@@ -300,6 +300,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
monitor_printf(mon, " %s: '%s'",
MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_HOSTNAME],
params->tls_hostname ? : "");
+ monitor_printf(mon, " %s: '%s'",
+ MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_ACL],
+ params->tls_acl ? : "");
monitor_printf(mon, "\n");
}
@@ -1259,6 +1262,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
bool has_cpu_throttle_increment = false;
bool has_tls_creds = false;
bool has_tls_hostname = false;
+ bool has_tls_acl = false;
bool use_int_value = false;
int i;
@@ -1290,6 +1294,9 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
case MIGRATION_PARAMETER_TLS_HOSTNAME:
has_tls_hostname = true;
break;
+ case MIGRATION_PARAMETER_TLS_ACL:
+ has_tls_acl = true;
+ break;
}
if (use_int_value) {
@@ -1307,6 +1314,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
has_cpu_throttle_increment, valueint,
has_tls_creds, valuestr,
has_tls_hostname, valuestr,
+ has_tls_acl, valuestr,
&err);
break;
}
@@ -566,6 +566,7 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
params->cpu_throttle_increment = s->parameters.cpu_throttle_increment;
params->tls_creds = g_strdup(s->parameters.tls_creds);
params->tls_hostname = g_strdup(s->parameters.tls_hostname);
+ params->tls_acl = g_strdup(s->parameters.tls_acl);
return params;
}
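Review bot: `params->tls_acl = g_strdup(s->parameters.tls_acl);` yields NULL whenever the parameter has never been set, yet the MigrationParameters hunk in qapi-schema.json declares `'tls-acl': 'str'` as a mandatory member. The HMP hunk already guards against this with `params->tls_acl ? : ""`, so a NULL value is clearly expected; whether the QMP output visitor tolerates a NULL mandatory string is not visible here and should be confirmed. Either return an empty string, `params->tls_acl = g_strdup(s->parameters.tls_acl ? s->parameters.tls_acl : "");`, or declare the member optional in the schema. The context lines for tls_creds and tls_hostname follow the same pattern, and the function starts outside the hunk.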
@@ -771,6 +772,8 @@ void qmp_migrate_set_parameters(bool has_compress_level,
const char *tls_creds,
bool has_tls_hostname,
const char *tls_hostname,
+ bool has_tls_acl,
+ const char *tls_acl,
Error **errp)
{
MigrationState *s = migrate_get_current();
@@ -830,6 +833,10 @@ void qmp_migrate_set_parameters(bool has_compress_level,
g_free(s->parameters.tls_hostname);
s->parameters.tls_hostname = g_strdup(tls_hostname);
}
+ if (has_tls_acl) {
+ g_free(s->parameters.tls_acl);
+ s->parameters.tls_acl = g_strdup(tls_acl);
+ }
}
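Review bot: Once tls-acl has been set there is no defined way to clear it. The schema type is a plain 'str', so the only value a client can send to undo it is "", which this block stores as-is and which the tls.c hunk then passes on as a non-NULL ACL name. Decide whether "" means "no ACL" or "an ACL object that cannot exist" and state it in a comment above the block, for example `/* "" is stored verbatim; it does not reset tls_acl to NULL */`. If reset is intended instead, normalise here with `s->parameters.tls_acl = *tls_acl ? g_strdup(tls_acl) : NULL;`. The function body starts outside the hunk.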
@@ -92,7 +92,7 @@ void migration_tls_set_incoming_channel(MigrationState *s,
tioc = qio_channel_tls_new_server(
ioc, creds,
- NULL, /* XXX pass ACL name */
+ s->parameters.tls_acl,
errp);
if (!tioc) {
return;
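Review bot: With tls-acl unset, `s->parameters.tls_acl` is NULL and this call is identical to the one it replaces. As far as the hunk shows, the default therefore remains that any peer whose certificate passes x509 validation may start an incoming migration. That fail-open default should be stated at the call site now that the XXX marker is gone, for example `/* tls_acl may be NULL: no authz check beyond x509 validation of the client cert */`. The function continues outside the hunk.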
@@ -636,12 +636,16 @@
# hostname must be provided so that the server's x509
# certificate identity canbe validated. (Since 2.7)
#
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+# checking of the TLS x509 certificate distinguished name. (Since
+# 2.7)
+#
# Since: 2.4
##
{ 'enum': 'MigrationParameter',
'data': ['compress-level', 'compress-threads', 'decompress-threads',
'cpu-throttle-initial', 'cpu-throttle-increment',
- 'tls-creds', 'tls-hostname'] }
+ 'tls-creds', 'tls-hostname', 'tls-acl'] }
#
# @migrate-set-parameters
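Review bot: The new @tls-acl text does not say when the parameter takes effect. In this patch it is consumed only in migration_tls_set_incoming_channel, so it appears to apply only on the migration target and only when tls-creds is also set; an operator who sets tls-acl without TLS would get no access control and no error. Suggest extending the doc with `# Only used on the incoming side, and only when @tls-creds is set; ignored otherwise.` The same wording is repeated in the migrate-set-parameters and MigrationParameters hunks below and needs the same addition.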
@@ -677,6 +681,10 @@
# hostname must be provided so that the server's x509
# certificate identity canbe validated. (Since 2.7)
#
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+# checking of the TLS x509 certificate distinguished name. (Since
+# 2.7)
+#
# Since: 2.4
##
{ 'command': 'migrate-set-parameters',
@@ -686,7 +694,8 @@
'*cpu-throttle-initial': 'int',
'*cpu-throttle-increment': 'int',
'*tls-creds': 'str',
- '*tls-hostname': 'str'} }
+ '*tls-hostname': 'str',
+ '*tls-acl': 'str'} }
#
# @MigrationParameters
@@ -720,6 +729,10 @@
# hostname must be provided so that the server's x509
# certificate identity canbe validated. (Since 2.6)
#
+# @tls-acl: ID of the 'authz' object subclass that provides access control
+# checking of the TLS x509 certificate distinguished name. (Since
+# 2.7)
+#
# Since: 2.4
##
{ 'struct': 'MigrationParameters',
@@ -729,7 +742,8 @@
'cpu-throttle-initial': 'int',
'cpu-throttle-increment': 'int',
'tls-creds': 'str',
- 'tls-hostname': 'str'} }
+ 'tls-hostname': 'str',
+ 'tls-acl': 'str'} }
##
# @query-migrate-parameters
#
The QEMU instance that runs as the server for the migration data transport (i.e. the target QEMU) needs to be able to configure access control so it can prevent unauthorized clients from initiating an incoming migration. This adds a new 'tls-acl' migration parameter that is used to provide the QOM ID of a QAuthZ subclass instance that provides the access control check. This ACL is checked against the x509 certificate obtained during the TLS handshake. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- hmp.c | 8 ++++++++ migration/migration.c | 7 +++++++ migration/tls.c | 2 +- qapi-schema.json | 20 +++++++++++++++++--- 4 files changed, 33 insertions(+), 4 deletions(-)