mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-08-07 01:33:56 -06:00
qemu-nbd: add support for authorization of TLS clients
Currently any client which can complete the TLS handshake is able to use
the NBD server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide a x509 certificate.
This means the client will have to acquire a certificate from the CA
before they are permitted to use the NBD server. This is still a fairly
low bar to cross.
This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
takes the ID of a previously added 'QAuthZ' object instance. This will
be used to validate the client's x509 distinguished name. Clients
failing the authorization check will not be permitted to use the NBD
server.
For example to setup authorization that only allows connection from a client
whose x509 certificate distinguished name is
CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
escape the commas in the name and use:
qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
endpoint=server,verify-peer=yes \
--object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
O=Example Org,,L=London,,ST=London,,C=GB' \
--tls-creds tls0 \
--tls-authz authz0 \
....other qemu-nbd args...
NB: a real shell command line would not have leading whitespace after
the line continuation, it is just included here for clarity.
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-2-berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: split long line in --help text, tweak 233 to show that whitespace
after ,, in identity= portion is actually okay]
Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Daniel P. Berrange
Eric Blake
parent
c557a8c7b7
commit
b25e12daff
6 changed files with 73 additions and 12 deletions
|
|
@ -6,6 +6,7 @@ Generating a self signed certificate...
|
|||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
|
||||
== preparing image ==
|
||||
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
||||
|
|
@ -29,6 +30,10 @@ image: nbd://127.0.0.1:PORT
|
|||
file format: nbd
|
||||
virtual size: 64M (67108864 bytes)
|
||||
disk size: unavailable
|
||||
image: nbd://127.0.0.1:PORT
|
||||
file format: nbd
|
||||
virtual size: 64M (67108864 bytes)
|
||||
disk size: unavailable
|
||||
exports available: 1
|
||||
export: ''
|
||||
size: 67108864
|
||||
|
|
@ -51,7 +56,13 @@ wrote 1048576/1048576 bytes at offset 1048576
|
|||
read 1048576/1048576 bytes at offset 1048576
|
||||
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||||
|
||||
== check TLS with authorization ==
|
||||
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||
|
||||
== final server log ==
|
||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied
|
||||
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied
|
||||
*** done
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue