Commit 00019455 authored by Daniel P. Berrangé's avatar Daniel P. Berrangé Committed by Eric Blake
Browse files

nbd: allow authorization with nbd-server-start QMP command 



As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.

First the client must create a QAuthZ object instance using the
'object-add' command:

   {
     'execute': 'object-add',
     'arguments': {
       'qom-type': 'authz-list',
       'id': 'authz0',
       'parameters': {
         'policy': 'deny',
         'rules': [
           {
             'match': '*CN=fred',
             'policy': 'allow'
           }
         ]
       }
     }
   }

They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:

   {
     'execute': 'nbd-server-start',
     'arguments': {
       'addr': {
           'type': 'inet',
           'host': '127.0.0.1',
           'port': '9000'
       },
       'tls-creds': 'tls0',
       'tls-authz': 'authz0'
     }
   }

Reviewed-by: default avatarEric Blake <eblake@redhat.com>
Reviewed-by: default avatarJuan Quintela <quintela@redhat.com>
Signed-off-by: default avatarDaniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: default avatarEric Blake <eblake@redhat.com>
parent b25e12da

blockdev-nbd.c

+8 −3
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ 
typedef struct NBDServerData {

    QIONetListener *listener;

    QCryptoTLSCreds *tlscreds;

    char *tlsauthz;

} NBDServerData;



static NBDServerData *nbd_server;
@@ -36,7 +37,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, 
                       gpointer opaque)

{

    qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");

    nbd_client_new(cioc, nbd_server->tlscreds, NULL,

    nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,

                   nbd_blockdev_client_closed);

}
@@ -52,6 +53,7 @@ static void nbd_server_free(NBDServerData *server) 
    if (server->tlscreds) {

        object_unref(OBJECT(server->tlscreds));

    }

    g_free(server->tlsauthz);



    g_free(server);

}
@@ -87,7 +89,7 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) 




void nbd_server_start(SocketAddress *addr, const char *tls_creds,

                      Error **errp)

                      const char *tls_authz, Error **errp)

{

    if (nbd_server) {

        error_setg(errp, "NBD server already running");
@@ -117,6 +119,8 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, 
        }

    }



    nbd_server->tlsauthz = g_strdup(tls_authz);



    qio_net_listener_set_client_func(nbd_server->listener,

                                     nbd_accept,

                                     NULL,
@@ -131,11 +135,12 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, 


void qmp_nbd_server_start(SocketAddressLegacy *addr,

                          bool has_tls_creds, const char *tls_creds,

                          bool has_tls_authz, const char *tls_authz,

                          Error **errp)

{

    SocketAddress *addr_flat = socket_address_flatten(addr);



    nbd_server_start(addr_flat, tls_creds, errp);

    nbd_server_start(addr_flat, tls_creds, tls_authz, errp);

    qapi_free_SocketAddress(addr_flat);

}

hmp.c

+1 −1
Original line number Diff line number Diff line
@@ -2373,7 +2373,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict) 
        goto exit;

    }



    nbd_server_start(addr, NULL, &local_err);

    nbd_server_start(addr, NULL, NULL, &local_err);

    qapi_free_SocketAddress(addr);

    if (local_err != NULL) {

        goto exit;

include/block/nbd.h

+1 −1
Original line number Diff line number Diff line
@@ -332,7 +332,7 @@ void nbd_client_get(NBDClient *client); 
void nbd_client_put(NBDClient *client);



void nbd_server_start(SocketAddress *addr, const char *tls_creds,

                      Error **errp);

                      const char *tls_authz, Error **errp);



/* nbd_read

 * Reads @size bytes from @ioc. Returns 0 on success.

qapi/block.json

+7 −1
Original line number Diff line number Diff line
@@ -225,6 +225,11 @@ 
#

# @addr: Address on which to listen.

# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6

# @tls-authz: ID of the QAuthZ authorization object used to validate

#             the client's x509 distinguished name. This object is

#             is only resolved at time of use, so can be deleted and

#             recreated on the fly while the NBD server is active.

#             If missing, it will default to denying access (since 4.0).

#

# Returns: error if the server is already running.

#
@@ -232,7 +237,8 @@ 
##

{ 'command': 'nbd-server-start',

  'data': { 'addr': 'SocketAddressLegacy',

            '*tls-creds': 'str'} }

            '*tls-creds': 'str',

            '*tls-authz': 'str'} }



##

# @nbd-server-add: