Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> The QEMU instance that runs as the server for the migration data
> transport (ie the target QEMU) needs to be able to configure access
> control so it can prevent unauthorized clients initiating an incoming
> migration. This adds a new 'tls-authz' migration parameter that is used
> to provide the QOM ID of a QAuthZ subclass instance that provides the
> access control check. This is checked against the x509 certificate
> obtained during the TLS handshake.
>
> For example, when starting a QEMU for incoming migration, it is
> possible to give an example identity of the source QEMU that is
> intended to be connecting later:
>
> $QEMU \
> -monitor stdio \
> -incoming defer \
> ...other args...
>
> (qemu) object_add tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
> endpoint=server,verify-peer=yes \
> (qemu) object_add authz-simple,id=auth0,identity=CN=laptop.example.com,,\
> O=Example Org,,L=London,,ST=London,,C=GB \
> (qemu) migrate_incoming tcp:localhost:9000
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
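The same target-side setup driven over QMP instead of the HMP monitor, as an added example that is not part of the patch or of QEMU itself. It assumes a QMP socket on the target, reuses the object IDs, certificate directory and source DN from the commit message above as constructed values, and nests object properties under `props` as the object-add schema of that QEMU era did (assumption; newer releases take them directly in `arguments`). It also shows the check a practitioner wants before accepting connections: that `query-migrate-parameters` reports both `tls-creds` and `tls-authz` wired in.

```python
import json

# Constructed values taken from the commit message's example (assumptions).
TLS_DIR = "/home/berrange/qemutls"
SOURCE_DN = "CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB"


def hmp_escape(value: str) -> str:
    """Escape a value for HMP/command-line key=value syntax.

    QemuOpts treats ',' as the option separator, so a literal comma inside
    the DN must be doubled (the ',,' seen in the object_add line above).
    Over QMP the identity is a plain JSON string and needs no escaping.
    """
    return value.replace(",", ",,")


def qmp_setup_commands(tls_dir: str = TLS_DIR, identity: str = SOURCE_DN):
    """QMP command sequence configuring TLS credentials, the authz-simple
    access control object, the two migration parameters that bind them,
    and finally the incoming listener (hypothetical endpoint, as above)."""
    return [
        {"execute": "object-add", "arguments": {
            "qom-type": "tls-creds-x509", "id": "tls0",
            "props": {"dir": tls_dir, "endpoint": "server", "verify-peer": True}}},
        {"execute": "object-add", "arguments": {
            "qom-type": "authz-simple", "id": "auth0",
            "props": {"identity": identity}}},
        {"execute": "migrate-set-parameters", "arguments": {
            "tls-creds": "tls0", "tls-authz": "auth0"}},
        {"execute": "migrate-incoming", "arguments": {"uri": "tcp:localhost:9000"}},
    ]


def acl_is_enforced(params: dict) -> bool:
    """Inspect the 'return' value of query-migrate-parameters.

    Both parameters must name an object: tls-creds makes the handshake
    present a peer certificate at all, and tls-authz is what subjects that
    certificate's DN to the QAuthZ check. An empty tls-authz means the
    identity is never compared against the allow list.
    """
    return bool(params.get("tls-creds")) and bool(params.get("tls-authz"))


def as_wire(commands) -> str:
    """Serialise the command list as newline-delimited JSON for a QMP socket."""
    return "\n".join(json.dumps(cmd) for cmd in commands) + "\n"
```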