Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> The VNC server has historically had support for ACLs to check both the
> SASL username and the TLS x509 distinguished name. The VNC server was
> responsible for creating the initial ACL, and the client app was then
> responsible for populating it with rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is no way to
> populate the ACLs from the command line, users are forced to use the
> HMP. With multiple network services all supporting TLS and ACLs now, it
> is desirable to be able to define a single ACL that is referenced by all
> services.
>
> To address these limitations, two new options are added to the VNC
> server CLI. The 'tls-authz' option takes the ID of a QAuthZ object to
> use for checking TLS x509 distinguished names, and the 'sasl-authz'
> option takes the ID of another object to use for checking SASL usernames.
>
> In this example, we setup two authorization rules. The first allows any
> client with a certificate issued by the 'RedHat' organization in the
> 'London' locality. The second ACL allows clients with either the
> 'joe@xxxxxxxxxx' or 'fred@xxxxxxxxxx' kerberos usernames. Both checks
> must pass for the user to be allowed.
>
>   $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                 endpoint=server,verify-peer=yes \
>         -object authz-simple,id=authz0,policy=deny,\
>                 rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
>         -object authz-simple,id=authz1,policy=deny,\
>                 rules.0.match=fred@xxxxxxxxxx,rules.0.policy=allow \
>                 rules.0.match=joe@xxxxxxxxxx,rules.0.policy=allow \
>         -vnc 0.0.0.0:1,tls-creds=tls0,tls-authz=authz0,
>              sasl,sasl-authz=authz1 \
>         ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
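As an added illustration of the authorization model the quoted commit message describes (not code from the patch, QEMU or libvirt), the following Python script parses `-object authz-simple,...` option strings of the shape shown above and evaluates the combined "TLS DN check AND SASL username check" that the VNC server is said to perform. The rule semantics it models are assumptions: exact string match on the identity, first matching rule wins, and the object's top-level `policy` applies when no rule matches. The doubled comma in `O=RedHat,,L=London` is treated as an escaped literal comma inside a value. The usernames and DNs are constructed sample values, not ones from the message.

```python
"""Added example: a minimal model of default-deny authz-simple objects.

Not QEMU's QAuthZ implementation. Assumed semantics: exact-match rules,
first matching rule decides, otherwise the object's default policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def split_opts(optstr: str) -> List[str]:
    """Split a comma-separated option string, treating ',,' as a literal comma."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(optstr):
        ch = optstr[i]
        if ch == ",":
            if i + 1 < len(optstr) and optstr[i + 1] == ",":
                cur.append(",")          # escaped comma inside a value
                i += 2
                continue
            parts.append("".join(cur))   # end of this key=value element
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


@dataclass
class Rule:
    match: str     # identity string compared exactly against the client's identity
    policy: str    # "allow" or "deny"


@dataclass
class SimpleAuthz:
    obj_id: Optional[str]
    policy: str                          # default policy when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def is_allowed(self, identity: str) -> bool:
        for rule in self.rules:
            if rule.match == identity:   # assumed: exact match, first hit wins
                return rule.policy == "allow"
        return self.policy == "allow"


def parse_authz_simple(optstr: str) -> SimpleAuthz:
    """Build a SimpleAuthz from 'authz-simple,id=...,policy=...,rules.N.match=...,rules.N.policy=...'."""
    parts = split_opts(optstr)
    if parts[0] != "authz-simple":
        raise ValueError(f"not an authz-simple object: {parts[0]!r}")
    obj_id: Optional[str] = None
    policy = "deny"                      # assumed default if 'policy' is absent
    pending: Dict[int, Dict[str, str]] = {}
    for element in parts[1:]:
        key, _, value = element.partition("=")   # only the first '=' separates key from value
        if key == "id":
            obj_id = value
        elif key == "policy":
            policy = value
        elif key.startswith("rules."):
            _, idx, prop = key.split(".", 2)
            pending.setdefault(int(idx), {})[prop] = value
        else:
            raise ValueError(f"unknown authz-simple key: {key!r}")
    if policy not in ("allow", "deny"):
        raise ValueError(f"bad default policy: {policy!r}")
    rules = []
    for idx in sorted(pending):
        spec = pending[idx]
        if "match" not in spec or spec.get("policy") not in ("allow", "deny"):
            raise ValueError(f"rule {idx} needs both 'match' and a valid 'policy'")
        rules.append(Rule(spec["match"], spec["policy"]))
    return SimpleAuthz(obj_id, policy, rules)


def vnc_client_allowed(tls_authz: SimpleAuthz, sasl_authz: SimpleAuthz,
                       tls_dn: str, sasl_user: str) -> bool:
    """Both the x509 DN check and the SASL username check must pass."""
    return tls_authz.is_allowed(tls_dn) and sasl_authz.is_allowed(sasl_user)


# Constructed sample objects mirroring the shape of the message's command line.
TLS_AUTHZ = parse_authz_simple(
    "authz-simple,id=authz0,policy=deny,"
    "rules.0.match=O=RedHat,,L=London,rules.0.policy=allow")
SASL_AUTHZ = parse_authz_simple(
    "authz-simple,id=authz1,policy=deny,"
    "rules.0.match=fred@example.org,rules.0.policy=allow,"
    "rules.1.match=joe@example.org,rules.1.policy=allow")

if __name__ == "__main__":
    for dn, user in [("O=RedHat,L=London", "joe@example.org"),
                     ("O=RedHat,L=London", "mallory@example.org"),
                     ("O=Other,L=London", "fred@example.org")]:
        print(dn, user, "->", "allow" if vnc_client_allowed(TLS_AUTHZ, SASL_AUTHZ, dn, user) else "deny")
```

Note that a separate `authz-simple` object is consulted for each identity type, so a client that passes the certificate check but presents an unlisted SASL username is still refused; the default `policy=deny` is what makes an empty or non-matching rule set fail closed.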