cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2adfbd9ea73fc04955d459a3e37101263067ebdb
server/usr/share/doc/qemu-system-common/system/authz.html
cutemeli 2adfbd9ea7 .gitignore angepasst
2026-01-07 20:52:11 +01:00

379 lines
28 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../">
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Client authorization &mdash; QEMU Debian 1:8.2.2+ds-0ubuntu1.11 documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/css/theme.css?v=86f27845" />
<link rel="stylesheet" type="text/css" href="../_static/theme_overrides.css?v=08e6c168" />
<link rel="shortcut icon" href="../_static/qemu_32x32.png"/>
<script src="../_static/jquery.js?v=8dae8fb0"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../_static/documentation_options.js?v=802af9f6"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../_static/custom.js?v=2ab9f71d"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="GDB usage" href="gdb.html" />
<link rel="prev" title="Providing secret data to QEMU" href="secrets.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" style="background: #802400" >
<a href="../index.html" class="icon icon-home">
QEMU
<img src="../_static/qemu_128x128.png" class="logo" alt="Logo"/>
</a>
<div class="version">
8.2.2
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../about/index.html">About QEMU</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">System Emulation</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="introduction.html">Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="invocation.html">Invocation</a></li>
<li class="toctree-l2"><a class="reference internal" href="device-emulation.html">Device Emulation</a></li>
<li class="toctree-l2"><a class="reference internal" href="keys.html">Keys in the graphical frontends</a></li>
<li class="toctree-l2"><a class="reference internal" href="mux-chardev.html">Keys in the character backend multiplexer</a></li>
<li class="toctree-l2"><a class="reference internal" href="monitor.html">QEMU Monitor</a></li>
<li class="toctree-l2"><a class="reference internal" href="images.html">Disk Images</a></li>
<li class="toctree-l2"><a class="reference internal" href="virtio-net-failover.html">QEMU virtio-net standby (net_failover)</a></li>
<li class="toctree-l2"><a class="reference internal" href="linuxboot.html">Direct Linux Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="generic-loader.html">Generic Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="guest-loader.html">Guest Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="barrier.html">QEMU Barrier Client</a></li>
<li class="toctree-l2"><a class="reference internal" href="vnc-security.html">VNC security</a></li>
<li class="toctree-l2"><a class="reference internal" href="tls.html">TLS setup for network services</a></li>
<li class="toctree-l2"><a class="reference internal" href="secrets.html">Providing secret data to QEMU</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Client authorization</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#identity-providers">Identity providers</a></li>
<li class="toctree-l3"><a class="reference internal" href="#authorization-drivers">Authorization drivers</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#simple">Simple</a></li>
<li class="toctree-l4"><a class="reference internal" href="#list">List</a></li>
<li class="toctree-l4"><a class="reference internal" href="#list-file">List file</a></li>
<li class="toctree-l4"><a class="reference internal" href="#pam">PAM</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#connecting-backends">Connecting backends</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="gdb.html">GDB usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="replay.html">Record/replay</a></li>
<li class="toctree-l2"><a class="reference internal" href="managed-startup.html">Managed start up options</a></li>
<li class="toctree-l2"><a class="reference internal" href="bootindex.html">Managing device boot order with bootindex properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="cpu-hotplug.html">Virtual CPU hotplug</a></li>
<li class="toctree-l2"><a class="reference internal" href="pr-manager.html">Persistent reservation managers</a></li>
<li class="toctree-l2"><a class="reference internal" href="targets.html">QEMU System Emulator Targets</a></li>
<li class="toctree-l2"><a class="reference internal" href="security.html">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="multi-process.html">Multi-process QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="confidential-guest-support.html">Confidential Guest Support</a></li>
<li class="toctree-l2"><a class="reference internal" href="vm-templating.html">QEMU VM templating</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">User Mode Emulation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../interop/index.html">System Emulation Management and Interoperability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">System Emulation Guest Hardware Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../devel/index.html">Developer Information</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" style="background: #802400" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">QEMU</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">System Emulation</a></li>
<li class="breadcrumb-item active">Client authorization</li>
<li class="wy-breadcrumbs-aside">
<a href="https://gitlab.com/qemu-project/qemu/blob/master/docs/system/authz.rst" class="fa fa-gitlab"> Edit on GitLab</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="client-authorization">
<span id="id1"></span><h1>Client authorization<a class="headerlink" href="#client-authorization" title="Link to this heading"></a></h1>
<p>When configuring a QEMU network backend with either TLS certificates or SASL
authentication, access will be granted if the client successfully proves
their identity. If the authorization identity database is scoped to the QEMU
client this may be sufficient. It is common, however, for the identity database
to be much broader and thus authentication alone does not enable sufficient
access control. In this case QEMU provides a flexible system for enforcing
finer grained authorization on clients post-authentication.</p>
<section id="identity-providers">
<h2>Identity providers<a class="headerlink" href="#identity-providers" title="Link to this heading"></a></h2>
<p>At the time of writing there are two authentication frameworks used by QEMU
that emit an identity upon completion.</p>
<blockquote>
<div><ul>
<li><p>TLS x509 certificate distinguished name.</p>
<p>When configuring the QEMU backend as a network server with TLS, there
are a choice of credentials to use. The most common scenario is to utilize
x509 certificates. The simplest configuration only involves issuing
certificates to the servers, allowing the client to avoid a MITM attack
against their intended server.</p>
<p>It is possible, however, to enable mutual verification by requiring that
the client provide a certificate to the server to prove its own identity.
This is done by setting the property <code class="docutils literal notranslate"><span class="pre">verify-peer=yes</span></code> on the
<code class="docutils literal notranslate"><span class="pre">tls-creds-x509</span></code> object, which is in fact the default.</p>
<p>When peer verification is enabled, client will need to be issued with a
certificate by the same certificate authority as the server. If this is
still not sufficiently strong access control the Distinguished Name of
the certificate can be used as an identity in the QEMU authorization
framework.</p>
</li>
<li><p>SASL username.</p>
<p>When configuring the QEMU backend as a network server with SASL, upon
completion of the SASL authentication mechanism, a username will be
provided. The format of this username will vary depending on the choice
of mechanism configured for SASL. It might be a simple UNIX style user
<code class="docutils literal notranslate"><span class="pre">joebloggs</span></code>, while if using Kerberos/GSSAPI it can have a realm
attached <code class="docutils literal notranslate"><span class="pre">joebloggs&#64;QEMU.ORG</span></code>. Whatever format the username is presented
in, it can be used with the QEMU authorization framework.</p>
</li>
</ul>
</div></blockquote>
</section>
<section id="authorization-drivers">
<h2>Authorization drivers<a class="headerlink" href="#authorization-drivers" title="Link to this heading"></a></h2>
<p>The QEMU authorization framework is a general purpose design with choice of
user customizable drivers. These are provided as objects that can be
created at startup using the <code class="docutils literal notranslate"><span class="pre">-object</span></code> argument, or at runtime using the
<code class="docutils literal notranslate"><span class="pre">object_add</span></code> monitor command.</p>
<section id="simple">
<h3>Simple<a class="headerlink" href="#simple" title="Link to this heading"></a></h3>
<p>This authorization driver provides a simple mechanism for granting access
based on an exact match against a single identity. This is useful when it is
known that only a single client is to be allowed access.</p>
<p>A possible use case would be when configuring QEMU for an incoming live
migration. It is known exactly which source QEMU the migration is expected
to arrive from. The x509 certificate associated with this source QEMU would
thus be used as the identity to match against. Alternatively if the virtual
machine is dedicated to a specific tenant, then the VNC server would be
configured with SASL and the username of only that tenant listed.</p>
<p>To create an instance of this driver via QMP:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">&quot;execute&quot;</span><span class="p">:</span> <span class="s2">&quot;object-add&quot;</span><span class="p">,</span>
<span class="s2">&quot;arguments&quot;</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">&quot;qom-type&quot;</span><span class="p">:</span> <span class="s2">&quot;authz-simple&quot;</span><span class="p">,</span>
<span class="s2">&quot;id&quot;</span><span class="p">:</span> <span class="s2">&quot;authz0&quot;</span><span class="p">,</span>
<span class="s2">&quot;identity&quot;</span><span class="p">:</span> <span class="s2">&quot;fred&quot;</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Or via the command line</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="nb">object</span> <span class="n">authz</span><span class="o">-</span><span class="n">simple</span><span class="p">,</span><span class="nb">id</span><span class="o">=</span><span class="n">authz0</span><span class="p">,</span><span class="n">identity</span><span class="o">=</span><span class="n">fred</span>
</pre></div>
</div>
</section>
<section id="list">
<h3>List<a class="headerlink" href="#list" title="Link to this heading"></a></h3>
<p>In some network backends it will be desirable to grant access to a range of
clients. This authorization driver provides a list mechanism for granting
access by matching identities against a list of permitted one. Each match
rule has an associated policy and a catch all policy applies if no rule
matches. The match can either be done as an exact string comparison, or can
use the shell-like glob syntax, which allows for use of wildcards.</p>
<p>To create an instance of this class via QMP:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">&quot;execute&quot;</span><span class="p">:</span> <span class="s2">&quot;object-add&quot;</span><span class="p">,</span>
<span class="s2">&quot;arguments&quot;</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">&quot;qom-type&quot;</span><span class="p">:</span> <span class="s2">&quot;authz-list&quot;</span><span class="p">,</span>
<span class="s2">&quot;id&quot;</span><span class="p">:</span> <span class="s2">&quot;authz0&quot;</span><span class="p">,</span>
<span class="s2">&quot;rules&quot;</span><span class="p">:</span> <span class="p">[</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;fred&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;bob&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;danb&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;deny&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;dan*&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;glob&quot;</span> <span class="p">}</span>
<span class="p">],</span>
<span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;deny&quot;</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Due to the way this driver requires setting nested properties, creating
it on the command line will require use of the JSON syntax for <code class="docutils literal notranslate"><span class="pre">-object</span></code>.
In most cases, however, the next driver will be more suitable.</p>
</section>
<section id="list-file">
<h3>List file<a class="headerlink" href="#list-file" title="Link to this heading"></a></h3>
<p>This is a variant on the previous driver that allows for a more dynamic
access control policy by storing the match rules in a standalone file
that can be reloaded automatically upon change.</p>
<p>To create an instance of this class via QMP:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">&quot;execute&quot;</span><span class="p">:</span> <span class="s2">&quot;object-add&quot;</span><span class="p">,</span>
<span class="s2">&quot;arguments&quot;</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">&quot;qom-type&quot;</span><span class="p">:</span> <span class="s2">&quot;authz-list-file&quot;</span><span class="p">,</span>
<span class="s2">&quot;id&quot;</span><span class="p">:</span> <span class="s2">&quot;authz0&quot;</span><span class="p">,</span>
<span class="s2">&quot;filename&quot;</span><span class="p">:</span> <span class="s2">&quot;/etc/qemu/myvm-vnc.acl&quot;</span><span class="p">,</span>
<span class="s2">&quot;refresh&quot;</span><span class="p">:</span> <span class="n">true</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>If <code class="docutils literal notranslate"><span class="pre">refresh</span></code> is <code class="docutils literal notranslate"><span class="pre">yes</span></code>, inotify is used to monitor for changes
to the file and auto-reload the rules.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">myvm-vnc.acl</span></code> file should contain the match rules in a format that
closely matches the previous driver:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">&quot;rules&quot;</span><span class="p">:</span> <span class="p">[</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;fred&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;bob&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;danb&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;deny&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;exact&quot;</span> <span class="p">},</span>
<span class="p">{</span> <span class="s2">&quot;match&quot;</span><span class="p">:</span> <span class="s2">&quot;dan*&quot;</span><span class="p">,</span> <span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;allow&quot;</span><span class="p">,</span> <span class="s2">&quot;format&quot;</span><span class="p">:</span> <span class="s2">&quot;glob&quot;</span> <span class="p">}</span>
<span class="p">],</span>
<span class="s2">&quot;policy&quot;</span><span class="p">:</span> <span class="s2">&quot;deny&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The object can be created on the command line using</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="nb">object</span> <span class="n">authz</span><span class="o">-</span><span class="nb">list</span><span class="o">-</span><span class="n">file</span><span class="p">,</span><span class="nb">id</span><span class="o">=</span><span class="n">authz0</span><span class="p">,</span>\
<span class="n">filename</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">qemu</span><span class="o">/</span><span class="n">myvm</span><span class="o">-</span><span class="n">vnc</span><span class="o">.</span><span class="n">acl</span><span class="p">,</span><span class="n">refresh</span><span class="o">=</span><span class="n">on</span>
</pre></div>
</div>
</section>
<section id="pam">
<h3>PAM<a class="headerlink" href="#pam" title="Link to this heading"></a></h3>
<p>In some scenarios it might be desirable to integrate with authorization
mechanisms that are implemented outside of QEMU. In order to allow maximum
flexibility, QEMU provides a driver that uses the <code class="docutils literal notranslate"><span class="pre">PAM</span></code> framework.</p>
<p>To create an instance of this class via QMP:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">&quot;execute&quot;</span><span class="p">:</span> <span class="s2">&quot;object-add&quot;</span><span class="p">,</span>
<span class="s2">&quot;arguments&quot;</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">&quot;qom-type&quot;</span><span class="p">:</span> <span class="s2">&quot;authz-pam&quot;</span><span class="p">,</span>
<span class="s2">&quot;id&quot;</span><span class="p">:</span> <span class="s2">&quot;authz0&quot;</span><span class="p">,</span>
<span class="s2">&quot;parameters&quot;</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">&quot;service&quot;</span><span class="p">:</span> <span class="s2">&quot;qemu-vnc-tls&quot;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The driver only uses the PAM “account” verification
subsystem. The above config would require a config
file /etc/pam.d/qemu-vnc-tls. For a simple file
lookup it would contain</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">account</span> <span class="n">requisite</span> <span class="n">pam_listfile</span><span class="o">.</span><span class="n">so</span> <span class="n">item</span><span class="o">=</span><span class="n">user</span> <span class="n">sense</span><span class="o">=</span><span class="n">allow</span> \
<span class="n">file</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">qemu</span><span class="o">/</span><span class="n">vnc</span><span class="o">.</span><span class="n">allow</span>
</pre></div>
</div>
<p>The external file would then contain a list of usernames.
If x509 cert was being used as the username, a suitable
entry would match the distinguished name:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">CN</span><span class="o">=</span><span class="n">laptop</span><span class="o">.</span><span class="n">berrange</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">O</span><span class="o">=</span><span class="n">Berrange</span> <span class="n">Home</span><span class="p">,</span><span class="n">L</span><span class="o">=</span><span class="n">London</span><span class="p">,</span><span class="n">ST</span><span class="o">=</span><span class="n">London</span><span class="p">,</span><span class="n">C</span><span class="o">=</span><span class="n">GB</span>
</pre></div>
</div>
<p>On the command line it can be created using</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="nb">object</span> <span class="n">authz</span><span class="o">-</span><span class="n">pam</span><span class="p">,</span><span class="nb">id</span><span class="o">=</span><span class="n">authz0</span><span class="p">,</span><span class="n">service</span><span class="o">=</span><span class="n">qemu</span><span class="o">-</span><span class="n">vnc</span><span class="o">-</span><span class="n">tls</span>
</pre></div>
</div>
<p>There are a variety of PAM plugins that can be used which are not illustrated
here, and it is possible to implement brand new plugins using the PAM API.</p>
</section>
</section>
<section id="connecting-backends">
<h2>Connecting backends<a class="headerlink" href="#connecting-backends" title="Link to this heading"></a></h2>
<p>The authorization driver is created using the <code class="docutils literal notranslate"><span class="pre">-object</span></code> argument and then
needs to be associated with a network service. The authorization driver object
will be given a unique ID that needs to be referenced.</p>
<p>The property to set in the network service will vary depending on the type of
identity to verify. By convention, any network server backend that uses TLS
will provide <code class="docutils literal notranslate"><span class="pre">tls-authz</span></code> property, while any server using SASL will provide
a <code class="docutils literal notranslate"><span class="pre">sasl-authz</span></code> property.</p>
<p>Thus an example using SASL and authorization for the VNC server would look
like:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$QEMU --object authz-simple,id=authz0,identity=fred \
--vnc 0.0.0.0:1,sasl,sasl-authz=authz0
</pre></div>
</div>
<p>While to validate both the x509 certificate and SASL username:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>echo &quot;CN=laptop.qemu.org,O=QEMU Project,L=London,ST=London,C=GB&quot; &gt;&gt; tls.acl
$QEMU --object authz-simple,id=authz0,identity=fred \
--object authz-list-file,id=authz1,filename=tls.acl \
--object tls-creds-x509,id=tls0,dir=/etc/qemu/tls,verify-peer=yes \
--vnc 0.0.0.0:1,sasl,sasl-authz=auth0,tls-creds=tls0,tls-authz=authz1
</pre></div>
</div>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="secrets.html" class="btn btn-neutral float-left" title="Providing secret data to QEMU" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="gdb.html" class="btn btn-neutral float-right" title="GDB usage" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2025, The QEMU Project Developers.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
<!-- Empty para to force a blank line after "Built with Sphinx ..." -->
<p></p>
<p>This documentation is for QEMU version 8.2.2.</p>
<p><a href="../about/license.html">QEMU and this manual are released under the
GNU General Public License, version 2.</a></p>
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink