mbox

[PULL,00/11] Merge authz core patches

Message ID 20190225123111.30363-1-berrange@redhat.com (mailing list archive)
State New, archived
Headers show

Pull-request

https://github.com/berrange/qemu tags/authz-core-pull-request

Message

Daniel P. Berrangé Feb. 25, 2019, 12:31 p.m. UTC 
The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:

  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)

are available in the Git repository at:

  https://github.com/berrange/qemu tags/authz-core-pull-request

for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:

  authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)

----------------------------------------------------------------
Add a standard authorization framework

The current network services now support encryption via TLS and in some
cases support authentication via SASL. In cases where SASL is not
available, x509 client certificates can be used as a crude authorization
scheme, but using a sub-CA and controlling who you give certs to. In
general this is not very flexible though, so this series introduces a
new standard authorization framework.

It comes with four initial authorization mechanisms

 - Simple - an exact username match. This is useful when there is
   exactly one user that is known to connect. For example when live
   migrating from one QEMU to another with TLS, libvirt would use
   the simple scheme to whitelist the TLS cert of the source QEMU.

 - List - an full access control list, with optional regex matching.
   This is more flexible and is used to provide 100% backcompat with
   the existing HMP ACL commands. The caveat is that we can't create
   these via the CLI -object arg yet.

 - ListFile - the same as List, but with the rules stored in JSON
   format in an external file. This avoids the -object limitation
   while also allowing the admin to change list entries on the file.
   QEMU uses inotify to notice these changes and auto-reload the
   file contents. This is likely a good default choice for most
   network services, if the "simple" mechanism isn't sufficient.

 - PAM - delegate the username lookup to a PAM module, which opens
   the door to many options including things like SQL/LDAP lookups.

----------------------------------------------------------------

Daniel P. Berrangé (11):
  util: add helper APIs for dealing with inotify in portable manner
  qom: don't require user creatable objects to be registered
  hw/usb: don't set IN_ISDIR for inotify watch in MTP driver
  hw/usb: fix const-ness for string params in MTP driver
  hw/usb: switch MTP to use new inotify APIs
  authz: add QAuthZ object as an authorization base class
  authz: add QAuthZSimple object type for easy whitelist auth checks
  authz: add QAuthZList object type for an access control list
  authz: add QAuthZListFile object type for a file access control list
  authz: add QAuthZPAM object type for authorizing using PAM
  authz: delete existing ACL implementation

 MAINTAINERS                    |  15 +
 Makefile                       |  10 +-
 Makefile.objs                  |   8 +-
 Makefile.target                |   2 +
 authz/Makefile.objs            |   7 +
 authz/base.c                   |  82 ++++
 authz/list.c                   | 271 +++++++++++++
 authz/listfile.c               | 283 ++++++++++++++
 authz/pamacct.c                | 148 +++++++
 authz/simple.c                 | 115 ++++++
 authz/trace-events             |  18 +
 configure                      |  54 ++-
 crypto/tlssession.c            |  35 +-
 crypto/trace-events            |   2 +-
 hw/usb/dev-mtp.c               | 281 ++++++--------
 hw/usb/trace-events            |   2 +-
 include/authz/base.h           | 112 ++++++
 include/authz/list.h           | 106 +++++
 include/authz/listfile.h       | 111 ++++++
 include/authz/pamacct.h        | 100 +++++
 include/authz/simple.h         |  84 ++++
 include/qemu/acl.h             |  66 ----
 include/qemu/filemonitor.h     | 128 ++++++
 monitor.c                      | 179 ++++++---
 qapi/Makefile.objs             |   2 +-
 qapi/authz.json                |  58 +++
 qapi/qapi-schema.json          |   1 +
 qemu-options.hx                | 105 +++++
 qom/object.c                   |  12 +-
 qom/object_interfaces.c        |  16 +-
 tests/Makefile.include         |  16 +-
 tests/test-authz-list.c        | 159 ++++++++
 tests/test-authz-listfile.c    | 195 ++++++++++
 tests/test-authz-pam.c         | 124 ++++++
 tests/test-authz-simple.c      |  50 +++
 tests/test-crypto-tlssession.c |  15 +-
 tests/test-io-channel-tls.c    |  16 +-
 tests/test-util-filemonitor.c  | 685 +++++++++++++++++++++++++++++++++
 ui/vnc-auth-sasl.c             |  23 +-
 ui/vnc-auth-sasl.h             |   5 +-
 ui/vnc-auth-vencrypt.c         |   2 +-
 ui/vnc-ws.c                    |   2 +-
 ui/vnc.c                       |  37 +-
 ui/vnc.h                       |   4 +-
 util/Makefile.objs             |   4 +-
 util/acl.c                     | 179 ---------
 util/filemonitor-inotify.c     | 339 ++++++++++++++++
 util/filemonitor-stub.c        |  59 +++
 util/trace-events              |   9 +
 49 files changed, 3773 insertions(+), 563 deletions(-)
 create mode 100644 authz/Makefile.objs
 create mode 100644 authz/base.c
 create mode 100644 authz/list.c
 create mode 100644 authz/listfile.c
 create mode 100644 authz/pamacct.c
 create mode 100644 authz/simple.c
 create mode 100644 authz/trace-events
 create mode 100644 include/authz/base.h
 create mode 100644 include/authz/list.h
 create mode 100644 include/authz/listfile.h
 create mode 100644 include/authz/pamacct.h
 create mode 100644 include/authz/simple.h
 delete mode 100644 include/qemu/acl.h
 create mode 100644 include/qemu/filemonitor.h
 create mode 100644 qapi/authz.json
 create mode 100644 tests/test-authz-list.c
 create mode 100644 tests/test-authz-listfile.c
 create mode 100644 tests/test-authz-pam.c
 create mode 100644 tests/test-authz-simple.c
 create mode 100644 tests/test-util-filemonitor.c
 delete mode 100644 util/acl.c
 create mode 100644 util/filemonitor-inotify.c
 create mode 100644 util/filemonitor-stub.c

Comments

Peter Maydell Feb. 26, 2019, 7:04 p.m. UTC | #1 
On Mon, 25 Feb 2019 at 12:35, Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:
>
>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/berrange/qemu tags/authz-core-pull-request
>
> for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:
>
>   authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)
>
> ----------------------------------------------------------------
> Add a standard authorization framework
>
> The current network services now support encryption via TLS and in some
> cases support authentication via SASL. In cases where SASL is not
> available, x509 client certificates can be used as a crude authorization
> scheme, but using a sub-CA and controlling who you give certs to. In
> general this is not very flexible though, so this series introduces a
> new standard authorization framework.
>

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/4.0
for any user-visible changes.

-- PMM
Philippe Mathieu-Daudé Feb. 26, 2019, 7:07 p.m. UTC | #2 
On 2/26/19 8:04 PM, Peter Maydell wrote:
> On Mon, 25 Feb 2019 at 12:35, Daniel P. Berrangé <berrange@redhat.com> wrote:
>>
>> The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:
>>
>>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)
>>
>> are available in the Git repository at:
>>
>>   https://github.com/berrange/qemu tags/authz-core-pull-request
>>
>> for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:
>>
>>   authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)
>>
>> ----------------------------------------------------------------
>> Add a standard authorization framework
>>
>> The current network services now support encryption via TLS and in some
>> cases support authentication via SASL. In cases where SASL is not
>> available, x509 client certificates can be used as a crude authorization
>> scheme, but using a sub-CA and controlling who you give certs to. In
>> general this is not very flexible though, so this series introduces a
>> new standard authorization framework.
>>
> 
> Applied, thanks.

Argh there is a v2... Daniel didn't NACK'd this one.
Peter Maydell Feb. 26, 2019, 7:09 p.m. UTC | #3 
On Tue, 26 Feb 2019 at 19:07, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> On 2/26/19 8:04 PM, Peter Maydell wrote:
> > On Mon, 25 Feb 2019 at 12:35, Daniel P. Berrangé <berrange@redhat.com> wrote:
> >>
> >> The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:
> >>
> >>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)
> >>
> >> are available in the Git repository at:
> >>
> >>   https://github.com/berrange/qemu tags/authz-core-pull-request
> >>
> >> for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:
> >>
> >>   authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)
> >>
> >> ----------------------------------------------------------------
> >> Add a standard authorization framework
> >>
> >> The current network services now support encryption via TLS and in some
> >> cases support authentication via SASL. In cases where SASL is not
> >> available, x509 client certificates can be used as a crude authorization
> >> scheme, but using a sub-CA and controlling who you give certs to. In
> >> general this is not very flexible though, so this series introduces a
> >> new standard authorization framework.
> >>
> >
> > Applied, thanks.
>
> Argh there is a v2... Daniel didn't NACK'd this one.

Oops. Yes, I process my pullreq queue oldest-first and unless you
follow up to the cover letter to say "don't apply this v1" I'm
not necessarily going to notice a v2. I'm afraid you'll have to
send whatever the v1->v2 fixes were as a separate set of patches now.

thanks
-- PMM
Daniel P. Berrangé Feb. 27, 2019, 9:31 a.m. UTC | #4 
On Tue, Feb 26, 2019 at 08:07:34PM +0100, Philippe Mathieu-Daudé wrote:
> On 2/26/19 8:04 PM, Peter Maydell wrote:
> > On Mon, 25 Feb 2019 at 12:35, Daniel P. Berrangé <berrange@redhat.com> wrote:
> >>
> >> The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:
> >>
> >>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)
> >>
> >> are available in the Git repository at:
> >>
> >>   https://github.com/berrange/qemu tags/authz-core-pull-request
> >>
> >> for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:
> >>
> >>   authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)
> >>
> >> ----------------------------------------------------------------
> >> Add a standard authorization framework
> >>
> >> The current network services now support encryption via TLS and in some
> >> cases support authentication via SASL. In cases where SASL is not
> >> available, x509 client certificates can be used as a crude authorization
> >> scheme, but using a sub-CA and controlling who you give certs to. In
> >> general this is not very flexible though, so this series introduces a
> >> new standard authorization framework.
> >>
> > 
> > Applied, thanks.
> 
> Argh there is a v2... Daniel didn't NACK'd this one.

It is no big deal. The only changes were very minor and were fine as
a followup.

Regards,
Daniel
Daniel P. Berrangé Feb. 27, 2019, 11:12 a.m. UTC | #5 
On Tue, Feb 26, 2019 at 07:09:29PM +0000, Peter Maydell wrote:
> On Tue, 26 Feb 2019 at 19:07, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
> >
> > On 2/26/19 8:04 PM, Peter Maydell wrote:
> > > On Mon, 25 Feb 2019 at 12:35, Daniel P. Berrangé <berrange@redhat.com> wrote:
> > >>
> > >> The following changes since commit 8eb29f1bf5a974dc4c11d2d1f5e7c7f7a62be116:
> > >>
> > >>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20190221.0' into staging (2019-02-22 15:48:04 +0000)
> > >>
> > >> are available in the Git repository at:
> > >>
> > >>   https://github.com/berrange/qemu tags/authz-core-pull-request
> > >>
> > >> for you to fetch changes up to cfde05c6c0db7d3122a5491d50f62f7910ab8abb:
> > >>
> > >>   authz: delete existing ACL implementation (2019-02-25 12:28:25 +0000)
> > >>
> > >> ----------------------------------------------------------------
> > >> Add a standard authorization framework
> > >>
> > >> The current network services now support encryption via TLS and in some
> > >> cases support authentication via SASL. In cases where SASL is not
> > >> available, x509 client certificates can be used as a crude authorization
> > >> scheme, but using a sub-CA and controlling who you give certs to. In
> > >> general this is not very flexible though, so this series introduces a
> > >> new standard authorization framework.
> > >>
> > >
> > > Applied, thanks.
> >
> > Argh there is a v2... Daniel didn't NACK'd this one.
> 
> Oops. Yes, I process my pullreq queue oldest-first and unless you
> follow up to the cover letter to say "don't apply this v1" I'm
> not necessarily going to notice a v2. I'm afraid you'll have to
> send whatever the v1->v2 fixes were as a separate set of patches now.

Actually there is no problem here.  git-publish will always use the
same tag name when sending a pull request, so the v2 tag name was
the same as the v1 tag name & thus you automatically applied the
correct v2 pull request.

Regards,
Daniel