From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 4/4] ui, monitor: remove deprecated VNC ACL option and HMP commands
Date: Fri, 19 Feb 2021 18:45:56 +0000
Message-Id: <20210219184556.154972-5-berrange@redhat.com>
In-Reply-To: <20210219184556.154972-1-berrange@redhat.com>
References: <20210219184556.154972-1-berrange@redhat.com>
Cc: libvir-list@redhat.com, Gerd Hoffmann , "Dr. David Alan Gilbert"

The VNC ACL concept has been replaced by the pluggable "authz" framework
which does not use monitor commands.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Dr. David Alan Gilbert
---
 docs/system/deprecated.rst       |  16 ---
 docs/system/removed-features.rst |  13 +++
 hmp-commands.hx                  |  76 -------------
 monitor/misc.c                   | 187 -------------------------------
 ui/vnc.c                         |  38 -------
 5 files changed, 13 insertions(+), 317 deletions(-)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 57ff9f47cc..beed4b4f02 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -37,12 +37,6 @@ The 'file' driver for drives is no longer appropriate fo= r character or host devices and will only accept regular files (S_IFREG). The correct driver for these file types is 'host_cdrom' or 'host_device' as appropriate. =20 -``-vnc acl`` (since 4.0.0) -'''''''''''''''''''''''''' - -The ``acl`` option to the ``-vnc`` argument has been replaced -by the ``tls-authz`` and ``sasl-authz`` options. - ``QEMU_AUDIO_`` environment variables and ``-audio-help`` (since 4.0) ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' =20 @@ -262,16 +256,6 @@ Use the more generic commands ``block-export-add`` and= ``block-export-del`` instead. As part of this deprecation, where ``nbd-server-add`` used a single ``bitmap``, the new ``block-export-add`` uses a list of ``bitmaps``. =20 -Human Monitor Protocol (HMP) commands -------------------------------------- - -``acl_show``, ``acl_reset``, ``acl_policy``, ``acl_add``, ``acl_remove`` (= since 4.0.0) -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''= '''''''''''' - -The ``acl_show``, ``acl_reset``, ``acl_policy``, ``acl_add``, and -``acl_remove`` commands are deprecated with no replacement. Authorization -for VNC should be performed using the pluggable QAuthZ objects. - System emulator CPUS -------------------- =20 diff --git a/docs/system/removed-features.rst b/docs/system/removed-feature= s.rst index c8481cafbd..0424b9a89d 100644 --- a/docs/system/removed-features.rst +++ b/docs/system/removed-features.rst @@ -38,6 +38,12 @@ or ``-display default,show-cursor=3Don`` instead. QEMU 5.0 introduced an alternative syntax to specify the size of the trans= lation block cache, ``-accel tcg,tb-size=3D``. =20 +``-vnc acl`` (removed in 6.0) +''''''''''''''''''''''''''''' + +The ``acl`` option to the ``-vnc`` argument has been replaced +by the ``tls-authz`` and ``sasl-authz`` options. + QEMU Machine Protocol (QMP) commands ------------------------------------ =20 
@@ -79,6 +85,13 @@ documentation of ``query-hotpluggable-cpus`` for additio= nal details. No replacement. The ``change vnc password`` and ``change DEVICE MEDIUM`` commands are not affected. =20 +``acl_show``, ``acl_reset``, ``acl_policy``, ``acl_add``, ``acl_remove`` (= removed in 6.0) +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''= ''''''''''''''' + +The ``acl_show``, ``acl_reset``, ``acl_policy``, ``acl_add``, and +``acl_remove`` commands were removed with no replacement. Authorization +for VNC should be performed using the pluggable QAuthZ objects. + Guest Emulator ISAs ------------------- =20 diff --git a/hmp-commands.hx b/hmp-commands.hx index d4001f9c5d..b500b8526d 100644 --- a/hmp-commands.hx +++ b/hmp-commands.hx 
@@ -1433,82 +1433,6 @@ SRST Change watchdog action. ERST =20 - { - .name =3D "acl_show", - .args_type =3D "aclname:s", - .params =3D "aclname", - .help =3D "list rules in the access control list", - .cmd =3D hmp_acl_show, - }, - -SRST -``acl_show`` *aclname* - List all the matching rules in the access control list, and the default - policy. There are currently two named access control lists, - *vnc.x509dname* and *vnc.username* matching on the x509 client - certificate distinguished name, and SASL username respectively. -ERST - - { - .name =3D "acl_policy", - .args_type =3D "aclname:s,policy:s", - .params =3D "aclname allow|deny", - .help =3D "set default access control list policy", - .cmd =3D hmp_acl_policy, - }, - -SRST -``acl_policy`` *aclname* ``allow|deny`` - Set the default access control list policy, used in the event that - none of the explicit rules match. The default policy at startup is - always ``deny``. -ERST - - { - .name =3D "acl_add", - .args_type =3D "aclname:s,match:s,policy:s,index:i?", - .params =3D "aclname match allow|deny [index]", - .help =3D "add a match rule to the access control list", - .cmd =3D hmp_acl_add, - }, - -SRST -``acl_add`` *aclname* *match* ``allow|deny`` [*index*] - Add a match rule to the access control list, allowing or denying access. - The match will normally be an exact username or x509 distinguished name, - but can optionally include wildcard globs. eg ``*@EXAMPLE.COM`` to - allow all users in the ``EXAMPLE.COM`` kerberos realm. The match will - normally be appended to the end of the ACL, but can be inserted - earlier in the list if the optional *index* parameter is supplied. -ERST - - { - .name =3D "acl_remove", - .args_type =3D "aclname:s,match:s", - .params =3D "aclname match", - .help =3D "remove a match rule from the access control list", - .cmd =3D hmp_acl_remove, - }, - -SRST -``acl_remove`` *aclname* *match* - Remove the specified match rule from the access control list. 
-ERST - - { - .name =3D "acl_reset", - .args_type =3D "aclname:s", - .params =3D "aclname", - .help =3D "reset the access control list", - .cmd =3D hmp_acl_reset, - }, - -SRST -``acl_reset`` *aclname* - Remove all matches from the access control list, and set the default - policy back to ``deny``. -ERST - { .name =3D "nbd_server_start", .args_type =3D "all:-a,writable:-w,uri:s", diff --git a/monitor/misc.c b/monitor/misc.c index a7650ed747..d9ed2bacef 100644 --- a/monitor/misc.c +++ b/monitor/misc.c 
@@ -1045,193 +1045,6 @@ static void hmp_wavcapture(Monitor *mon, const QDic= t *qdict) QLIST_INSERT_HEAD (&capture_head, s, entries); } =20 -static QAuthZList *find_auth(Monitor *mon, const char *name) -{ - Object *obj; - Object *container; - - container =3D object_get_objects_root(); - obj =3D object_resolve_path_component(container, name); - if (!obj) { - monitor_printf(mon, "acl: unknown list '%s'\n", name); - return NULL; - } - - return QAUTHZ_LIST(obj); -} - -static bool warn_acl; -static void hmp_warn_acl(void) -{ - if (warn_acl) { - return; - } - error_report("The acl_show, acl_reset, acl_policy, acl_add, acl_remove= " - "commands are deprecated with no replacement. Authorizati= on " - "for VNC should be performed using the pluggable QAuthZ " - "objects"); - warn_acl =3D true; -} - -static void hmp_acl_show(Monitor *mon, const QDict *qdict) -{ - const char *aclname =3D qdict_get_str(qdict, "aclname"); - QAuthZList *auth =3D find_auth(mon, aclname); - QAuthZListRuleList *rules; - size_t i =3D 0; - - hmp_warn_acl(); - - if (!auth) { - return; - } - - monitor_printf(mon, "policy: %s\n", - QAuthZListPolicy_str(auth->policy)); - - rules =3D auth->rules; - while (rules) { - QAuthZListRule *rule =3D rules->value; - i++; - monitor_printf(mon, "%zu: %s %s\n", i, - QAuthZListPolicy_str(rule->policy), - rule->match); - rules =3D rules->next; - } -} - -static void hmp_acl_reset(Monitor *mon, const QDict *qdict) -{ - const char *aclname =3D qdict_get_str(qdict, "aclname"); - QAuthZList *auth =3D find_auth(mon, aclname); - - hmp_warn_acl(); - - if (!auth) { - return; - } - - auth->policy =3D QAUTHZ_LIST_POLICY_DENY; - qapi_free_QAuthZListRuleList(auth->rules); - auth->rules =3D NULL; - monitor_printf(mon, "acl: removed all rules\n"); -} - -static void hmp_acl_policy(Monitor *mon, const QDict *qdict) -{ - const char *aclname =3D qdict_get_str(qdict, "aclname"); - const char *policy =3D qdict_get_str(qdict, "policy"); - QAuthZList *auth =3D find_auth(mon, aclname); - int 
val; - Error *err =3D NULL; - - hmp_warn_acl(); - - if (!auth) { - return; - } - - val =3D qapi_enum_parse(&QAuthZListPolicy_lookup, - policy, - QAUTHZ_LIST_POLICY_DENY, - &err); - if (err) { - error_free(err); - monitor_printf(mon, "acl: unknown policy '%s', " - "expected 'deny' or 'allow'\n", policy); - } else { - auth->policy =3D val; - if (auth->policy =3D=3D QAUTHZ_LIST_POLICY_ALLOW) { - monitor_printf(mon, "acl: policy set to 'allow'\n"); - } else { - monitor_printf(mon, "acl: policy set to 'deny'\n"); - } - } -} - -static QAuthZListFormat hmp_acl_get_format(const char *match) -{ - if (strchr(match, '*')) { - return QAUTHZ_LIST_FORMAT_GLOB; - } else { - return QAUTHZ_LIST_FORMAT_EXACT; - } -} - -static void hmp_acl_add(Monitor *mon, const QDict *qdict) -{ - const char *aclname =3D qdict_get_str(qdict, "aclname"); - const char *match =3D qdict_get_str(qdict, "match"); - const char *policystr =3D qdict_get_str(qdict, "policy"); - int has_index =3D qdict_haskey(qdict, "index"); - int index =3D qdict_get_try_int(qdict, "index", -1); - QAuthZList *auth =3D find_auth(mon, aclname); - Error *err =3D NULL; - QAuthZListPolicy policy; - QAuthZListFormat format; - size_t i =3D 0; - - hmp_warn_acl(); - - if (!auth) { - return; - } - - policy =3D qapi_enum_parse(&QAuthZListPolicy_lookup, - policystr, - QAUTHZ_LIST_POLICY_DENY, - &err); - if (err) { - error_free(err); - monitor_printf(mon, "acl: unknown policy '%s', " - "expected 'deny' or 'allow'\n", policystr); - return; - } - - format =3D hmp_acl_get_format(match); - - if (has_index && index =3D=3D 0) { - monitor_printf(mon, "acl: unable to add acl entry\n"); - return; - } - - if (has_index) { - i =3D qauthz_list_insert_rule(auth, match, policy, - format, index - 1, &err); - } else { - i =3D qauthz_list_append_rule(auth, match, policy, - format, &err); - } - if (err) { - monitor_printf(mon, "acl: unable to add rule: %s", - error_get_pretty(err)); - error_free(err); - } else { - monitor_printf(mon, "acl: added rule at 
position %zu\n", i + 1); - } -} - -static void hmp_acl_remove(Monitor *mon, const QDict *qdict) -{ - const char *aclname =3D qdict_get_str(qdict, "aclname"); - const char *match =3D qdict_get_str(qdict, "match"); - QAuthZList *auth =3D find_auth(mon, aclname); - ssize_t i =3D 0; - - hmp_warn_acl(); - - if (!auth) { - return; - } - - i =3D qauthz_list_delete_rule(auth, match); - if (i >=3D 0) { - monitor_printf(mon, "acl: removed rule at position %zu\n", i + 1); - } else { - monitor_printf(mon, "acl: no matching acl entry\n"); - } -} - void qmp_getfd(const char *fdname, Error **errp) { Monitor *cur_mon =3D monitor_cur(); diff --git a/ui/vnc.c b/ui/vnc.c index 77e07ac351..5aea2652d4 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3485,9 +3485,6 @@ static QemuOptsList qemu_vnc_opts =3D { },{ .name =3D "sasl", .type =3D QEMU_OPT_BOOL, - },{ - .name =3D "acl", - .type =3D QEMU_OPT_BOOL, },{ .name =3D "tls-authz", .type =3D QEMU_OPT_STRING, @@ -3939,7 +3936,6 @@ void vnc_display_open(const char *id, Error **errp) bool reverse =3D false; const char *credid; bool sasl =3D false; - int acl =3D 0; const char *tlsauthz; const char *saslauthz; int lock_key_sync =3D 1; 
@@ -4031,29 +4027,13 @@ void vnc_display_open(const char *id, Error **errp) goto fail; } } - if (qemu_opt_get(opts, "acl")) { - error_report("The 'acl' option to -vnc is deprecated. " - "Please use the 'tls-authz' and 'sasl-authz' " - "options instead"); - } - acl =3D qemu_opt_get_bool(opts, "acl", false); tlsauthz =3D qemu_opt_get(opts, "tls-authz"); - if (acl && tlsauthz) { - error_setg(errp, "'acl' option is mutually exclusive with the " - "'tls-authz' option"); - goto fail; - } if (tlsauthz && !vd->tlscreds) { error_setg(errp, "'tls-authz' provided but TLS is not enabled"); goto fail; } =20 saslauthz =3D qemu_opt_get(opts, "sasl-authz"); - if (acl && saslauthz) { - error_setg(errp, "'acl' option is mutually exclusive with the " - "'sasl-authz' option"); - goto fail; - } if (saslauthz && !sasl) { error_setg(errp, "'sasl-authz' provided but SASL auth is not enabl= ed"); goto fail; @@ -4091,29 +4071,11 @@ void vnc_display_open(const char *id, Error **errp) =20 if (tlsauthz) { vd->tlsauthzid =3D g_strdup(tlsauthz); - } else if (acl) { - if (strcmp(vd->id, "default") =3D=3D 0) { - vd->tlsauthzid =3D g_strdup("vnc.x509dname"); - } else { - vd->tlsauthzid =3D g_strdup_printf("vnc.%s.x509dname", vd->id); - } - vd->tlsauthz =3D QAUTHZ(qauthz_list_new(vd->tlsauthzid, - QAUTHZ_LIST_POLICY_DENY, - &error_abort)); } #ifdef CONFIG_VNC_SASL if (sasl) { if (saslauthz) { vd->sasl.authzid =3D g_strdup(saslauthz); - } else if (acl) { - if (strcmp(vd->id, "default") =3D=3D 0) { - vd->sasl.authzid =3D g_strdup("vnc.username"); - } else { - vd->sasl.authzid =3D g_strdup_printf("vnc.%s.username", vd= ->id); - } - vd->sasl.authz =3D QAUTHZ(qauthz_list_new(vd->sasl.authzid, - QAUTHZ_LIST_POLICY_DEN= Y, - &error_abort)); } } #endif --=20 2.29.2
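Review bot: the `-vnc acl (removed in 6.0)` entry added to removed-features.rst should say what an operator loses by simply dropping `acl=on`: in the last two ui/vnc.c hunks the deleted `else if (acl)` branches created a default-deny list via `qauthz_list_new(vd->tlsauthzid, QAUTHZ_LIST_POLICY_DENY, &error_abort)` (and likewise for `vd->sasl.authzid`) whenever `acl` was set, whereas after this change `vd->tlsauthzid` / `vd->sasl.authzid` stay unset unless `tls-authz` / `sasl-authz` are given, so, as far as these hunks show, the per-client x509 DN / SASL username check the ACL provided no longer happens at all. Suggest one sentence stating that an explicit QAuthZ object must now be created and named via `tls-authz` / `sasl-authz` to keep equivalent default-deny behaviour, rather than only "has been replaced by".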
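Review bot: the first ui/vnc.c hunk drops `acl` from `qemu_vnc_opts`, so a command line still carrying `-vnc ...,acl=on` now fails QemuOpts parsing outright instead of hitting the `error_report("The 'acl' option to -vnc is deprecated. ...")` path removed in the third hunk; since this series is also copied to libvir-list, the removed-features.rst entry should say explicitly that `acl` is now rejected as an unknown option (a hard start failure), not silently ignored.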
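Review bot: the monitor/misc.c hunk removes `find_auth()`, `warn_acl`/`hmp_warn_acl()` and all five `hmp_acl_*` handlers together, which is consistent with the `.cmd = hmp_acl_*` entries deleted from hmp-commands.hx, so no dangling references are left in what the patch shows; it also removes the only visible uses of `QAUTHZ_LIST()`, `qauthz_list_*_rule()`, `QAuthZListPolicy_lookup` and `object_resolve_path_component()` in that file, so any header included solely for them (not visible in this hunk) should be dropped in the same patch rather than left as a dead include.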