "authz/trace.h"
> +
> +bool qauthz_is_allowed(QAuthZ *authz,
> +                       const char *identity,
> +                       Error **errp)
> +{
> +    QAuthZClass *cls = QAUTHZ_GET_CLASS(authz);
> +    bool allowed;
> +
> +    allowed = cls->is_allowed(authz, identity, errp);
> +    trace_qauthz_is_allowed(authz, identity, allowed);
> +
> +    return allowed;
> +}
> +
> +
> +bool qauthz_is_allowed_by_id(const char *authzid,
> +                             const char *identity,
> +                             Error **errp)
> +{
> +    QAuthZ *authz;
> +    Object *obj;
> +    Object *container;
> +
> +    container = object_get_objects_root();
> +    obj = object_resolve_path_component(container,
> +                                        authzid);
> +    if (!obj) {
> +        error_setg(errp, "Cannot find QAuthZ object ID %s",
> +                   authzid);
> +        return false;
> +    }
> +
> +    if (!object_dynamic_cast(obj, TYPE_QAUTHZ)) {
> +        error_setg(errp, "Object '%s' is not a QAuthZ subclass",
> +                   authzid);
> +        return false;
> +    }
> +
> +    authz = QAUTHZ(obj);
> +
> +    return qauthz_is_allowed(authz, identity, errp);
> +}
> +
> +
> +static const TypeInfo authz_info = {
> +    .parent = TYPE_OBJECT,
> +    .name = TYPE_QAUTHZ,
> +    .instance_size = sizeof(QAuthZ),
> +    .class_size = sizeof(QAuthZClass),
> +    .abstract = true,
> +};
> +
> +static void qauthz_register_types(void)
> +{
> +    type_register_static(&authz_info);
> +}
> +
> +type_init(qauthz_register_types)
> +
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 29bbcf8c25..9624734923 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1857,6 +1857,13 @@ F: io/
>  F: include/io/
>  F: tests/test-io-*
>
> +User authorization
> +M: Daniel P. Berrange <address@hidden>
> +S: Maintained
> +F: authz/
> +F: include/authz/
> +F: tests/test-authz-*
> +
>  Sockets
>  M: Daniel P. Berrange <address@hidden>
>  M: Gerd Hoffmann <address@hidden>
> diff --git a/authz/Makefile.objs b/authz/Makefile.objs
> new file mode 100644
> index 0000000000..12597c9528
> --- /dev/null
> +++ b/authz/Makefile.objs
> @@ -0,0 +1 @@
> +authz-obj-y += base.o
> diff --git a/authz/trace-events b/authz/trace-events
> new file mode 100644
> index 0000000000..481c90f511
> --- /dev/null
> +++ b/authz/trace-events
> @@ -0,0 +1,4 @@
> +# See docs/devel/tracing.txt for syntax documentation.
> +
> +# authz/base.c
> +qauthz_is_allowed(void *authz, const char *identity, bool allowed) "AuthZ %p 
> check identity=%s allowed=%d"
> --
> 2.17.2
>
>


--
Marc-André Lureau
[Prev in Thread]
Current Thread
[Next in Thread]
Re: [Qemu-devel] [PATCH v6 06/11] authz: add QAuthZ object as an authorization base class, Marc-André Lureau <=
Prev by Date: Re: [Qemu-devel] [PATCH v6 08/11] authz: add QAuthZList object type for an access control list
Next by Date: Re: [Qemu-devel] [PATCH v6 08/11] authz: add QAuthZList object type for an access control list
Previous by thread: Re: [Qemu-devel] [PATCH v6 08/11] authz: add QAuthZList object type for an access control list
Next by thread: Re: [Qemu-devel] [PATCH V4 3/5] hw/misc/pvpanic: Add the MMIO interface
Index(es):
- Date
- Thread