From: Juan Quintela
Subject: Re: [Qemu-devel] [PATCH v3 5/6] vnc: allow specifying a custom authorization object name
Date: Mon, 05 Nov 2018 15:21:48 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Daniel P. Berrangé <address@hidden> wrote:
> From: "Daniel P. Berrange" <address@hidden>
>
> The VNC server has historically had support for ACLs to check both the
> SASL username and the TLS x509 distinguished name. The VNC server was
> responsible for creating the initial ACL, and the client app was then
> responsible for populating it with rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is no way to
> populate the ACLs from the command line, users are forced to use the
> HMP. With multiple network services all supporting TLS and ACLs now, it
> is desirable to be able to define a single ACL that is referenced by all
> services.
>
> To address these limitations, two new options are added to the VNC
> server CLI. The 'tls-authz' option takes the ID of a QAuthZ object to
> use for checking TLS x509 distinguished names, and the 'sasl-authz'
> option takes the ID of another object to use for checking SASL usernames.
>
> In this example, we set up two authorization rules. The first allows any
> client with a certificate issued by the 'RedHat' organization in the
> 'London' locality. The second ACL allows clients with either the
> 'address@hidden' or 'address@hidden' kerberos usernames. Both checks
> must pass for the user to be allowed.
>
> $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> endpoint=server,verify-peer=yes \
> -object authz-simple,id=authz0,policy=deny,\
> rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
> -object authz-simple,id=authz1,policy=deny,\
> address@hidden,rules.0.policy=allow \
> address@hidden,rules.0.policy=allow \
> -vnc 0.0.0.0:1,tls-creds=tls0,tls-authz=authz0,
> sasl,sasl-authz=authz1 \
> ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
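The commit message above gives the shape of the rule-list object (a default policy plus numbered rules.N.match / rules.N.policy entries) but not the evaluation order, and the `,,` in `O=RedHat,,L=London` is easy to misread. The block below is an added example, not QEMU's code or anything from this series: it models the documented semantics of the rule-list authorization object (in the merged QEMU series that object type is `authz-list`; `authz-simple` there matches a single `identity=` value), parses the same property-string syntax, including QEMU's doubled-comma escape for a literal comma, and applies the "both checks must pass" rule for a VNC server configured with `tls-authz` and `sasl-authz` together. The identities, realm and rule sets are constructed sample data; the `guest@EXAMPLE.COM` pair shows why a specific deny has to precede a glob allow, since the first matching rule wins.

```python
"""Model of the rule-list authorization check behind QEMU's tls-authz and
sasl-authz options.  Added example, not QEMU code: it follows the semantics
the commit message relies on (default policy plus numbered rules, the first
matching rule deciding) and QEMU's ',,' escape for a literal comma inside a
command-line property value.  All identities below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Rule:
    match: str
    policy: str            # "allow" or "deny"
    format: str = "exact"  # "exact" or "glob"


@dataclass
class AuthzList:
    policy: str                                  # applies when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def is_allowed(self, identity: str) -> bool:
        """First rule whose pattern matches decides; otherwise default policy."""
        for rule in self.rules:
            if rule.format == "glob":
                hit = fnmatchcase(identity, rule.match)
            else:
                hit = identity == rule.match
            if hit:
                return rule.policy == "allow"
        return self.policy == "allow"


def split_qemu_props(props: str) -> List[str]:
    """Split 'k=v,k=v' where ',,' inside a value stands for a literal comma."""
    items, cur, i = [], [], 0
    while i < len(props):
        if props[i] == ",":
            if i + 1 < len(props) and props[i + 1] == ",":
                cur.append(",")
                i += 2
                continue
            items.append("".join(cur))
            cur = []
        else:
            cur.append(props[i])
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def authz_from_props(props: str) -> AuthzList:
    """Build an AuthzList from the property string handed to '-object'.
    A value may itself contain '=' (a DN such as O=RedHat,,L=London), so each
    item is split on its first '=' only."""
    kv: Dict[str, str] = {}
    for item in split_qemu_props(props):
        key, _, value = item.partition("=")
        kv[key] = value
    by_index: Dict[int, Dict[str, str]] = {}
    for key, value in kv.items():
        if key.startswith("rules."):
            _, idx, prop = key.split(".", 2)
            by_index.setdefault(int(idx), {})[prop] = value
    rules = [Rule(match=r["match"], policy=r["policy"],
                  format=r.get("format", "exact"))
             for _, r in sorted(by_index.items())]
    return AuthzList(policy=kv.get("policy", "deny"), rules=rules)


def vnc_client_allowed(tls_authz: AuthzList, sasl_authz: AuthzList,
                       x509_dn: str, sasl_user: str) -> bool:
    """Both the TLS x509 DN check and the SASL username check must pass."""
    return tls_authz.is_allowed(x509_dn) and sasl_authz.is_allowed(sasl_user)


# Constructed configuration in the shape of the commit's example.
TLS_AUTHZ = authz_from_props(
    "policy=deny,rules.0.match=O=RedHat,,L=London,rules.0.policy=allow")
# Specific deny listed before the glob allow: the first matching rule wins.
SASL_AUTHZ = authz_from_props(
    "policy=deny,"
    "rules.0.match=guest@EXAMPLE.COM,rules.0.policy=deny,"
    "rules.1.match=*@EXAMPLE.COM,rules.1.format=glob,rules.1.policy=allow")
# Same rules reversed: the glob now shadows the deny, so guest gets in.
SASL_AUTHZ_MISORDERED = authz_from_props(
    "policy=deny,"
    "rules.0.match=*@EXAMPLE.COM,rules.0.format=glob,rules.0.policy=allow,"
    "rules.1.match=guest@EXAMPLE.COM,rules.1.policy=deny")

if __name__ == "__main__":
    for dn, user in [("O=RedHat,L=London", "alice@EXAMPLE.COM"),
                     ("O=RedHat,L=London", "guest@EXAMPLE.COM"),
                     ("O=RedHat,L=Boston", "alice@EXAMPLE.COM")]:
        print(dn, user, vnc_client_allowed(TLS_AUTHZ, SASL_AUTHZ, dn, user))
```

Two practical points follow from the model. An exact rule compares the whole identity string, so a TLS rule only matches if the DN string QEMU derives from the client certificate is character-for-character what you wrote (check it against your CA's certificates rather than assuming attribute order). And because evaluation stops at the first hit, a broad glob allow placed before a narrow deny silently defeats the deny; keep denies first and leave the object-level policy at `deny`.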