qemu-e2k/qapi
Daniel P. Berrange fd4a5fd463 chardev: add support for authorization for TLS clients
Currently any client which can complete the TLS handshake is able to use
a chardev server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide a x509
certificate. This means the client will have to acquire a certificate
from the CA before they are permitted to use the chardev server. This is
still a fairly low bar.

This adds a 'tls-authz=OBJECT-ID' option to the socket chardev backend
which takes the ID of a previously added 'QAuthZ' object instance. This
will be used to validate the client's x509 distinguished name. Clients
failing the check will not be permitted to use the chardev server.

For example to setup authorization that only allows connection from a
client whose x509 certificate distinguished name contains 'CN=fred', you
would use:

  $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                endpoint=server,verify-peer=yes \
        -object authz-simple,id=authz0,identity=CN=laptop.example.com,,\
                O=Example Org,,L=London,,ST=London,,C=GB \
        -chardev socket,host=127.0.0.1,port=9000,server,\
	         tls-creds=tls0,tls-authz=authz0 \
        ...other qemu args...

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2019-03-11 16:55:52 +01:00
..
authz.json authz: add QAuthZList object type for an access control list 2019-02-26 15:32:18 +00:00
block-core.json qcow2: Implement data-file-raw create option 2019-03-08 12:26:46 +01:00
block.json nbd: fix outdated qapi docs syntax for tls-creds 2019-03-06 11:05:27 -06:00
char.json chardev: add support for authorization for TLS clients 2019-03-11 16:55:52 +01:00
common.json qapi: Define PCIe link speed and width properties 2018-12-19 16:48:16 -05:00
crypto.json crypto: Fix defaults in QCryptoBlockCreateOptionsLUKS 2018-12-12 11:16:49 +00:00
introspect.json json: Update references to RFC 7159 to RFC 8259 2018-08-24 20:27:14 +02:00
job.json
Makefile.objs authz: add QAuthZList object type for an access control list 2019-02-26 15:32:18 +00:00
migration.json qapi/migration.json: Remove a variable that doesn't exist in example 2019-03-06 10:49:18 +00:00
misc.json qapi: move RTC_CHANGE to the target schema 2019-02-18 14:44:05 +01:00
net.json qmp: Add announce-self command 2019-03-05 11:27:41 +08:00
opts-visitor.c
qapi-clone-visitor.c
qapi-dealloc-visitor.c
qapi-schema.json authz: add QAuthZList object type for an access control list 2019-02-26 15:32:18 +00:00
qapi-util.c
qapi-visit-core.c
qmp-dispatch.c qmp: constify qmp_is_oob() 2018-08-30 16:08:47 +02:00
qmp-event.c qapi: Eliminate indirection through qmp_event_get_func_emit() 2019-01-24 10:01:05 +01:00
qmp-registry.c qapi: remove qmp_unregister_command() 2019-02-18 14:44:05 +01:00
qobject-input-visitor.c qapi: Use qemu_strtod_finite() in qobject-input-visitor 2018-12-13 19:10:06 +01:00
qobject-output-visitor.c
rdma.json qapi: Define new QMP message for pvrdma 2018-12-22 11:09:56 +02:00
rocker.json
run-state.json qmp: Split ShutdownCause host-qmp into quit and system-reset 2018-12-18 07:55:47 +01:00
sockets.json
string-input-visitor.c qapi: Rewrite string-input-visitor's integer and list parsing 2018-12-13 19:10:06 +01:00
string-output-visitor.c
target.json target/mips: implement QMP query-cpu-definitions command 2019-02-21 19:36:47 +01:00
tpm.json qapi: break long lines at 'data' member 2018-12-13 19:20:11 +01:00
trace-events
trace.json
transaction.json block: remove 'x' prefix from experimental bitmap APIs 2019-01-14 10:09:46 -06:00
ui.json display: add -display spice-app launching a Spice client 2019-02-22 07:42:59 +01:00