author | Daniel P. Berrange | 2019-02-27 17:20:34 +0100 |
---|---|---|
committer | Eric Blake | 2019-03-06 18:05:27 +0100 |
commit | 000194556b65970a19ca437cd96b804a3f069f11 (patch) | |
tree | 3ca23aafe1f56a6e1345be4f2700a1f846a4bf71 /qapi/block.json | |
parent | qemu-nbd: add support for authorization of TLS clients (diff) | |
download | qemu-000194556b65970a19ca437cd96b804a3f069f11.tar.gz qemu-000194556b65970a19ca437cd96b804a3f069f11.tar.xz qemu-000194556b65970a19ca437cd96b804a3f069f11.zip |
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
  'execute': 'object-add',
  'arguments': {
    'qom-type': 'authz-list',
    'id': 'authz0',
    'parameters': {
      'policy': 'deny',
      'rules': [
        {
          'match': '*CN=fred',
          'policy': 'allow'
        }
      ]
    }
  }
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
  'execute': 'nbd-server-start',
  'arguments': {
    'addr': {
      'type': 'inet',
      'host': '127.0.0.1',
      'port': '9000'
    },
    'tls-creds': 'tls0',
    'tls-authz': 'authz0'
  }
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
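The two-step QMP sequence above, as an added example that is not part of the commit: it builds the 'object-add' and 'nbd-server-start' commands in the shape the commit message gives them, serialises them to the JSON that QMP actually carries, and pre-checks which client distinguished names the resulting authz-list policy would admit. The evaluation semantics (rules tried in order, first match decides, top-level 'policy' as the fallback, 'glob' using shell-style wildcards and 'exact' a plain compare) are this example's assumption about authz-list, and the 'format' rule key is spelled out per rule rather than left to a default.

```python
import fnmatch
import json


def build_authz_object(obj_id, rules, default_policy="deny"):
    """'object-add' for an authz-list. rules: iterable of (match, policy, format).
    'format' is written explicitly so the match type is never ambiguous."""
    return {
        "execute": "object-add",
        "arguments": {
            "qom-type": "authz-list",
            "id": obj_id,
            "parameters": {
                "policy": default_policy,
                "rules": [{"match": m, "policy": p, "format": f} for (m, p, f) in rules],
            },
        },
    }


def build_nbd_server_start(host, port, tls_creds, tls_authz):
    """'nbd-server-start' referencing the TLS credentials and the authz object by id."""
    return {
        "execute": "nbd-server-start",
        "arguments": {
            "addr": {"type": "inet", "host": host, "port": str(port)},
            "tls-creds": tls_creds,
            "tls-authz": tls_authz,
        },
    }


def to_wire(cmd):
    """QMP is JSON on the wire: double-quoted keys, not the single quotes of the docs."""
    return json.dumps(cmd, separators=(",", ":"))


def evaluate(authz_cmd, identity):
    """Assumed authz-list semantics: first matching rule wins, else the list policy.
    Shows why a glob like '*CN=fred' is broad: any DN ending in CN=fred is allowed,
    whatever its O= or OU= components, whereas 'exact' pins the whole DN."""
    params = authz_cmd["arguments"]["parameters"]
    for rule in params["rules"]:
        if rule["format"] == "glob":
            hit = fnmatch.fnmatchcase(identity, rule["match"])
        else:
            hit = identity == rule["match"]
        if hit:
            return rule["policy"]
    return params["policy"]
```

Running evaluate() over the DNs you expect to issue certificates for, before the server is started, catches an over-broad glob while the policy is still just a dict.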
Diffstat (limited to 'qapi/block.json')
-rw-r--r-- | qapi/block.json | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/qapi/block.json b/qapi/block.json index 5a79d639e8..79623088e7 100644 --- a/qapi/block.json +++ b/qapi/block.json @@ -225,6 +225,11 @@ # # @addr: Address on which to listen. # @tls-creds: (optional) ID of the TLS credentials object. Since 2.6 +# @tls-authz: ID of the QAuthZ authorization object used to validate +# the client's x509 distinguished name. This object is +# is only resolved at time of use, so can be deleted and +# recreated on the fly while the NBD server is active. +# If missing, it will default to denying access (since 4.0). # # Returns: error if the server is already running. # @@ -232,7 +237,8 @@ ## { 'command': 'nbd-server-start', 'data': { 'addr': 'SocketAddressLegacy', - '*tls-creds': 'str'} } + '*tls-creds': 'str', + '*tls-authz': 'str'} } ## # @nbd-server-add: |
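Review bot: the @tls-authz doc text in the first hunk (@@ -225) has a duplicated word across the line break, "This object is / is only resolved"; drop one "is". The same paragraph should also mark the parameter as optional, as the @tls-creds line directly above does with "(optional)", since the schema declares it as '*tls-authz', and the "(since 4.0)" tag reads more naturally at the end of the first sentence than inside the clause describing the default-deny behaviour.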
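Review bot: the second hunk (@@ -232) lets '*tls-authz' be supplied without '*tls-creds', yet the doc comment says the object validates "the client's x509 distinguished name", which only exists once TLS is enabled; the command handler should reject a tls-authz given without tls-creds with an explicit error rather than silently ignoring it, and the @tls-authz description should state that dependency.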