[libvirt] [PATCH v3 5/6] vnc: allow specifying a custom authorization object name

Juan Quintela quintela at redhat.com
Mon Nov 5 14:21:48 UTC 2018 

Daniel P. Berrangé <berrange at redhat.com> wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> The VNC server has historically had support for ACLs to check both the
> SASL username and the TLS x509 distinguished name. The VNC server was
> responsible for creating the initial ACL, and the client app was then
> responsible for populating it with rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is no way to
> populate the ACLs from the command line, users are forced to use the
> HMP. With multiple network services all supporting TLS and ACLs now, it
> is desirable to be able to define a single ACL that is referenced by all
> services.
>
> To address these limitations, two new options are added to the VNC
> server CLI. The 'tls-authz' option takes the ID of a QAuthZ object to
> use for checking TLS x509 distinguished names, and the 'sasl-authz'
> option takes the ID of another object to use for checking SASL usernames.
>
> In this example, we setup two authorization rules. The first allows any
> client with a certificate issued by the 'RedHat' organization in the
> 'London' locality. The second ACL allows clients with either the
> 'joe at REDHAT.COM' or  'fred at REDHAT.COM' kerberos usernames. Both checks
> must pass for the user to be allowed.
>
>     $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                   endpoint=server,verify-peer=yes \
>           -object authz-simple,id=authz0,policy=deny,\
>                   rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
>           -object authz-simple,id=authz1,policy=deny,\
>                   rules.0.match=fred at REDHAT.COM,rules.0.policy=allow \
>                   rules.0.match=joe at REDHAT.COM,rules.0.policy=allow \
>           -vnc 0.0.0.0:1,tls-creds=tls0,tls-authz=authz0,
> 	       sasl,sasl-authz=authz1 \
>           ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>

Reviewed-by: Juan Quintela <quintela at redhat.com>

More information about the libvir-list mailing list