Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote: > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> > > Currently any client which can complete the TLS handshake is able to use > the NBD server. The server admin can turn on the 'verify-peer' option > for the x509 creds to require the client to provide a x509 certificate. > This means the client will have to acquire a certificate from the CA > before they are permitted to use the NBD server. This is still a fairly > low bar to cross. > > This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which > takes the ID of a previously added 'QAuthZ' object instance. This will > be used to validate the client's x509 distinguished name. Clients > failing the authorization check will not be permitted to use the NBD > server. > > For example to setup authorization that only allows connection from a client > whose x509 certificate distinguished name is > > CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB > > use: > > qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ > endpoint=server,verify-peer=yes \ > --object authz-simple,id=auth0,identity=CN=laptop.example.com,,\ > O=Example Org,,L=London,,ST=London,,C=GB \ > --tls-creds tls0 \ > --tls-authz authz0 > ....other qemu-nbd args... > > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
