From: "Marc-André Lureau" <marcandre.lureau@gmail.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: QEMU <qemu-devel@nongnu.org>
Subject: Re: [PATCH 2/4] docs: document usage of the authorization framework
Date: Fri, 4 Jun 2021 15:26:06 +0400 [thread overview]
Message-ID: <CAJ+F1CJGW3fpZPsKhQC2VTwxsYjiAH9J1fr=hzgYv1tKm8F7FA@mail.gmail.com> (raw)
In-Reply-To: <20210514173110.1397741-3-berrange@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 10463 bytes --]
On Fri, May 14, 2021 at 9:36 PM Daniel P. Berrangé <berrange@redhat.com>
wrote:
> The authorization framework provides a way to control access to network
> services after a client has been authenticated. This documents how to
> actually use it.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> docs/system/authz.rst | 263 ++++++++++++++++++++++++++++++++++++++++++
> docs/system/index.rst | 1 +
> 2 files changed, 264 insertions(+)
> create mode 100644 docs/system/authz.rst
>
> diff --git a/docs/system/authz.rst b/docs/system/authz.rst
> new file mode 100644
> index 0000000000..2276546d23
> --- /dev/null
> +++ b/docs/system/authz.rst
> @@ -0,0 +1,263 @@
> +.. _client authorization:
> +
> +Client authorization
> +--------------------
> +
> +When configuring a QEMU network backend with either TLS certificates or
> SASL
> +authentication, access will be granted if the client successfully proves
> +their identity. If the authorization identity database is scoped to the
> QEMU
> +client this may be sufficient. It is common, however, for the identity
> database
> +to be much broader and thus authentication alone does not enable
> sufficient
> +access control. In this case QEMU provides a flexible system for enforcing
> +finer grained authorization on clients post-authentication.
> +
> +Identity providers
> +~~~~~~~~~~~~~~~~~~
> +
> +At the time of writing there are two authentication frameworks used by
> QEMU
> +that emit an identity upon completion.
> +
> + * TLS x509 certificate distinguished name.
> +
> + When configuring the QEMU backend as a network server with TLS, there
> + are a choice of credentials to use. The most common scenario is to
> utilize
> + x509 certificates. The simplest configuration only involves issuing
> + certificates to the servers, allowing the client to avoid a MITM attack
> + against their intended server.
> +
> + It is possible, however, to enable mutual verification by requiring
> that
> + the client provide a certificate to the server to prove its own
> identity.
> + This is done by setting the property ``verify-peer=yes`` on the
> + ``tls-creds-x509`` object, which is in fact the default.
> +
> + When peer verification is enabled, client will need to be issued with a
> + certificate by the same certificate authority as the server. If this is
> + still not sufficiently strong access control the Distinguished Name of
> + the certificate can be used as an identity in the QEMU authorization
> + framework.
> +
> + * SASL username.
> +
> + When configuring the QEMU backend as a network server with SASL, upon
> + completion of the SASL authentication mechanism, a username will be
> + provided. The format of this username will vary depending on the choice
> + of mechanism configured for SASL. It might be a simple UNIX style user
> + ``joebloggs``, while if using Kerberos/GSSAPI it can have a realm
> + attached ``joebloggs@QEMU.ORG``. Whatever format the username is
> presented
> + in, it can be used with the QEMU authorization framework.
> +
> +Authorization drivers
> +~~~~~~~~~~~~~~~~~~~~~
> +
> +The QEMU authorization framework is a general purpose design with choice
> of
> +user customizable drivers. These are provided as objects that can be
> +created at startup using the ``-object`` argument, or at runtime using the
> +``object_add`` monitor command.
> +
> +Simple
> +^^^^^^
> +
> +This authorization driver provides a simple mechanism for granting access
> +based on an exact match against a single identity. This is useful when it
> is
> +known that only a single client is to be allowed access.
> +
> +A possible use case would be when configuring QEMU for an incoming live
> +migration. It is known exactly which source QEMU the migration is expected
> +to arrive from. The x509 certificate associated with this source QEMU
> would
> +thus be used as the identity to match against. Alternatively if the
> virtual
> +machine is dedicated to a specific tenant, then the VNC server would be
> +configured with SASL and the username of only that tenant listed.
> +
> +To create an instance of this driver via QMP:
> +
> +::
> +
> + {
> + "execute": "object-add",
> + "arguments": {
> + "qom-type": "authz-simple",
> + "id": "authz0",
> + "props": {
> + "identity": "fred"
> + }
> + }
> + }
> +
> +
> +Or via the command line
> +
> +::
> +
> + -object authz-simple,id=authz0,identity=fred
> +
> +
> +List
> +^^^^
> +
> +In some network backends it will be desirable to grant access to a range
> of
> +clients. This authorization driver provides a list mechanism for granting
> +access by matching identities against a list of permitted one. Each match
> +rule has an associated policy and a catch all policy applies if no rule
> +matches. The match can either be done as an exact string comparison, or
> can
> +use the shell-like glob syntax, which allows for use of wildcards.
> +
> +To create an instance of this class via QMP:
> +
> +::
> +
> + {
> + "execute": "object-add",
> + "arguments": {
> + "qom-type": "authz-list",
> + "id": "authz0",
> + "props": {
> + "rules": [
> + { "match": "fred", "policy": "allow", "format": "exact" },
> + { "match": "bob", "policy": "allow", "format": "exact" },
> + { "match": "danb", "policy": "deny", "format": "exact" },
> + { "match": "dan*", "policy": "allow", "format": "glob" }
> + ],
> + "policy": "deny"
> + }
> + }
> + }
> +
> +
> +Due to the way this driver requires setting nested properties, creating
> +it on the command line will require use of the JSON syntax for
> ``-object``.
> +In most cases, however, the next driver will be more suitable.
> +
> +List file
> +^^^^^^^^^
> +
> +This is a variant on the previous driver that allows for a more dynamic
> +access control policy by storing the match rules in a standalone file
> +that can be reloaded automatically upon change.
> +
> +To create an instance of this class via QMP:
> +
> +::
> +
> + {
> + "execute": "object-add",
> + "arguments": {
> + "qom-type": "authz-list-file",
> + "id": "authz0",
> + "props": {
> + "filename": "/etc/qemu/myvm-vnc.acl",
> + "refresh": true
> + }
> + }
> + }
> +
> +
> +If ``refresh`` is ``yes``, inotify is used to monitor for changes
> +to the file and auto-reload the rules.
> +
> +The ``myvm-vnc.acl`` file should contain the match rules in a format that
> +closely matches the previous driver:
> +
> +::
> +
> + {
> + "rules": [
> + { "match": "fred", "policy": "allow", "format": "exact" },
> + { "match": "bob", "policy": "allow", "format": "exact" },
> + { "match": "danb", "policy": "deny", "format": "exact" },
> + { "match": "dan*", "policy": "allow", "format": "glob" }
> + ],
> + "policy": "deny"
> + }
> +
> +
> +The object can be created on the command line using
> +
> +::
> +
> + -object authz-list-file,id=authz0,\
> + filename=/etc/qemu/myvm-vnc.acl,refresh=on
> +
> +
> +PAM
> +^^^
> +
> +In some scenarios it might be desirable to integrate with authorization
> +mechanisms that are implemented outside of QEMU. In order to allow maximum
> +flexibility, QEMU provides a driver that uses the ``PAM`` framework.
> +
> +To create an instance of this class via QMP:
> +
> +::
> +
> + {
> + "execute": "object-add",
> + "arguments": {
> + "qom-type": "authz-pam",
> + "id": "authz0",
> + "parameters": {
> + "service": "qemu-vnc-tls"
> + }
> + }
> + }
> +
> +
> +The driver only uses the PAM "account" verification
> +subsystem. The above config would require a config
> +file /etc/pam.d/qemu-vnc-tls. For a simple file
> +lookup it would contain
> +
> +::
> +
> + account requisite pam_listfile.so item=user sense=allow \
> + file=/etc/qemu/vnc.allow
> +
> +
> +The external file would then contain a list of usernames.
> +If x509 cert was being used as the username, a suitable
> +entry would match the distinguished name:
> +
> +::
> +
> + CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
> +
> +
> +On the command line it can be created using
> +
> +::
> +
> + -object authz-pam,id=authz0,service=qemu-vnc-tls
> +
> +
> +There are a variety of PAM plugins that can be used which are not
> illustrated
> +here, and it is possible to implement brand new plugins using the PAM API.
> +
> +
> +Connecting backends
> +~~~~~~~~~~~~~~~~~~~
> +
> +The authorization driver is created using the ``-object`` argument and
> then
> +needs to be associated with a network service. The authorization driver
> object
> +will be given a unique ID that needs to be referenced.
> +
> +The property to set in the network service will vary depending on the
> type of
> +identity to verify. By convention, any network server backend that uses
> TLS
> +will provide ``tls-authz`` property, while any server using SASL will
> provide
> +a ``sasl-authz`` property.
> +
> +Thus a example using SASL and authorization for the VNC server would look
>
"an example"
+like:
> +
> +::
> +
> + $QEMU --object authz-simple,id=authz0,identity=fred \
> + --vnc 0.0.0.0:1,sasl,sasl-authz=authz0
> +
> +While to validate both the x509 certificate and SASL username:
> +
> +::
> +
> + echo "CN=laptop.qemu.org,O=QEMU Project,L=London,ST=London,C=GB" >>
> tls.acl
> + $QEMU --object authz-simple,id=authz0,identity=fred \
> + --object authz-list-file,id=authz1,filename=tls.acl \
> + --object tls-creds-x509,id=tls0,dir=/etc/qemu/tls,verify-peer=yes
> \
> + --vnc 0.0.0.0:1
> ,sasl,sasl-authz=auth0,tls-creds=tls0,tls-authz=authz1
> diff --git a/docs/system/index.rst b/docs/system/index.rst
> index 6aa2f8c05c..6092eb2d91 100644
> --- a/docs/system/index.rst
> +++ b/docs/system/index.rst
> @@ -31,6 +31,7 @@ Contents:
> vnc-security
> tls
> secrets
> + authz
> gdb
> managed-startup
> cpu-hotplug
> --
> 2.31.1
>
>
>
--
Marc-André Lureau
[-- Attachment #2: Type: text/html, Size: 13196 bytes --]
next prev parent reply other threads:[~2021-06-04 11:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-14 17:31 [PATCH 0/4] docs: add user facing docs for secret passing and authorization controls Daniel P. Berrangé
2021-05-14 17:31 ` [PATCH 1/4] docs: document how to pass secret data to QEMU Daniel P. Berrangé
2021-05-14 17:31 ` [PATCH 2/4] docs: document usage of the authorization framework Daniel P. Berrangé
2021-06-04 11:26 ` Marc-André Lureau [this message]
2021-05-14 17:31 ` [PATCH 3/4] docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant Daniel P. Berrangé
2021-05-14 17:31 ` [PATCH 4/4] sasl: remove comment about obsolete kerberos versions Daniel P. Berrangé
2021-06-04 8:43 ` [PATCH 0/4] docs: add user facing docs for secret passing and authorization controls Daniel P. Berrangé
2021-06-04 11:26 ` Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ+F1CJGW3fpZPsKhQC2VTwxsYjiAH9J1fr=hzgYv1tKm8F7FA@mail.gmail.com' \
--to=marcandre.lureau@gmail.com \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.