From 000194556b65970a19ca437cd96b804a3f069f11 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 27 Feb 2019 16:20:34 +0000 Subject: nbd: allow authorization with nbd-server-start QMP command As with the previous patch to qemu-nbd, the nbd-server-start QMP command also needs to be able to specify authorization when enabling TLS encryption. First the client must create a QAuthZ object instance using the 'object-add' command: { 'execute': 'object-add', 'arguments': { 'qom-type': 'authz-list', 'id': 'authz0', 'parameters': { 'policy': 'deny', 'rules': [ { 'match': '*CN=fred', 'policy': 'allow' } ] } } } They can then reference this in the new 'tls-authz' parameter when executing the 'nbd-server-start' command: { 'execute': 'nbd-server-start', 'arguments': { 'addr': { 'type': 'inet', 'host': '127.0.0.1', 'port': '9000' }, 'tls-creds': 'tls0', 'tls-authz': 'authz0' } } Reviewed-by: Eric Blake Reviewed-by: Juan Quintela Signed-off-by: Daniel P. Berrange Message-Id: <20190227162035.18543-3-berrange@redhat.com> Signed-off-by: Eric Blake --- qapi/block.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'qapi/block.json') diff --git a/qapi/block.json b/qapi/block.json index 5a79d639e8..79623088e7 100644 --- a/qapi/block.json +++ b/qapi/block.json @@ -225,6 +225,11 @@ # # @addr: Address on which to listen. # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6 +# @tls-authz: ID of the QAuthZ authorization object used to validate +# the client's x509 distinguished name. This object is +# is only resolved at time of use, so can be deleted and +# recreated on the fly while the NBD server is active. +# If missing, it will default to denying access (since 4.0). # # Returns: error if the server is already running. # @@ -232,7 +237,8 @@ ## { 'command': 'nbd-server-start', 'data': { 'addr': 'SocketAddressLegacy', - '*tls-creds': 'str'} } + '*tls-creds': 'str', + '*tls-authz': 'str'} } ## # @nbd-server-add: -- cgit v1.2.3