migration: add support for a "tls-authz" migration parameter

author Daniel P. Berrange <berrange@redhat.com>

Wed, 27 Feb 2019 14:53:24 +0000 (14:53 +0000)

committer Juan Quintela <quintela@redhat.com>

Mon, 25 Mar 2019 17:13:47 +0000 (18:13 +0100)
author Daniel P. Berrange <berrange@redhat.com>
Wed, 27 Feb 2019 14:53:24 +0000 (14:53 +0000)
committer Juan Quintela <quintela@redhat.com>
Mon, 25 Mar 2019 17:13:47 +0000 (18:13 +0100)
diff --git a/hmp.c b/hmp.c

index 6bbbe1a..9294114 100644 (file)
--- a/hmp.c
+++ b/hmp.c
@@ -441,6 +441,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict)
          monitor_printf(mon, "%s: %" PRIu64 "\n",
              MigrationParameter_str(MIGRATION_PARAMETER_MAX_POSTCOPY_BANDWIDTH),
              params->max_postcopy_bandwidth);
+        monitor_printf(mon, " %s: '%s'\n",
+            MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ),
+            params->has_tls_authz ? params->tls_authz : "");
      }
  
      qapi_free_MigrationParameters(params);
@@ -1783,6 +1786,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict)
          p->tls_hostname->type = QTYPE_QSTRING;
          visit_type_str(v, param, &p->tls_hostname->u.s, &err);
          break;
+    case MIGRATION_PARAMETER_TLS_AUTHZ:
+        p->has_tls_authz = true;
+        p->tls_authz = g_new0(StrOrNull, 1);
+        p->tls_authz->type = QTYPE_QSTRING;
+        visit_type_str(v, param, &p->tls_authz->u.s, &err);
+        break;
      case MIGRATION_PARAMETER_MAX_BANDWIDTH:
          p->has_max_bandwidth = true;
          /*
diff --git a/migration/migration.c b/migration/migration.c

index b36cf9c..d5c218a 100644 (file)
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -757,6 +757,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp)
      params->tls_creds = g_strdup(s->parameters.tls_creds);
      params->has_tls_hostname = true;
      params->tls_hostname = g_strdup(s->parameters.tls_hostname);
+    params->has_tls_authz = true;
+    params->tls_authz = g_strdup(s->parameters.tls_authz);
      params->has_max_bandwidth = true;
      params->max_bandwidth = s->parameters.max_bandwidth;
      params->has_downtime_limit = true;
@@ -1331,6 +1333,12 @@ static void migrate_params_apply(MigrateSetParameters *params, Error **errp)
          s->parameters.tls_hostname = g_strdup(params->tls_hostname->u.s);
      }
  
+    if (params->has_tls_authz) {
+        g_free(s->parameters.tls_authz);
+        assert(params->tls_authz->type == QTYPE_QSTRING);
+        s->parameters.tls_authz = g_strdup(params->tls_authz->u.s);
+    }
+
      if (params->has_max_bandwidth) {
          s->parameters.max_bandwidth = params->max_bandwidth;
          if (s->to_dst_file) {
diff --git a/migration/tls.c b/migration/tls.c

index 3b9e8c9..5171afc 100644 (file)
--- a/migration/tls.c
+++ b/migration/tls.c
@@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationState *s,
  
      tioc = qio_channel_tls_new_server(
          ioc, creds,
-        NULL, /* XXX pass ACL name */
+        s->parameters.tls_authz,
          errp);
      if (!tioc) {
          return;
diff --git a/qapi/migration.json b/qapi/migration.json

index ff3616f..0a85aad 100644 (file)
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -541,6 +541,12 @@
  #                hostname must be provided so that the server's x509
  #                certificate identity can be validated. (Since 2.7)
  #
+# @tls-authz: ID of the 'authz' object subclass that provides access control
+#             checking of the TLS x509 certificate distinguished name.
+#             This object is only resolved at time of use, so can be deleted
+#             and recreated on the fly while the migration server is active.
+#             If missing, it will default to denying access (Since 4.0)
+#
  # @max-bandwidth: to set maximum speed for migration. maximum speed in
  #                 bytes per second. (Since 2.8)
  #
@@ -582,7 +588,7 @@
             'compress-level', 'compress-threads', 'decompress-threads',
             'compress-wait-thread',
             'cpu-throttle-initial', 'cpu-throttle-increment',
-           'tls-creds', 'tls-hostname', 'max-bandwidth',
+           'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth',
             'downtime-limit', 'x-checkpoint-delay', 'block-incremental',
             'multifd-channels',
             'xbzrle-cache-size', 'max-postcopy-bandwidth',
@@ -693,6 +699,7 @@
              '*cpu-throttle-increment': 'int',
              '*tls-creds': 'StrOrNull',
              '*tls-hostname': 'StrOrNull',
+            '*tls-authz': 'StrOrNull',
              '*max-bandwidth': 'int',
              '*downtime-limit': 'int',
              '*x-checkpoint-delay': 'int',
@@ -773,6 +780,10 @@
  #                associated with the migration URI, if any. (Since 2.9)
  #                Note: 2.8 reports this by omitting tls-hostname instead.
  #
+# @tls-authz: ID of the 'authz' object subclass that provides access control
+#             checking of the TLS x509 certificate distinguished name. (Since
+#             4.0)
+#
  # @max-bandwidth: to set maximum speed for migration. maximum speed in
  #                 bytes per second. (Since 2.8)
  #
@@ -821,6 +832,7 @@
              '*cpu-throttle-increment': 'uint8',
              '*tls-creds': 'str',
              '*tls-hostname': 'str',
+            '*tls-authz': 'str',
              '*max-bandwidth': 'size',
              '*downtime-limit': 'uint64',
              '*x-checkpoint-delay': 'uint32',
author	Daniel P. Berrange <berrange@redhat.com>
	Wed, 27 Feb 2019 14:53:24 +0000 (14:53 +0000)
committer	Juan Quintela <quintela@redhat.com>
	Mon, 25 Mar 2019 17:13:47 +0000 (18:13 +0100)
hmp.c		patch \| blob \| history
migration/migration.c		patch \| blob \| history
migration/tls.c		patch \| blob \| history
qapi/migration.json		patch \| blob \| history