summaryrefslogtreecommitdiffstats
path: root/hw/arm
diff options
context:
space:
mode:
authorPeter Maydell2019-02-26 18:59:41 +0100
committerPeter Maydell2019-02-26 18:59:41 +0100
commit86c7e2f4a93322a76afea5ee6806a83420d1dfea (patch)
tree557e23fb1865a42a0e68fd45603788e2f8aa380c /hw/arm
parentMerge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into ... (diff)
parentauthz: delete existing ACL implementation (diff)
downloadqemu-86c7e2f4a93322a76afea5ee6806a83420d1dfea.tar.gz
qemu-86c7e2f4a93322a76afea5ee6806a83420d1dfea.tar.xz
qemu-86c7e2f4a93322a76afea5ee6806a83420d1dfea.zip
Merge remote-tracking branch 'remotes/berrange/tags/authz-core-pull-request' into staging
Add a standard authorization framework The current network services now support encryption via TLS and in some cases support authentication via SASL. In cases where SASL is not available, x509 client certificates can be used as a crude authorization scheme, but using a sub-CA and controlling who you give certs to. In general this is not very flexible though, so this series introduces a new standard authorization framework. It comes with four initial authorization mechanisms - Simple - an exact username match. This is useful when there is exactly one user that is known to connect. For example when live migrating from one QEMU to another with TLS, libvirt would use the simple scheme to whitelist the TLS cert of the source QEMU. - List - an full access control list, with optional regex matching. This is more flexible and is used to provide 100% backcompat with the existing HMP ACL commands. The caveat is that we can't create these via the CLI -object arg yet. - ListFile - the same as List, but with the rules stored in JSON format in an external file. This avoids the -object limitation while also allowing the admin to change list entries on the file. QEMU uses inotify to notice these changes and auto-reload the file contents. This is likely a good default choice for most network services, if the "simple" mechanism isn't sufficient. - PAM - delegate the username lookup to a PAM module, which opens the door to many options including things like SQL/LDAP lookups. # gpg: Signature made Tue 26 Feb 2019 15:33:46 GMT # gpg: using RSA key BE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] # Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF * remotes/berrange/tags/authz-core-pull-request: authz: delete existing ACL implementation authz: add QAuthZPAM object type for authorizing using PAM authz: add QAuthZListFile object type for a file access control list authz: add QAuthZList object type for an access control list authz: add QAuthZSimple object type for easy whitelist auth checks authz: add QAuthZ object as an authorization base class hw/usb: switch MTP to use new inotify APIs hw/usb: fix const-ness for string params in MTP driver hw/usb: don't set IN_ISDIR for inotify watch in MTP driver qom: don't require user creatable objects to be registered util: add helper APIs for dealing with inotify in portable manner Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/arm')
0 files changed, 0 insertions, 0 deletions