1*1c45af36SDaniel P. Berrangé.. _client authorization: 2*1c45af36SDaniel P. Berrangé 3*1c45af36SDaniel P. BerrangéClient authorization 4*1c45af36SDaniel P. Berrangé-------------------- 5*1c45af36SDaniel P. Berrangé 6*1c45af36SDaniel P. BerrangéWhen configuring a QEMU network backend with either TLS certificates or SASL 7*1c45af36SDaniel P. Berrangéauthentication, access will be granted if the client successfully proves 8*1c45af36SDaniel P. Berrangétheir identity. If the authorization identity database is scoped to the QEMU 9*1c45af36SDaniel P. Berrangéclient this may be sufficient. It is common, however, for the identity database 10*1c45af36SDaniel P. Berrangéto be much broader and thus authentication alone does not enable sufficient 11*1c45af36SDaniel P. Berrangéaccess control. In this case QEMU provides a flexible system for enforcing 12*1c45af36SDaniel P. Berrangéfiner grained authorization on clients post-authentication. 13*1c45af36SDaniel P. Berrangé 14*1c45af36SDaniel P. BerrangéIdentity providers 15*1c45af36SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~ 16*1c45af36SDaniel P. Berrangé 17*1c45af36SDaniel P. BerrangéAt the time of writing there are two authentication frameworks used by QEMU 18*1c45af36SDaniel P. Berrangéthat emit an identity upon completion. 19*1c45af36SDaniel P. Berrangé 20*1c45af36SDaniel P. Berrangé * TLS x509 certificate distinguished name. 21*1c45af36SDaniel P. Berrangé 22*1c45af36SDaniel P. Berrangé When configuring the QEMU backend as a network server with TLS, there 23*1c45af36SDaniel P. Berrangé are a choice of credentials to use. The most common scenario is to utilize 24*1c45af36SDaniel P. Berrangé x509 certificates. The simplest configuration only involves issuing 25*1c45af36SDaniel P. Berrangé certificates to the servers, allowing the client to avoid a MITM attack 26*1c45af36SDaniel P. Berrangé against their intended server. 27*1c45af36SDaniel P. Berrangé 28*1c45af36SDaniel P. Berrangé It is possible, however, to enable mutual verification by requiring that 29*1c45af36SDaniel P. Berrangé the client provide a certificate to the server to prove its own identity. 30*1c45af36SDaniel P. Berrangé This is done by setting the property ``verify-peer=yes`` on the 31*1c45af36SDaniel P. Berrangé ``tls-creds-x509`` object, which is in fact the default. 32*1c45af36SDaniel P. Berrangé 33*1c45af36SDaniel P. Berrangé When peer verification is enabled, client will need to be issued with a 34*1c45af36SDaniel P. Berrangé certificate by the same certificate authority as the server. If this is 35*1c45af36SDaniel P. Berrangé still not sufficiently strong access control the Distinguished Name of 36*1c45af36SDaniel P. Berrangé the certificate can be used as an identity in the QEMU authorization 37*1c45af36SDaniel P. Berrangé framework. 38*1c45af36SDaniel P. Berrangé 39*1c45af36SDaniel P. Berrangé * SASL username. 40*1c45af36SDaniel P. Berrangé 41*1c45af36SDaniel P. Berrangé When configuring the QEMU backend as a network server with SASL, upon 42*1c45af36SDaniel P. Berrangé completion of the SASL authentication mechanism, a username will be 43*1c45af36SDaniel P. Berrangé provided. The format of this username will vary depending on the choice 44*1c45af36SDaniel P. Berrangé of mechanism configured for SASL. It might be a simple UNIX style user 45*1c45af36SDaniel P. Berrangé ``joebloggs``, while if using Kerberos/GSSAPI it can have a realm 46*1c45af36SDaniel P. Berrangé attached ``joebloggs@QEMU.ORG``. Whatever format the username is presented 47*1c45af36SDaniel P. Berrangé in, it can be used with the QEMU authorization framework. 48*1c45af36SDaniel P. Berrangé 49*1c45af36SDaniel P. BerrangéAuthorization drivers 50*1c45af36SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~~~ 51*1c45af36SDaniel P. Berrangé 52*1c45af36SDaniel P. BerrangéThe QEMU authorization framework is a general purpose design with choice of 53*1c45af36SDaniel P. Berrangéuser customizable drivers. These are provided as objects that can be 54*1c45af36SDaniel P. Berrangécreated at startup using the ``-object`` argument, or at runtime using the 55*1c45af36SDaniel P. Berrangé``object_add`` monitor command. 56*1c45af36SDaniel P. Berrangé 57*1c45af36SDaniel P. BerrangéSimple 58*1c45af36SDaniel P. Berrangé^^^^^^ 59*1c45af36SDaniel P. Berrangé 60*1c45af36SDaniel P. BerrangéThis authorization driver provides a simple mechanism for granting access 61*1c45af36SDaniel P. Berrangébased on an exact match against a single identity. This is useful when it is 62*1c45af36SDaniel P. Berrangéknown that only a single client is to be allowed access. 63*1c45af36SDaniel P. Berrangé 64*1c45af36SDaniel P. BerrangéA possible use case would be when configuring QEMU for an incoming live 65*1c45af36SDaniel P. Berrangémigration. It is known exactly which source QEMU the migration is expected 66*1c45af36SDaniel P. Berrangéto arrive from. The x509 certificate associated with this source QEMU would 67*1c45af36SDaniel P. Berrangéthus be used as the identity to match against. Alternatively if the virtual 68*1c45af36SDaniel P. Berrangémachine is dedicated to a specific tenant, then the VNC server would be 69*1c45af36SDaniel P. Berrangéconfigured with SASL and the username of only that tenant listed. 70*1c45af36SDaniel P. Berrangé 71*1c45af36SDaniel P. BerrangéTo create an instance of this driver via QMP: 72*1c45af36SDaniel P. Berrangé 73*1c45af36SDaniel P. Berrangé:: 74*1c45af36SDaniel P. Berrangé 75*1c45af36SDaniel P. Berrangé { 76*1c45af36SDaniel P. Berrangé "execute": "object-add", 77*1c45af36SDaniel P. Berrangé "arguments": { 78*1c45af36SDaniel P. Berrangé "qom-type": "authz-simple", 79*1c45af36SDaniel P. Berrangé "id": "authz0", 80*1c45af36SDaniel P. Berrangé "identity": "fred" 81*1c45af36SDaniel P. Berrangé } 82*1c45af36SDaniel P. Berrangé } 83*1c45af36SDaniel P. Berrangé 84*1c45af36SDaniel P. Berrangé 85*1c45af36SDaniel P. BerrangéOr via the command line 86*1c45af36SDaniel P. Berrangé 87*1c45af36SDaniel P. Berrangé:: 88*1c45af36SDaniel P. Berrangé 89*1c45af36SDaniel P. Berrangé -object authz-simple,id=authz0,identity=fred 90*1c45af36SDaniel P. Berrangé 91*1c45af36SDaniel P. Berrangé 92*1c45af36SDaniel P. BerrangéList 93*1c45af36SDaniel P. Berrangé^^^^ 94*1c45af36SDaniel P. Berrangé 95*1c45af36SDaniel P. BerrangéIn some network backends it will be desirable to grant access to a range of 96*1c45af36SDaniel P. Berrangéclients. This authorization driver provides a list mechanism for granting 97*1c45af36SDaniel P. Berrangéaccess by matching identities against a list of permitted one. Each match 98*1c45af36SDaniel P. Berrangérule has an associated policy and a catch all policy applies if no rule 99*1c45af36SDaniel P. Berrangématches. The match can either be done as an exact string comparison, or can 100*1c45af36SDaniel P. Berrangéuse the shell-like glob syntax, which allows for use of wildcards. 101*1c45af36SDaniel P. Berrangé 102*1c45af36SDaniel P. BerrangéTo create an instance of this class via QMP: 103*1c45af36SDaniel P. Berrangé 104*1c45af36SDaniel P. Berrangé:: 105*1c45af36SDaniel P. Berrangé 106*1c45af36SDaniel P. Berrangé { 107*1c45af36SDaniel P. Berrangé "execute": "object-add", 108*1c45af36SDaniel P. Berrangé "arguments": { 109*1c45af36SDaniel P. Berrangé "qom-type": "authz-list", 110*1c45af36SDaniel P. Berrangé "id": "authz0", 111*1c45af36SDaniel P. Berrangé "rules": [ 112*1c45af36SDaniel P. Berrangé { "match": "fred", "policy": "allow", "format": "exact" }, 113*1c45af36SDaniel P. Berrangé { "match": "bob", "policy": "allow", "format": "exact" }, 114*1c45af36SDaniel P. Berrangé { "match": "danb", "policy": "deny", "format": "exact" }, 115*1c45af36SDaniel P. Berrangé { "match": "dan*", "policy": "allow", "format": "glob" } 116*1c45af36SDaniel P. Berrangé ], 117*1c45af36SDaniel P. Berrangé "policy": "deny" 118*1c45af36SDaniel P. Berrangé } 119*1c45af36SDaniel P. Berrangé } 120*1c45af36SDaniel P. Berrangé 121*1c45af36SDaniel P. Berrangé 122*1c45af36SDaniel P. BerrangéDue to the way this driver requires setting nested properties, creating 123*1c45af36SDaniel P. Berrangéit on the command line will require use of the JSON syntax for ``-object``. 124*1c45af36SDaniel P. BerrangéIn most cases, however, the next driver will be more suitable. 125*1c45af36SDaniel P. Berrangé 126*1c45af36SDaniel P. BerrangéList file 127*1c45af36SDaniel P. Berrangé^^^^^^^^^ 128*1c45af36SDaniel P. Berrangé 129*1c45af36SDaniel P. BerrangéThis is a variant on the previous driver that allows for a more dynamic 130*1c45af36SDaniel P. Berrangéaccess control policy by storing the match rules in a standalone file 131*1c45af36SDaniel P. Berrangéthat can be reloaded automatically upon change. 132*1c45af36SDaniel P. Berrangé 133*1c45af36SDaniel P. BerrangéTo create an instance of this class via QMP: 134*1c45af36SDaniel P. Berrangé 135*1c45af36SDaniel P. Berrangé:: 136*1c45af36SDaniel P. Berrangé 137*1c45af36SDaniel P. Berrangé { 138*1c45af36SDaniel P. Berrangé "execute": "object-add", 139*1c45af36SDaniel P. Berrangé "arguments": { 140*1c45af36SDaniel P. Berrangé "qom-type": "authz-list-file", 141*1c45af36SDaniel P. Berrangé "id": "authz0", 142*1c45af36SDaniel P. Berrangé "filename": "/etc/qemu/myvm-vnc.acl", 143*1c45af36SDaniel P. Berrangé "refresh": true 144*1c45af36SDaniel P. Berrangé } 145*1c45af36SDaniel P. Berrangé } 146*1c45af36SDaniel P. Berrangé 147*1c45af36SDaniel P. Berrangé 148*1c45af36SDaniel P. BerrangéIf ``refresh`` is ``yes``, inotify is used to monitor for changes 149*1c45af36SDaniel P. Berrangéto the file and auto-reload the rules. 150*1c45af36SDaniel P. Berrangé 151*1c45af36SDaniel P. BerrangéThe ``myvm-vnc.acl`` file should contain the match rules in a format that 152*1c45af36SDaniel P. Berrangéclosely matches the previous driver: 153*1c45af36SDaniel P. Berrangé 154*1c45af36SDaniel P. Berrangé:: 155*1c45af36SDaniel P. Berrangé 156*1c45af36SDaniel P. Berrangé { 157*1c45af36SDaniel P. Berrangé "rules": [ 158*1c45af36SDaniel P. Berrangé { "match": "fred", "policy": "allow", "format": "exact" }, 159*1c45af36SDaniel P. Berrangé { "match": "bob", "policy": "allow", "format": "exact" }, 160*1c45af36SDaniel P. Berrangé { "match": "danb", "policy": "deny", "format": "exact" }, 161*1c45af36SDaniel P. Berrangé { "match": "dan*", "policy": "allow", "format": "glob" } 162*1c45af36SDaniel P. Berrangé ], 163*1c45af36SDaniel P. Berrangé "policy": "deny" 164*1c45af36SDaniel P. Berrangé } 165*1c45af36SDaniel P. Berrangé 166*1c45af36SDaniel P. Berrangé 167*1c45af36SDaniel P. BerrangéThe object can be created on the command line using 168*1c45af36SDaniel P. Berrangé 169*1c45af36SDaniel P. Berrangé:: 170*1c45af36SDaniel P. Berrangé 171*1c45af36SDaniel P. Berrangé -object authz-list-file,id=authz0,\ 172*1c45af36SDaniel P. Berrangé filename=/etc/qemu/myvm-vnc.acl,refresh=on 173*1c45af36SDaniel P. Berrangé 174*1c45af36SDaniel P. Berrangé 175*1c45af36SDaniel P. BerrangéPAM 176*1c45af36SDaniel P. Berrangé^^^ 177*1c45af36SDaniel P. Berrangé 178*1c45af36SDaniel P. BerrangéIn some scenarios it might be desirable to integrate with authorization 179*1c45af36SDaniel P. Berrangémechanisms that are implemented outside of QEMU. In order to allow maximum 180*1c45af36SDaniel P. Berrangéflexibility, QEMU provides a driver that uses the ``PAM`` framework. 181*1c45af36SDaniel P. Berrangé 182*1c45af36SDaniel P. BerrangéTo create an instance of this class via QMP: 183*1c45af36SDaniel P. Berrangé 184*1c45af36SDaniel P. Berrangé:: 185*1c45af36SDaniel P. Berrangé 186*1c45af36SDaniel P. Berrangé { 187*1c45af36SDaniel P. Berrangé "execute": "object-add", 188*1c45af36SDaniel P. Berrangé "arguments": { 189*1c45af36SDaniel P. Berrangé "qom-type": "authz-pam", 190*1c45af36SDaniel P. Berrangé "id": "authz0", 191*1c45af36SDaniel P. Berrangé "parameters": { 192*1c45af36SDaniel P. Berrangé "service": "qemu-vnc-tls" 193*1c45af36SDaniel P. Berrangé } 194*1c45af36SDaniel P. Berrangé } 195*1c45af36SDaniel P. Berrangé } 196*1c45af36SDaniel P. Berrangé 197*1c45af36SDaniel P. Berrangé 198*1c45af36SDaniel P. BerrangéThe driver only uses the PAM "account" verification 199*1c45af36SDaniel P. Berrangésubsystem. The above config would require a config 200*1c45af36SDaniel P. Berrangéfile /etc/pam.d/qemu-vnc-tls. For a simple file 201*1c45af36SDaniel P. Berrangélookup it would contain 202*1c45af36SDaniel P. Berrangé 203*1c45af36SDaniel P. Berrangé:: 204*1c45af36SDaniel P. Berrangé 205*1c45af36SDaniel P. Berrangé account requisite pam_listfile.so item=user sense=allow \ 206*1c45af36SDaniel P. Berrangé file=/etc/qemu/vnc.allow 207*1c45af36SDaniel P. Berrangé 208*1c45af36SDaniel P. Berrangé 209*1c45af36SDaniel P. BerrangéThe external file would then contain a list of usernames. 210*1c45af36SDaniel P. BerrangéIf x509 cert was being used as the username, a suitable 211*1c45af36SDaniel P. Berrangéentry would match the distinguished name: 212*1c45af36SDaniel P. Berrangé 213*1c45af36SDaniel P. Berrangé:: 214*1c45af36SDaniel P. Berrangé 215*1c45af36SDaniel P. Berrangé CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB 216*1c45af36SDaniel P. Berrangé 217*1c45af36SDaniel P. Berrangé 218*1c45af36SDaniel P. BerrangéOn the command line it can be created using 219*1c45af36SDaniel P. Berrangé 220*1c45af36SDaniel P. Berrangé:: 221*1c45af36SDaniel P. Berrangé 222*1c45af36SDaniel P. Berrangé -object authz-pam,id=authz0,service=qemu-vnc-tls 223*1c45af36SDaniel P. Berrangé 224*1c45af36SDaniel P. Berrangé 225*1c45af36SDaniel P. BerrangéThere are a variety of PAM plugins that can be used which are not illustrated 226*1c45af36SDaniel P. Berrangéhere, and it is possible to implement brand new plugins using the PAM API. 227*1c45af36SDaniel P. Berrangé 228*1c45af36SDaniel P. Berrangé 229*1c45af36SDaniel P. BerrangéConnecting backends 230*1c45af36SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~ 231*1c45af36SDaniel P. Berrangé 232*1c45af36SDaniel P. BerrangéThe authorization driver is created using the ``-object`` argument and then 233*1c45af36SDaniel P. Berrangéneeds to be associated with a network service. The authorization driver object 234*1c45af36SDaniel P. Berrangéwill be given a unique ID that needs to be referenced. 235*1c45af36SDaniel P. Berrangé 236*1c45af36SDaniel P. BerrangéThe property to set in the network service will vary depending on the type of 237*1c45af36SDaniel P. Berrangéidentity to verify. By convention, any network server backend that uses TLS 238*1c45af36SDaniel P. Berrangéwill provide ``tls-authz`` property, while any server using SASL will provide 239*1c45af36SDaniel P. Berrangéa ``sasl-authz`` property. 240*1c45af36SDaniel P. Berrangé 241*1c45af36SDaniel P. BerrangéThus an example using SASL and authorization for the VNC server would look 242*1c45af36SDaniel P. Berrangélike: 243*1c45af36SDaniel P. Berrangé 244*1c45af36SDaniel P. Berrangé:: 245*1c45af36SDaniel P. Berrangé 246*1c45af36SDaniel P. Berrangé $QEMU --object authz-simple,id=authz0,identity=fred \ 247*1c45af36SDaniel P. Berrangé --vnc 0.0.0.0:1,sasl,sasl-authz=authz0 248*1c45af36SDaniel P. Berrangé 249*1c45af36SDaniel P. BerrangéWhile to validate both the x509 certificate and SASL username: 250*1c45af36SDaniel P. Berrangé 251*1c45af36SDaniel P. Berrangé:: 252*1c45af36SDaniel P. Berrangé 253*1c45af36SDaniel P. Berrangé echo "CN=laptop.qemu.org,O=QEMU Project,L=London,ST=London,C=GB" >> tls.acl 254*1c45af36SDaniel P. Berrangé $QEMU --object authz-simple,id=authz0,identity=fred \ 255*1c45af36SDaniel P. Berrangé --object authz-list-file,id=authz1,filename=tls.acl \ 256*1c45af36SDaniel P. Berrangé --object tls-creds-x509,id=tls0,dir=/etc/qemu/tls,verify-peer=yes \ 257*1c45af36SDaniel P. Berrangé --vnc 0.0.0.0:1,sasl,sasl-authz=auth0,tls-creds=tls0,tls-authz=authz1 258