8:23 a.m.
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently any client which can complete the TLS handshake is able to use
the NBD server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide a x509 certificate.
This means the client will have to acquire a certificate from the CA
before they are permitted to use the NBD server. This is still a fairly
low bar to cross.
This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
takes the ID of a previously added 'QAuthZ' object instance. This will
be used to validate the client's x509 distinguished name. Clients
failing the authorization check will not be permitted to use the NBD
server.
For example to setup authorization that only allows connection from a client
whose x509 certificate distinguished name is
CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
use:
qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
endpoint=server,verify-peer=yes \
--object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
O=Example Org,,L=London,,ST=London,,C=GB \
--tls-creds tls0 \
--tls-authz authz0
....other qemu-nbd args...
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
include/block/nbd.h | 2 +-
nbd/server.c | 10 +++++-----
qemu-nbd.c | 13 ++++++++++++-
qemu-nbd.texi | 4 ++++
4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 6a5bfe5d55..d7aa6b24d0 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -312,7 +312,7 @@ void nbd_export_close_all(void);
void nbd_client_new(QIOChannelSocket *sioc,
QCryptoTLSCreds *tlscreds,
- const char *tlsaclname,
+ const char *tlsauthz,
void (*close_fn)(NBDClient *, bool));
void nbd_client_get(NBDClient *client);
void nbd_client_put(NBDClient *client);
diff --git a/nbd/server.c b/nbd/server.c
index a1eda0114f..138a35f838 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -111,7 +111,7 @@ struct NBDClient {
NBDExport *exp;
QCryptoTLSCreds *tlscreds;
- char *tlsaclname;
+ char *tlsauthz;
QIOChannelSocket *sioc; /* The underlying data channel */
QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
@@ -687,7 +687,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client,
tioc = qio_channel_tls_new_server(ioc,
client->tlscreds,
- client->tlsaclname,
+ client->tlsauthz,
errp);
if (!tioc) {
return NULL;
@@ -1353,7 +1353,7 @@ void nbd_client_put(NBDClient *client)
if (client->tlscreds) {
object_unref(OBJECT(client->tlscreds));
}
- g_free(client->tlsaclname);
+ g_free(client->tlsauthz);
if (client->exp) {
QTAILQ_REMOVE(&client->exp->clients, client, next);
nbd_export_put(client->exp);
@@ -2403,7 +2403,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
*/
void nbd_client_new(QIOChannelSocket *sioc,
QCryptoTLSCreds *tlscreds,
- const char *tlsaclname,
+ const char *tlsauthz,
void (*close_fn)(NBDClient *, bool))
{
NBDClient *client;
@@ -2415,7 +2415,7 @@ void nbd_client_new(QIOChannelSocket *sioc,
if (tlscreds) {
object_ref(OBJECT(client->tlscreds));
}
- client->tlsaclname = g_strdup(tlsaclname);
+ client->tlsauthz = g_strdup(tlsauthz);
client->sioc = sioc;
object_ref(OBJECT(client->sioc));
client->ioc = QIO_CHANNEL(sioc);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index e76fe3082a..61fe0fb5b9 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -52,6 +52,7 @@
#define QEMU_NBD_OPT_TLSCREDS 261
#define QEMU_NBD_OPT_IMAGE_OPTS 262
#define QEMU_NBD_OPT_FORK 263
+#define QEMU_NBD_OPT_TLSAUTHZ 264
#define MBR_SIZE 512
@@ -65,6 +66,7 @@ static int shared = 1;
static int nb_fds;
static QIONetListener *server;
static QCryptoTLSCreds *tlscreds;
+static const char *tlsauthz;
static void usage(const char *name)
{
@@ -354,7 +356,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket
*cioc,
nb_fds++;
nbd_update_server_watch();
- nbd_client_new(cioc, tlscreds, NULL, nbd_client_closed);
+ nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
}
static void nbd_update_server_watch(void)
@@ -532,6 +534,7 @@ int main(int argc, char **argv)
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
{ "trace", required_argument, NULL, 'T' },
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
+ { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
{ NULL, 0, NULL, 0 }
};
int ch;
@@ -754,6 +757,9 @@ int main(int argc, char **argv)
g_free(trace_file);
trace_file = trace_opt_parse(optarg);
break;
+ case QEMU_NBD_OPT_TLSAUTHZ:
+ tlsauthz = optarg;
+ break;
case QEMU_NBD_OPT_FORK:
fork_process = true;
break;
@@ -813,6 +819,11 @@ int main(int argc, char **argv)
error_get_pretty(local_err));
exit(EXIT_FAILURE);
}
+ } else {
+ if (tlsauthz) {
+ error_report("--tls-authz is not permitted without --tls-creds");
+ exit(EXIT_FAILURE);
+ }
}
if (disconnect) {
diff --git a/qemu-nbd.texi b/qemu-nbd.texi
index 9a84e81eed..7f9503cf05 100644
--- a/qemu-nbd.texi
+++ b/qemu-nbd.texi
@@ -91,6 +91,10 @@ of the TLS credentials object previously created with the --object
option.
@item --fork
Fork off the server process and exit the parent once the server is running.
+@item --tls-authz=ID
+Specify the ID of a qauthz object previously created with the
+--object option. This will be used to authorize connecting users
+against their x509 distinguished name.
@item -v, --verbose
Display extra debugging information
@item -h, --help
--
2.17.1