aboutsummaryrefslogtreecommitdiff
path: root/qemu-nbd.texi
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2019-02-27 16:20:33 +0000
committerEric Blake <eblake@redhat.com>2019-03-06 11:05:27 -0600
commitb25e12daff2c3e5ba933f85e8ba278f5bcba8f4d (patch)
tree9904e22023d61441ebfdf56c9676d33163583ee7 /qemu-nbd.texi
parentc557a8c7b755d8c153fc0f5be00688228be96e76 (diff)
qemu-nbd: add support for authorization of TLS clients
Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB escape the commas in the name and use: qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ endpoint=server,verify-peer=yes \ --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\ O=Example Org,,L=London,,ST=London,,C=GB' \ --tls-creds tls0 \ --tls-authz authz0 \ ....other qemu-nbd args... NB: a real shell command line would not have leading whitespace after the line continuation, it is just included here for clarity. Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <20190227162035.18543-2-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: split long line in --help text, tweak 233 to show that whitespace after ,, in identity= portion is actually okay] Signed-off-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'qemu-nbd.texi')
-rw-r--r--qemu-nbd.texi11
1 files changed, 9 insertions, 2 deletions
diff --git a/qemu-nbd.texi b/qemu-nbd.texi
index d0c5182814..de342c76b8 100644
--- a/qemu-nbd.texi
+++ b/qemu-nbd.texi
@@ -117,6 +117,10 @@ option; or provide the credentials needed for connecting as a client
in list mode.
@item --fork
Fork off the server process and exit the parent once the server is running.
+@item --tls-authz=ID
+Specify the ID of a qauthz object previously created with the
+--object option. This will be used to authorize connecting users
+against their x509 distinguished name.
@item -v, --verbose
Display extra debugging information.
@item -h, --help
@@ -142,13 +146,16 @@ qemu-nbd -f qcow2 file.qcow2
@end example
Start a long-running server listening with encryption on port 10810,
-and require clients to have a correct X.509 certificate to connect to
+and whitelist clients with a specific X.509 certificate to connect to
a 1 megabyte subset of a raw file, using the export name 'subset':
@example
qemu-nbd \
--object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
- --tls-creds tls0 -t -x subset -p 10810 \
+ --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
+ O=Example Org,,L=London,,ST=London,,C=GB' \
+ --tls-creds tls0 --tls-authz auth0 \
+ -t -x subset -p 10810 \
--image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
@end example