[libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients

[Juan Quintela]

Daniel P. Berrangé <berrange at redhat.com> wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> Currently any client which can complete the TLS handshake is able to use
> the NBD server. The server admin can turn on the 'verify-peer' option
> for the x509 creds to require the client to provide a x509 certificate.
> This means the client will have to acquire a certificate from the CA
> before they are permitted to use the NBD server. This is still a fairly
> low bar to cross.
>
> This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
> takes the ID of a previously added 'QAuthZ' object instance. This will
> be used to validate the client's x509 distinguished name. Clients
> failing the authorization check will not be permitted to use the NBD
> server.
>
> For example to setup authorization that only allows connection from a client
> whose x509 certificate distinguished name is
>
>    CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB
>
> use:
>
>   qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                     endpoint=server,verify-peer=yes \
>            --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\
>                     O=Example Org,,L=London,,ST=London,,C=GB \
>            --tls-creds tls0 \
>            --tls-authz authz0
> 	   ....other qemu-nbd args...
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>

Reviewed-by: Juan Quintela <quintela at redhat.com>