Message ID | 1457636396-24983-4-git-send-email-berrange@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 03/10/2016 11:59 AM, Daniel P. Berrange wrote: > The current qemu_acl module provides a simple access control > list facility inside QEMU, which is used via a set of monitor > commands acl_show, acl_policy, acl_add, acl_remove & acl_reset. > > Note there is no ability to create ACLs - the network services > (eg VNC server) were expected to create ACLs that they want to > check. > > There is also no way to define ACLs on the command line, nor > potentially integrate with external authorization systems like > polkit, pam, ldap lookup, etc. > > The QAuthZ object defines a minimal abstract QOM class that can > be subclassed for creating different authorization providers. > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > --- > +++ b/include/qemu/authz.h > + > +/** > + * QAuthZ: > + * > + * The QAuthZ class defines an API contract to be used > + * for providing an authorization driver for network > + * services. Just network services? Or is it broader than that? > +/** > + * qauthz_is_allowed: > + * @authz: the authorization object > + * @identity: the user identity to authorize > + * @errp: pointer to a NULL initialized error object > + * > + * Check if a user @identity is authorized > + * > + * Returns: true if @identity is authorizd, false otherwise s/authorizd/authorized/ I think you need more documentation on return semantics. Do we have strict binary return (either we returned true and errp is unset, or we returned false and errp is set), or is it a ternary (we return true and errp is unset: permission is explicitly granted; we return false and errp is unset: permission is explicitly denied; or we set errp: we could not determine permission). And if a ternary, do we also want to require that setting 'errp' also requires a return of false, or is the return undefined in that case?
On Tue, Mar 22, 2016 at 10:33:42AM -0600, Eric Blake wrote: > On 03/10/2016 11:59 AM, Daniel P. Berrange wrote: > > The current qemu_acl module provides a simple access control > > list facility inside QEMU, which is used via a set of monitor > > commands acl_show, acl_policy, acl_add, acl_remove & acl_reset. > > > > Note there is no ability to create ACLs - the network services > > (eg VNC server) were expected to create ACLs that they want to > > check. > > > > There is also no way to define ACLs on the command line, nor > > potentially integrate with external authorization systems like > > polkit, pam, ldap lookup, etc. > > > > The QAuthZ object defines a minimal abstract QOM class that can > > be subclassed for creating different authorization providers. > > > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > > --- > > > +++ b/include/qemu/authz.h > > + > > +/** > > + * QAuthZ: > > + * > > + * The QAuthZ class defines an API contract to be used > > + * for providing an authorization driver for network > > + * services. > > Just network services? Or is it broader than that? > > > +/** > > + * qauthz_is_allowed: > > + * @authz: the authorization object > > + * @identity: the user identity to authorize > > + * @errp: pointer to a NULL initialized error object > > + * > > + * Check if a user @identity is authorized > > + * > > + * Returns: true if @identity is authorizd, false otherwise > > s/authorizd/authorized/ > > I think you need more documentation on return semantics. Do we have > strict binary return (either we returned true and errp is unset, or we > returned false and errp is set), or is it a ternary (we return true and > errp is unset: permission is explicitly granted; we return false and > errp is unset: permission is explicitly denied; or we set errp: we could > not determine permission). And if a ternary, do we also want to require > that setting 'errp' also requires a return of false, or is the return > undefined in that case? It is intended to be ternary, and if errp is set, the return value should be false. ie you should be able todo if (qauthz_is_allowed(authz, identity, NULL)) .... safe in the knowledge that any error that you're ignoring will result in denial of permission Regards, Daniel
On Tue, Mar 22, 2016 at 10:33:42AM -0600, Eric Blake wrote: > On 03/10/2016 11:59 AM, Daniel P. Berrange wrote: > > The current qemu_acl module provides a simple access control > > list facility inside QEMU, which is used via a set of monitor > > commands acl_show, acl_policy, acl_add, acl_remove & acl_reset. > > > > Note there is no ability to create ACLs - the network services > > (eg VNC server) were expected to create ACLs that they want to > > check. > > > > There is also no way to define ACLs on the command line, nor > > potentially integrate with external authorization systems like > > polkit, pam, ldap lookup, etc. > > > > The QAuthZ object defines a minimal abstract QOM class that can > > be subclassed for creating different authorization providers. > > > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > > --- > > > +++ b/include/qemu/authz.h > > + > > +/** > > + * QAuthZ: > > + * > > + * The QAuthZ class defines an API contract to be used > > + * for providing an authorization driver for network > > + * services. > > Just network services? Or is it broader than that? Any service that requires authentication. It is actually nothing specific to networking Regards, Daniel
diff --git a/MAINTAINERS b/MAINTAINERS index dc0aa54..73bc431 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1301,6 +1301,13 @@ F: include/qemu/throttle.h F: util/throttle.c L: qemu-block@nongnu.org +Authorization +M: Daniel P. Berrange <berrange@redhat.com> +S: Maintained +F: util/authz* +F: include/qemu/authz* +F: tests/test-authz-* + Usermode Emulation ------------------ Overall diff --git a/Makefile b/Makefile index 70e3ebc..903dc35 100644 --- a/Makefile +++ b/Makefile @@ -150,6 +150,7 @@ endif dummy := $(call unnest-vars,, \ stub-obj-y \ util-obj-y \ + util-qom-obj-y \ qga-obj-y \ ivshmem-client-obj-y \ ivshmem-server-obj-y \ diff --git a/Makefile.objs b/Makefile.objs index fbcaa74..8bc9a77 100644 --- a/Makefile.objs +++ b/Makefile.objs @@ -4,6 +4,8 @@ stub-obj-y = stubs/ util-obj-y = util/ qobject/ qapi/ util-obj-y += qmp-introspect.o qapi-types.o qapi-visit.o qapi-event.o +util-qom-obj-y += util/ + ####################################################################### # block-obj-y is code used by both qemu system emulation and qemu-img diff --git a/Makefile.target b/Makefile.target index 34ddb7e..9728f86 100644 --- a/Makefile.target +++ b/Makefile.target @@ -171,6 +171,7 @@ include $(SRC_PATH)/Makefile.objs dummy := $(call unnest-vars,,target-obj-y) target-obj-y-save := $(target-obj-y) dummy := $(call unnest-vars,.., \ + util-qom-obj-y \ block-obj-y \ block-obj-m \ crypto-obj-y \ @@ -183,6 +184,7 @@ target-obj-y := $(target-obj-y-save) all-obj-y += $(common-obj-y) all-obj-y += $(target-obj-y) all-obj-y += $(qom-obj-y) +all-obj-y += $(util-qom-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(block-obj-y) all-obj-$(CONFIG_USER_ONLY) += $(crypto-aes-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(crypto-obj-y) diff --git a/include/qemu/authz.h b/include/qemu/authz.h new file mode 100644 index 0000000..89fa6da --- /dev/null +++ b/include/qemu/authz.h @@ -0,0 +1,81 @@ +/* + * QEMU authorization framework + * + * Copyright (c) 2016 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#ifndef QAUTHZ_H__ +#define QAUTHZ_H__ + +#include "qemu-common.h" +#include "qapi/error.h" +#include "qom/object.h" + + +#define TYPE_QAUTHZ "authz" + +#define QAUTHZ_CLASS(klass) \ + OBJECT_CLASS_CHECK(QAuthZClass, (klass), \ + TYPE_QAUTHZ) +#define QAUTHZ_GET_CLASS(obj) \ + OBJECT_GET_CLASS(QAuthZClass, (obj), \ + TYPE_QAUTHZ) +#define QAUTHZ(obj) \ + INTERFACE_CHECK(QAuthZ, (obj), \ + TYPE_QAUTHZ) + +typedef struct QAuthZ QAuthZ; +typedef struct QAuthZClass QAuthZClass; + +/** + * QAuthZ: + * + * The QAuthZ class defines an API contract to be used + * for providing an authorization driver for network + * services. + */ + +struct QAuthZ { + Object parent_obj; +}; + + +struct QAuthZClass { + ObjectClass parent_class; + + bool (*is_allowed)(QAuthZ *authz, + const char *identity, + Error **errp); +}; + + +/** + * qauthz_is_allowed: + * @authz: the authorization object + * @identity: the user identity to authorize + * @errp: pointer to a NULL initialized error object + * + * Check if a user @identity is authorized + * + * Returns: true if @identity is authorizd, false otherwise + */ +bool qauthz_is_allowed(QAuthZ *authz, + const char *identity, + Error **errp); + +#endif /* QAUTHZ_H__ */ + diff --git a/util/Makefile.objs b/util/Makefile.objs index a8a777e..b29fb45 100644 --- a/util/Makefile.objs +++ b/util/Makefile.objs @@ -32,3 +32,5 @@ util-obj-y += buffer.o util-obj-y += timed-average.o util-obj-y += base64.o util-obj-y += log.o + +util-qom-obj-y += authz.o diff --git a/util/authz.c b/util/authz.c new file mode 100644 index 0000000..fd9f84e --- /dev/null +++ b/util/authz.c @@ -0,0 +1,46 @@ +/* + * QEMU authorization framework + * + * Copyright (c) 2016 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "qemu/authz.h" + +bool qauthz_is_allowed(QAuthZ *authz, + const char *identity, + Error **errp) +{ + QAuthZClass *cls = QAUTHZ_GET_CLASS(authz); + + return cls->is_allowed(authz, identity, errp); +} + +static const TypeInfo authz_info = { + .parent = TYPE_OBJECT, + .name = TYPE_QAUTHZ, + .instance_size = sizeof(QAuthZ), + .class_size = sizeof(QAuthZClass), +}; + +static void qauthz_register_types(void) +{ + type_register_static(&authz_info); +} + +type_init(qauthz_register_types) +
The current qemu_acl module provides a simple access control list facility inside QEMU, which is used via a set of monitor commands acl_show, acl_policy, acl_add, acl_remove & acl_reset. Note there is no ability to create ACLs - the network services (eg VNC server) were expected to create ACLs that they want to check. There is also no way to define ACLs on the command line, nor potentially integrate with external authorization systems like polkit, pam, ldap lookup, etc. The QAuthZ object defines a minimal abstract QOM class that can be subclassed for creating different authorization providers. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- MAINTAINERS | 7 +++++ Makefile | 1 + Makefile.objs | 2 ++ Makefile.target | 2 ++ include/qemu/authz.h | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++ util/Makefile.objs | 2 ++ util/authz.c | 46 +++++++++++++++++++++++++++++ 7 files changed, 141 insertions(+) create mode 100644 include/qemu/authz.h create mode 100644 util/authz.c