Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization

From:	Eric Blake
Subject:	Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients
Date:	Wed, 20 Jun 2018 09:28:58 -0500
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 06/20/2018 09:22 AM, Dr. David Alan Gilbert wrote:

For example to setup authorization that only allows connection from a client
whose x509 certificate distinguished name is

    CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB

use:

   qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                     endpoint=server,verify-peer=yes \
            --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
                     O=Example Org,,L=London,,ST=London,,C=GB \


I'm confused about how that gets parsed, what differentiates the ,s
that separate the arguments (e.g. ,id=  ,identity=) and the ,s that
separate the options within the identity string (e.g. the ,ST=London)
Would:
   --object authz-simple,identity=CN=laptop.example.com,,O=Example 
Org,,L=London,,ST=London,,C=GB,id=auth0

be equivalent?

Yes, once you take care of quoting the space and unfolding indentation.Our standard QemuOpt parser treats ',,' as a literal comma, and allother ',' as separating args. So either form is ultimately parsed as:


--object
  [type=]"authz-simple"
  id="auth0"
  identity="CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB"

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v2 0/6] Add authorization support to all network services, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Daniel P . Berrangé, 2018/06/20
  - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Eric Blake, 2018/06/20
    - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Daniel P . Berrangé, 2018/06/20
  - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Dr. David Alan Gilbert, 2018/06/20
    - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Daniel P . Berrangé, 2018/06/20
    - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Dr. David Alan Gilbert, 2018/06/20
    - Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients, Eric Blake <=
- [Qemu-devel] [PATCH v2 2/6] nbd: allow authorization with nbd-server-start QMP command, Daniel P . Berrangé, 2018/06/20
  - Re: [Qemu-devel] [PATCH v2 2/6] nbd: allow authorization with nbd-server-start QMP command, Eric Blake, 2018/06/20
    - Re: [Qemu-devel] [PATCH v2 2/6] nbd: allow authorization with nbd-server-start QMP command, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v2 3/6] migration: add support for a "tls-authz" migration parameter, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v2 4/6] chardev: add support for authorization for TLS clients, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v2 6/6] monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v2 5/6] vnc: allow specifying a custom authorization object name, Daniel P . Berrangé, 2018/06/20

Prev by Date: Re: [Qemu-devel] bug in reopen arch
Next by Date: Re: [Qemu-devel] [PATCH v3 1/2] kvm: support -dedicated cpu-pm=on|off
Previous by thread: Re: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients
Next by thread: [Qemu-devel] [PATCH v2 2/6] nbd: allow authorization with nbd-server-start QMP command
Index(es):
- Date
- Thread