[qemu.git] / docs / system / authz.rst

.. _client authorization:

Client authorization
--------------------

When configuring a QEMU network backend with either TLS certificates or SASL
authentication, access will be granted if the client successfully proves
their identity. If the authorization identity database is scoped to the QEMU
client this may be sufficient. It is common, however, for the identity database
to be much broader and thus authentication alone does not enable sufficient
access control. In this case QEMU provides a flexible system for enforcing
finer grained authorization on clients post-authentication.

Identity providers
~~~~~~~~~~~~~~~~~~

At the time of writing there are two authentication frameworks used by QEMU
that emit an identity upon completion.

 * TLS x509 certificate distinguished name.

   When configuring the QEMU backend as a network server with TLS, there
   are a choice of credentials to use. The most common scenario is to utilize
   x509 certificates. The simplest configuration only involves issuing
   certificates to the servers, allowing the client to avoid a MITM attack
   against their intended server.

   It is possible, however, to enable mutual verification by requiring that
   the client provide a certificate to the server to prove its own identity.
   This is done by setting the property ``verify-peer=yes`` on the
   ``tls-creds-x509`` object, which is in fact the default.

   When peer verification is enabled, client will need to be issued with a
   certificate by the same certificate authority as the server. If this is
   still not sufficiently strong access control the Distinguished Name of
   the certificate can be used as an identity in the QEMU authorization
   framework.

 * SASL username.

   When configuring the QEMU backend as a network server with SASL, upon
   completion of the SASL authentication mechanism, a username will be
   provided. The format of this username will vary depending on the choice
   of mechanism configured for SASL. It might be a simple UNIX style user
   ``joebloggs``, while if using Kerberos/GSSAPI it can have a realm
   attached ``[email protected]``.  Whatever format the username is presented
   in, it can be used with the QEMU authorization framework.

Authorization drivers
~~~~~~~~~~~~~~~~~~~~~

The QEMU authorization framework is a general purpose design with choice of
user customizable drivers. These are provided as objects that can be
created at startup using the ``-object`` argument, or at runtime using the
``object_add`` monitor command.

Simple
^^^^^^

This authorization driver provides a simple mechanism for granting access
based on an exact match against a single identity. This is useful when it is
known that only a single client is to be allowed access.

A possible use case would be when configuring QEMU for an incoming live
migration. It is known exactly which source QEMU the migration is expected
to arrive from. The x509 certificate associated with this source QEMU would
thus be used as the identity to match against. Alternatively if the virtual
machine is dedicated to a specific tenant, then the VNC server would be
configured with SASL and the username of only that tenant listed.

To create an instance of this driver via QMP:

::

   {
     "execute": "object-add",
     "arguments": {
       "qom-type": "authz-simple",
       "id": "authz0",
       "identity": "fred"
     }
   }


Or via the command line

::

   -object authz-simple,id=authz0,identity=fred


List
^^^^

In some network backends it will be desirable to grant access to a range of
clients. This authorization driver provides a list mechanism for granting
access by matching identities against a list of permitted one. Each match
rule has an associated policy and a catch all policy applies if no rule
matches. The match can either be done as an exact string comparison, or can
use the shell-like glob syntax, which allows for use of wildcards.

To create an instance of this class via QMP:

::

   {
     "execute": "object-add",
     "arguments": {
       "qom-type": "authz-list",
       "id": "authz0",
       "rules": [
          { "match": "fred", "policy": "allow", "format": "exact" },
          { "match": "bob", "policy": "allow", "format": "exact" },
          { "match": "danb", "policy": "deny", "format": "exact" },
          { "match": "dan*", "policy": "allow", "format": "glob" }
       ],
       "policy": "deny"
     }
   }


Due to the way this driver requires setting nested properties, creating
it on the command line will require use of the JSON syntax for ``-object``.
In most cases, however, the next driver will be more suitable.

List file
^^^^^^^^^

This is a variant on the previous driver that allows for a more dynamic
access control policy by storing the match rules in a standalone file
that can be reloaded automatically upon change.

To create an instance of this class via QMP:

::

   {
     "execute": "object-add",
     "arguments": {
       "qom-type": "authz-list-file",
       "id": "authz0",
       "filename": "/etc/qemu/myvm-vnc.acl",
       "refresh": true
     }
   }


If ``refresh`` is ``yes``, inotify is used to monitor for changes
to the file and auto-reload the rules.

The ``myvm-vnc.acl`` file should contain the match rules in a format that
closely matches the previous driver:

::

   {
     "rules": [
       { "match": "fred", "policy": "allow", "format": "exact" },
       { "match": "bob", "policy": "allow", "format": "exact" },
       { "match": "danb", "policy": "deny", "format": "exact" },
       { "match": "dan*", "policy": "allow", "format": "glob" }
     ],
     "policy": "deny"
   }


The object can be created on the command line using

::

   -object authz-list-file,id=authz0,\
           filename=/etc/qemu/myvm-vnc.acl,refresh=on


PAM
^^^

In some scenarios it might be desirable to integrate with authorization
mechanisms that are implemented outside of QEMU. In order to allow maximum
flexibility, QEMU provides a driver that uses the ``PAM`` framework.

To create an instance of this class via QMP:

::

   {
     "execute": "object-add",
     "arguments": {
       "qom-type": "authz-pam",
       "id": "authz0",
       "parameters": {
         "service": "qemu-vnc-tls"
       }
     }
   }


The driver only uses the PAM "account" verification
subsystem. The above config would require a config
file /etc/pam.d/qemu-vnc-tls. For a simple file
lookup it would contain

::

   account requisite  pam_listfile.so item=user sense=allow \
           file=/etc/qemu/vnc.allow


The external file would then contain a list of usernames.
If x509 cert was being used as the username, a suitable
entry would match the distinguished name:

::

   CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB


On the command line it can be created using

::

   -object authz-pam,id=authz0,service=qemu-vnc-tls


There are a variety of PAM plugins that can be used which are not illustrated
here, and it is possible to implement brand new plugins using the PAM API.


Connecting backends
~~~~~~~~~~~~~~~~~~~

The authorization driver is created using the ``-object`` argument and then
needs to be associated with a network service. The authorization driver object
will be given a unique ID that needs to be referenced.

The property to set in the network service will vary depending on the type of
identity to verify. By convention, any network server backend that uses TLS
will provide ``tls-authz`` property, while any server using SASL will provide
a ``sasl-authz`` property.

Thus an example using SASL and authorization for the VNC server would look
like:

::

   $QEMU --object authz-simple,id=authz0,identity=fred \
         --vnc 0.0.0.0:1,sasl,sasl-authz=authz0

While to validate both the x509 certificate and SASL username:

::

   echo "CN=laptop.qemu.org,O=QEMU Project,L=London,ST=London,C=GB" >> tls.acl
   $QEMU --object authz-simple,id=authz0,identity=fred \
         --object authz-list-file,id=authz1,filename=tls.acl \
	 --object tls-creds-x509,id=tls0,dir=/etc/qemu/tls,verify-peer=yes \
         --vnc 0.0.0.0:1,sasl,sasl-authz=auth0,tls-creds=tls0,tls-authz=authz1
Commit	Line	Data
1c45af36 DB	1	.. _client authorization:
	2
	3	Client authorization
	4	--------------------
	5
	6	When configuring a QEMU network backend with either TLS certificates or SASL
	7	authentication, access will be granted if the client successfully proves
	8	their identity. If the authorization identity database is scoped to the QEMU
	9	client this may be sufficient. It is common, however, for the identity database
	10	to be much broader and thus authentication alone does not enable sufficient
	11	access control. In this case QEMU provides a flexible system for enforcing
	12	finer grained authorization on clients post-authentication.
	13
	14	Identity providers
	15	~~~~~~~~~~~~~~~~~~
	16
	17	At the time of writing there are two authentication frameworks used by QEMU
	18	that emit an identity upon completion.
	19
	20	* TLS x509 certificate distinguished name.
	21
	22	When configuring the QEMU backend as a network server with TLS, there
	23	are a choice of credentials to use. The most common scenario is to utilize
	24	x509 certificates. The simplest configuration only involves issuing
	25	certificates to the servers, allowing the client to avoid a MITM attack
	26	against their intended server.
	27
	28	It is possible, however, to enable mutual verification by requiring that
	29	the client provide a certificate to the server to prove its own identity.
	30	This is done by setting the property ``verify-peer=yes`` on the
	31	``tls-creds-x509`` object, which is in fact the default.
	32
	33	When peer verification is enabled, client will need to be issued with a
	34	certificate by the same certificate authority as the server. If this is
	35	still not sufficiently strong access control the Distinguished Name of
	36	the certificate can be used as an identity in the QEMU authorization
	37	framework.
	38
	39	* SASL username.
	40
	41	When configuring the QEMU backend as a network server with SASL, upon
	42	completion of the SASL authentication mechanism, a username will be
	43	provided. The format of this username will vary depending on the choice
	44	of mechanism configured for SASL. It might be a simple UNIX style user
	45	``joebloggs``, while if using Kerberos/GSSAPI it can have a realm
	46	attached ``[email protected]``. Whatever format the username is presented
	47	in, it can be used with the QEMU authorization framework.
	48
	49	Authorization drivers
	50	~~~~~~~~~~~~~~~~~~~~~
	51
	52	The QEMU authorization framework is a general purpose design with choice of
	53	user customizable drivers. These are provided as objects that can be
	54	created at startup using the ``-object`` argument, or at runtime using the
	55	``object_add`` monitor command.
	56
	57	Simple
	58	^^^^^^
	59
	60	This authorization driver provides a simple mechanism for granting access
	61	based on an exact match against a single identity. This is useful when it is
	62	known that only a single client is to be allowed access.
	63
	64	A possible use case would be when configuring QEMU for an incoming live
65	migration. It is known exactly which source QEMU the migration is expected
66	to arrive from. The x509 certificate associated with this source QEMU would
67	thus be used as the identity to match against. Alternatively if the virtual
68	machine is dedicated to a specific tenant, then the VNC server would be
69	configured with SASL and the username of only that tenant listed.
70
71	To create an instance of this driver via QMP:
72
73	::
74
75	{
76	"execute": "object-add",
77	"arguments": {
78	"qom-type": "authz-simple",
79	"id": "authz0",
8f75cae2	80	"identity": "fred"
1c45af36 DB	81	}
	82	}
	83
	84
	85	Or via the command line
	86
	87	::
	88
	89	-object authz-simple,id=authz0,identity=fred
	90
	91
	92	List
	93	^^^^
	94
	95	In some network backends it will be desirable to grant access to a range of
	96	clients. This authorization driver provides a list mechanism for granting
	97	access by matching identities against a list of permitted one. Each match
	98	rule has an associated policy and a catch all policy applies if no rule
	99	matches. The match can either be done as an exact string comparison, or can
	100	use the shell-like glob syntax, which allows for use of wildcards.
	101
	102	To create an instance of this class via QMP:
	103
	104	::
	105
	106	{
	107	"execute": "object-add",
	108	"arguments": {
	109	"qom-type": "authz-list",
	110	"id": "authz0",
8f75cae2 RL	111	"rules": [
	112	{ "match": "fred", "policy": "allow", "format": "exact" },
	113	{ "match": "bob", "policy": "allow", "format": "exact" },
	114	{ "match": "danb", "policy": "deny", "format": "exact" },
	115	{ "match": "dan*", "policy": "allow", "format": "glob" }
	116	],
	117	"policy": "deny"
1c45af36 DB	118	}
	119	}
	120
	121
	122	Due to the way this driver requires setting nested properties, creating
	123	it on the command line will require use of the JSON syntax for ``-object``.
	124	In most cases, however, the next driver will be more suitable.
	125
	126	List file
	127	^^^^^^^^^
	128
	129	This is a variant on the previous driver that allows for a more dynamic
	130	access control policy by storing the match rules in a standalone file
	131	that can be reloaded automatically upon change.
	132
	133	To create an instance of this class via QMP:
	134
	135	::
	136
	137	{
	138	"execute": "object-add",
	139	"arguments": {
	140	"qom-type": "authz-list-file",
	141	"id": "authz0",
8f75cae2 RL	142	"filename": "/etc/qemu/myvm-vnc.acl",
8f75cae2 RL	143	"refresh": true
1c45af36 DB	144	}
	145	}
	146
	147
	148	If ``refresh`` is ``yes``, inotify is used to monitor for changes
	149	to the file and auto-reload the rules.
	150
	151	The ``myvm-vnc.acl`` file should contain the match rules in a format that
	152	closely matches the previous driver:
	153
	154	::
	155
	156	{
	157	"rules": [
	158	{ "match": "fred", "policy": "allow", "format": "exact" },
	159	{ "match": "bob", "policy": "allow", "format": "exact" },
	160	{ "match": "danb", "policy": "deny", "format": "exact" },
	161	{ "match": "dan*", "policy": "allow", "format": "glob" }
	162	],
	163	"policy": "deny"
	164	}
	165
	166
	167	The object can be created on the command line using
	168
	169	::
	170
	171	-object authz-list-file,id=authz0,\
	172	filename=/etc/qemu/myvm-vnc.acl,refresh=on
	173
	174
	175	PAM
	176	^^^
	177
	178	In some scenarios it might be desirable to integrate with authorization
	179	mechanisms that are implemented outside of QEMU. In order to allow maximum
	180	flexibility, QEMU provides a driver that uses the ``PAM`` framework.
	181
	182	To create an instance of this class via QMP:
	183
	184	::
	185
	186	{
	187	"execute": "object-add",
	188	"arguments": {
	189	"qom-type": "authz-pam",
	190	"id": "authz0",
	191	"parameters": {
	192	"service": "qemu-vnc-tls"
	193	}
	194	}
	195	}
	196
	197
	198	The driver only uses the PAM "account" verification
	199	subsystem. The above config would require a config
	200	file /etc/pam.d/qemu-vnc-tls. For a simple file
	201	lookup it would contain
	202
	203	::
	204
	205	account requisite pam_listfile.so item=user sense=allow \
	206	file=/etc/qemu/vnc.allow
	207
208
209	The external file would then contain a list of usernames.
210	If x509 cert was being used as the username, a suitable
211	entry would match the distinguished name:
212
213	::
214
215	CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
216
217
218	On the command line it can be created using
219
220	::
221
222	-object authz-pam,id=authz0,service=qemu-vnc-tls
223
224
225	There are a variety of PAM plugins that can be used which are not illustrated
226	here, and it is possible to implement brand new plugins using the PAM API.
227
228
229	Connecting backends
230	~~~~~~~~~~~~~~~~~~~
231
232	The authorization driver is created using the ``-object`` argument and then
233	needs to be associated with a network service. The authorization driver object
234	will be given a unique ID that needs to be referenced.
235
236	The property to set in the network service will vary depending on the type of
237	identity to verify. By convention, any network server backend that uses TLS
238	will provide ``tls-authz`` property, while any server using SASL will provide
239	a ``sasl-authz`` property.
240
241	Thus an example using SASL and authorization for the VNC server would look
242	like:
243
244	::
245
246	$QEMU --object authz-simple,id=authz0,identity=fred \
247	--vnc 0.0.0.0:1,sasl,sasl-authz=authz0
248
249	While to validate both the x509 certificate and SASL username:
250
251	::
252
253	echo "CN=laptop.qemu.org,O=QEMU Project,L=London,ST=London,C=GB" >> tls.acl
254	$QEMU --object authz-simple,id=authz0,identity=fred \
255	--object authz-list-file,id=authz1,filename=tls.acl \
256	--object tls-creds-x509,id=tls0,dir=/etc/qemu/tls,verify-peer=yes \
257	--vnc 0.0.0.0:1,sasl,sasl-authz=auth0,tls-creds=tls0,tls-authz=authz1