From nobody Thu Nov 6 03:12:38 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1539091455869307.32460105193377; Tue, 9 Oct 2018 06:24:15 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 046855F724; Tue, 9 Oct 2018 13:24:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AE54D1001F5E; Tue, 9 Oct 2018 13:24:13 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5476818005B1; Tue, 9 Oct 2018 13:24:13 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w99DOBDo002640 for ; Tue, 9 Oct 2018 09:24:11 -0400 Received: by smtp.corp.redhat.com (Postfix) id D31D86A96E; Tue, 9 Oct 2018 13:24:11 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id 78A0D6A943; Tue, 9 Oct 2018 13:23:57 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Tue, 9 Oct 2018 14:23:27 +0100 Message-Id: <20181009132330.7549-4-berrange@redhat.com> In-Reply-To: <20181009132330.7549-1-berrange@redhat.com> References: <20181009132330.7549-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Cc: Kevin Wolf , qemu-block@nongnu.org, Juan Quintela , libvir-list@redhat.com, Max Reitz , Gerd Hoffmann , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Paolo Bonzini , "Dr. David Alan Gilbert" Subject: [libvirt] [PATCH v3 3/6] migration: add support for a "tls-authz" migration parameter X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 09 Oct 2018 13:24:14 +0000 (UTC) X-ZohoMail: RDMRC_0 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" The QEMU instance that runs as the server for the migration data transport (ie the target QEMU) needs to be able to configure access control so it can prevent unauthorized clients initiating an incoming migration. This adds a new 'tls-authz' migration parameter that is used to provide the QOM ID of a QAuthZ subclass instance that provides the access control check. This is checked against the x509 certificate obtained during the TLS handshake. For example, when starting a QEMU for incoming migration, it is possible to give an example identity of the source QEMU that is intended to be connecting later: $QEMU \ -monitor stdio \ -incoming defer \ ...other args... (qemu) object_add tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutls,\ endpoint=3Dserver,verify-peer=3Dyes \ (qemu) object_add authz-simple,id=3Dauth0,identity=3DCN=3Dlaptop.example.= com,,\ O=3DExample Org,,L=3DLondon,,ST=3DLondon,,C=3DGB \ (qemu) migrate_incoming tcp:localhost:9000 Signed-off-by: Daniel P. Berrange Reviewed-by: Juan Quintela --- hmp.c | 9 +++++++++ migration/migration.c | 8 ++++++++ migration/tls.c | 2 +- qapi/migration.json | 14 +++++++++++++- 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/hmp.c b/hmp.c index 7fc5a6502f..52ee5e5444 100644 --- a/hmp.c +++ b/hmp.c @@ -396,6 +396,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QD= ict *qdict) monitor_printf(mon, "%s: %" PRIu64 "\n", MigrationParameter_str(MIGRATION_PARAMETER_MAX_POSTCOPY_BANDWI= DTH), params->max_postcopy_bandwidth); + monitor_printf(mon, " %s: '%s'\n", + MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ), + params->has_tls_authz ? params->tls_authz : ""); } =20 qapi_free_MigrationParameters(params); @@ -1702,6 +1705,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const Q= Dict *qdict) p->tls_hostname->type =3D QTYPE_QSTRING; visit_type_str(v, param, &p->tls_hostname->u.s, &err); break; + case MIGRATION_PARAMETER_TLS_AUTHZ: + p->has_tls_authz =3D true; + p->tls_authz =3D g_new0(StrOrNull, 1); + p->tls_authz->type =3D QTYPE_QSTRING; + visit_type_str(v, param, &p->tls_authz->u.s, &err); + break; case MIGRATION_PARAMETER_MAX_BANDWIDTH: p->has_max_bandwidth =3D true; /* diff --git a/migration/migration.c b/migration/migration.c index d6ae879dc8..f8d0251885 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -685,6 +685,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error= **errp) params->tls_creds =3D g_strdup(s->parameters.tls_creds); params->has_tls_hostname =3D true; params->tls_hostname =3D g_strdup(s->parameters.tls_hostname); + params->has_tls_authz =3D true; + params->tls_authz =3D g_strdup(s->parameters.tls_authz); params->has_max_bandwidth =3D true; params->max_bandwidth =3D s->parameters.max_bandwidth; params->has_downtime_limit =3D true; @@ -1188,6 +1190,12 @@ static void migrate_params_apply(MigrateSetParameter= s *params, Error **errp) s->parameters.tls_hostname =3D g_strdup(params->tls_hostname->u.s); } =20 + if (params->has_tls_authz) { + g_free(s->parameters.tls_authz); + assert(params->tls_authz->type =3D=3D QTYPE_QSTRING); + s->parameters.tls_authz =3D g_strdup(params->tls_authz->u.s); + } + if (params->has_max_bandwidth) { s->parameters.max_bandwidth =3D params->max_bandwidth; if (s->to_dst_file) { diff --git a/migration/tls.c b/migration/tls.c index 3b9e8c9263..5171afc6c4 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationStat= e *s, =20 tioc =3D qio_channel_tls_new_server( ioc, creds, - NULL, /* XXX pass ACL name */ + s->parameters.tls_authz, errp); if (!tioc) { return; diff --git a/qapi/migration.json b/qapi/migration.json index 6e8c21258a..9c656effb0 100644 --- a/qapi/migration.json +++ b/qapi/migration.json @@ -519,6 +519,12 @@ # hostname must be provided so that the server's x509 # certificate identity can be validated. (Since 2.7) # +# @tls-authz: ID of the 'authz' object subclass that provides access contr= ol +# checking of the TLS x509 certificate distinguished name. +# This object is only resolved at time of use, so can be delet= ed +# and recreated on the fly while the migration server is activ= e. +# If missing, it will default to denying access (Since 3.1) +# # @max-bandwidth: to set maximum speed for migration. maximum speed in # bytes per second. (Since 2.8) # @@ -560,7 +566,7 @@ 'data': ['compress-level', 'compress-threads', 'decompress-threads', 'compress-wait-thread', 'cpu-throttle-initial', 'cpu-throttle-increment', - 'tls-creds', 'tls-hostname', 'max-bandwidth', + 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth', 'downtime-limit', 'x-checkpoint-delay', 'block-incremental', 'x-multifd-channels', 'x-multifd-page-count', 'xbzrle-cache-size', 'max-postcopy-bandwidth', @@ -658,6 +664,7 @@ '*cpu-throttle-increment': 'int', '*tls-creds': 'StrOrNull', '*tls-hostname': 'StrOrNull', + '*tls-authz': 'StrOrNull', '*max-bandwidth': 'int', '*downtime-limit': 'int', '*x-checkpoint-delay': 'int', @@ -727,6 +734,10 @@ # associated with the migration URI, if any. (Since 2.9) # Note: 2.8 reports this by omitting tls-hostname instead. # +# @tls-authz: ID of the 'authz' object subclass that provides access contr= ol +# checking of the TLS x509 certificate distinguished name. (Si= nce +# 3.1) +# # @max-bandwidth: to set maximum speed for migration. maximum speed in # bytes per second. (Since 2.8) # @@ -774,6 +785,7 @@ '*cpu-throttle-increment': 'uint8', '*tls-creds': 'str', '*tls-hostname': 'str', + '*tls-authz': 'str', '*max-bandwidth': 'size', '*downtime-limit': 'uint64', '*x-checkpoint-delay': 'uint32', --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list