From: "Daniel P. Berrange" <berrange@redhat.com>
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
  {
    'execute': 'object-add',
    'arguments': {
      'qom-type': 'authz-simple',
      'id': 'authz0',
      'parameters': {
        'policy': 'deny',
        'rules': [
          {
            'match': '*CN=fred',
            'policy': 'allow'
          }
        ]
      }
    }
  }
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
  {
    'execute': 'nbd-server-start',
    'arguments': {
      'addr': {
        'type': 'inet',
        'host': '127.0.0.1',
        'port': '9000'
      },
      'tls-creds': 'tls0',
      'tls-authz': 'authz0'
    }
  }
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
blockdev-nbd.c | 14 +++++++++++---
hmp.c | 2 +-
include/block/nbd.h | 2 +-
qapi/block.json | 4 +++-
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index 65a84739ed..1ef2989118 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -23,6 +23,7 @@
typedef struct NBDServerData {
QIONetListener *listener;
QCryptoTLSCreds *tlscreds;
+ char *tlsauthz;
} NBDServerData;
static NBDServerData *nbd_server;
@@ -37,7 +38,8 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
{
qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
nbd_client_new(NULL, cioc,
- nbd_server->tlscreds, NULL,
+ nbd_server->tlscreds,
+ nbd_server->tlsauthz,
nbd_blockdev_client_closed);
}
@@ -53,6 +55,7 @@ static void nbd_server_free(NBDServerData *server)
if (server->tlscreds) {
object_unref(OBJECT(server->tlscreds));
}
+ g_free(server->tlsauthz);
g_free(server);
}
@@ -88,7 +91,7 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
- Error **errp)
+ const char *tls_authz, Error **errp)
{
if (nbd_server) {
error_setg(errp, "NBD server already running");
@@ -118,6 +121,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
}
}
+ if (tls_authz) {
+ nbd_server->tlsauthz = g_strdup(tls_authz);
+ }
+
qio_net_listener_set_client_func(nbd_server->listener,
nbd_accept,
NULL,
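Review bot: nothing in this hunk rejects a tls_authz given without tls_creds, so on a plaintext listener the parameter is silently stored and has no effect (there is no TLS identity to authorize); an error_setg(errp, "tls-authz requires tls-creds") in the new block would stop a caller from believing access control is in place when it is not. Separately, the id is only copied with g_strdup() rather than resolved the way nbd_get_tls_creds() resolves tls_creds, so a misspelled or not-yet-created authz object is not detected at nbd-server-start time but only once a client connects; looking the object up here would fail early.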
@@ -132,11 +139,12 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
void qmp_nbd_server_start(SocketAddressLegacy *addr,
bool has_tls_creds, const char *tls_creds,
+ bool has_tls_authz, const char *tls_authz,
Error **errp)
{
SocketAddress *addr_flat = socket_address_flatten(addr);
- nbd_server_start(addr_flat, tls_creds, errp);
+ nbd_server_start(addr_flat, tls_creds, tls_authz, errp);
qapi_free_SocketAddress(addr_flat);
}
diff --git a/hmp.c b/hmp.c
index ef93f4878b..74e18db103 100644
--- a/hmp.c
+++ b/hmp.c
@@ -2214,7 +2214,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
goto exit;
}
- nbd_server_start(addr, NULL, &local_err);
+ nbd_server_start(addr, NULL, NULL, &local_err);
qapi_free_SocketAddress(addr);
if (local_err != NULL) {
goto exit;
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 80ea9d240c..8a8ae8c3a7 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -313,7 +313,7 @@ void nbd_client_get(NBDClient *client);
void nbd_client_put(NBDClient *client);
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
- Error **errp);
+ const char *tls_authz, Error **errp);
/* nbd_read
diff --git a/qapi/block.json b/qapi/block.json
index c694524002..8c7cc9b798 100644
--- a/qapi/block.json
+++ b/qapi/block.json
@@ -197,6 +197,7 @@
#
# @addr: Address on which to listen.
# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
+# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13
#
# Returns: error if the server is already running.
#
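Review bot: the new @tls-authz doc line should state that it only takes effect when @tls-creds is also given, since the commit message describes it as authorization "when enabling TLS encryption" but a reader of the schema alone cannot tell whether it also applies to plaintext connections; the "(optional)" prefix is redundant with the '*' in the member name, and the "Since" version needs to match the release the feature actually lands in (the reply in this thread gives 3.0).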
@@ -204,7 +205,8 @@
##
{ 'command': 'nbd-server-start',
'data': { 'addr': 'SocketAddressLegacy',
- '*tls-creds': 'str'} }
+ '*tls-creds': 'str',
+ '*tls-authz': 'str'} }
##
# @nbd-server-add:
--
2.17.0
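The two-step QMP procedure from the commit message, as an added example that is not part of the patch or of QEMU: a minimal QMP client performs the greeting and qmp_capabilities handshake, creates the 'authz-simple' object with 'object-add', then issues 'nbd-server-start' with both 'tls-creds' and 'tls-authz', surfacing an 'error' reply (such as the "server already running" case the schema documents) as an exception. It also models the '*CN=fred' rule locally to show which client identities the policy admits. Assumptions: QEMU's QMP unix socket path (QMP_SOCKET), that a TLS credentials object 'tls0' already exists, and that the rule 'match' is a shell-style glob over the client certificate's distinguished name; the object-add parameters mirror the commit message and may differ in later QEMU releases, so check the QAuthZ types your build provides. The canned replies and the scripted session are constructed so the example runs offline.

```python
"""Enable a TLS-authorized NBD server over QMP (added example, not QEMU code).
Assumes a QMP unix socket at QMP_SOCKET, an existing tls-creds object 'tls0',
and that an authz-simple 'match' is a glob over the client certificate's DN."""
import fnmatch
import io
import json
import socket

QMP_SOCKET = "/tmp/qmp.sock"   # assumed path of the -qmp unix socket


class QMPError(RuntimeError):
    """Raised for a QMP 'error' reply or a transport problem."""


class QMPClient:
    """Minimal QMP client: line-delimited JSON; greeting, qmp_capabilities, commands."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile
        if "QMP" not in self._recv():
            raise QMPError("no QMP greeting")
        self.execute("qmp_capabilities")    # leave capabilities negotiation mode

    @classmethod
    def connect(cls, path=QMP_SOCKET):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(path)
        return cls(sock.makefile("rb"), sock.makefile("wb"))

    def _recv(self):
        line = self.rfile.readline()
        if not line:
            raise QMPError("connection closed")
        return json.loads(line)

    def execute(self, command, arguments=None):
        msg = {"execute": command}
        if arguments:
            msg["arguments"] = arguments
        self.wfile.write((json.dumps(msg) + "\n").encode())
        self.wfile.flush()
        while True:
            reply = self._recv()
            if "event" in reply:            # async events may interleave; skip them
                continue
            if "error" in reply:            # e.g. "NBD server already running"
                err = reply["error"]
                raise QMPError("%s: %s" % (err.get("class"), err.get("desc")))
            return reply["return"]


def authz_object_args(obj_id, allowed_dn_globs):
    """object-add arguments: default deny, allow only the listed DN patterns."""
    return {
        "qom-type": "authz-simple",
        "id": obj_id,
        "parameters": {
            "policy": "deny",
            "rules": [{"match": g, "policy": "allow"} for g in allowed_dn_globs],
        },
    }


def nbd_server_start_args(host, port, tls_creds, tls_authz):
    """nbd-server-start arguments; the legacy address form carries port as a string."""
    return {
        "addr": {"type": "inet", "host": host, "port": str(port)},
        "tls-creds": tls_creds,
        "tls-authz": tls_authz,
    }


def start_authorized_nbd_server(client, allowed_dn_globs, host="127.0.0.1", port=9000):
    """Create the authz object first; nbd-server-start then references it by id."""
    client.execute("object-add", authz_object_args("authz0", allowed_dn_globs))
    client.execute("nbd-server-start",
                   nbd_server_start_args(host, port, "tls0", "authz0"))


def is_allowed(rules, default_policy, identity):
    """Local model of the policy (assumed glob semantics): first match wins, else default."""
    for rule in rules:
        if fnmatch.fnmatchcase(identity, rule["match"]):
            return rule["policy"] == "allow"
    return default_policy == "allow"


GREETING = {"QMP": {"version": {}, "capabilities": []}}   # constructed QEMU replies
OK = {"return": {}}


def scripted_session(replies):
    """Drive start_authorized_nbd_server() against canned replies, offline;
    returns the commands the client sent, in order."""
    rfile = io.BytesIO(b"".join(json.dumps(r).encode() + b"\n" for r in replies))
    wfile = io.BytesIO()
    start_authorized_nbd_server(QMPClient(rfile, wfile), ["*CN=fred"])
    return [json.loads(line) for line in wfile.getvalue().splitlines()]


if __name__ == "__main__":
    for cmd in scripted_session([GREETING, OK, OK, OK]):
        print(json.dumps(cmd))
```

Against a live guest, replace the scripted files with `QMPClient.connect()`. The local model makes the security point of the rule visible: '*CN=fred' admits any certificate whose DN ends in CN=fred, issued by any CA that 'tls0' trusts, and rejects a DN where CN=fred is not the final component, so the authz object narrows which trusted identities may connect but does not replace restricting the CA in the TLS credentials.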
On 06/15/2018 10:50 AM, Daniel P. Berrangé wrote:
> From: "Daniel P. Berrange" <berrange@redhat.com>
>
> As with the previous patch to qemu-nbd, the nbd-server-start QMP command
> also needs to be able to specify authorization when enabling TLS encryption.
>
> First the client must create a QAuthZ object instance using the
> 'object-add' command:
>
>   {
>     'execute': 'object-add',
>     'arguments': {
>       'qom-type': 'authz-simple',
>       'id': 'authz0',
>       'parameters': {
>         'policy': 'deny',
>         'rules': [
>           {
>             'match': '*CN=fred',
>             'policy': 'allow'
>           }
>         ]
>       }
>     }
>   }
>
> They can then reference this in the new 'tls-authz' parameter when
> executing the 'nbd-server-start' command:
>
>   {
>     'execute': 'nbd-server-start',
>     'arguments': {
>       'addr': {
>         'type': 'inet',
>         'host': '127.0.0.1',
>         'port': '9000'
>       },
>       'tls-creds': 'tls0',
>       'tls-authz': 'authz0'
>     }
>   }
Is it worth using a discriminated union (string vs. QAuthZ) so that one
could specify the authz policy inline rather than as a separate object,
for convenience? But that would be fine as a followup patch, if we even
want it.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> blockdev-nbd.c | 14 +++++++++++---
> hmp.c | 2 +-
> include/block/nbd.h | 2 +-
> qapi/block.json | 4 +++-
> 4 files changed, 16 insertions(+), 6 deletions(-)
>
> @@ -118,6 +121,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
> }
> }
>
> + if (tls_authz) {
> + nbd_server->tlsauthz = g_strdup(tls_authz);
> + }
Pointless 'if'; g_strdup() does the right thing.
> +++ b/qapi/block.json
> @@ -197,6 +197,7 @@
> #
> # @addr: Address on which to listen.
> # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
> +# @tls-authz: (optional) ID of the QAuthZ authorization object. Since 2.13
No need for the string '(optional)' (I thought we killed those uses when
we automated the documentation generation - but obviously a few were
left behind).
s/2.13/3.0/
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
On Tue, Jun 19, 2018 at 03:10:12PM -0500, Eric Blake wrote:
> On 06/15/2018 10:50 AM, Daniel P. Berrangé wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >
> > As with the previous patch to qemu-nbd, the nbd-server-start QMP command
> > also needs to be able to specify authorization when enabling TLS encryption.
> >
> > First the client must create a QAuthZ object instance using the
> > 'object-add' command:
> >
> >   {
> >     'execute': 'object-add',
> >     'arguments': {
> >       'qom-type': 'authz-simple',
> >       'id': 'authz0',
> >       'parameters': {
> >         'policy': 'deny',
> >         'rules': [
> >           {
> >             'match': '*CN=fred',
> >             'policy': 'allow'
> >           }
> >         ]
> >       }
> >     }
> >   }
> >
> > They can then reference this in the new 'tls-authz' parameter when
> > executing the 'nbd-server-start' command:
> >
> >   {
> >     'execute': 'nbd-server-start',
> >     'arguments': {
> >       'addr': {
> >         'type': 'inet',
> >         'host': '127.0.0.1',
> >         'port': '9000'
> >       },
> >       'tls-creds': 'tls0',
> >       'tls-authz': 'authz0'
> >     }
> >   }
>
> Is it worth using a discriminated union (string vs. QAuthZ) so that one
> could specify the authz policy inline rather than as a separate object, for
> convenience? But that would be fine as a followup patch, if we even want
> it.
QAuthZ isn't a QAPI type - it's a QOM object interface, so you'd have to
allow the entire object_add arg set inline, and then validate the QOM type
you received after the fact actually implemented the interface. Also for
migration at least it is likely the single authz impl will be shared for
both migration + nbd services. So I think it's cleaner just to keep it
separate to avoid having 2 distinct codepaths for handling the same thing.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|