Added hypervisor mutual authentication.

When TLS is enabled, libvirt allows matching the remote host by the DN field in
the cert.
This patch allows to configure tls_allowed_dn_list option via
nova:compute:libvirt:tls:allowed_dn_list

For more information about this option please refer to

https://libvirt.org/remote.html#Remote_TLS_client_certificates

Change-Id: I3fdbc608b6cf73f030b1fd896c3dd42ad794c660
Related-PROD: PROD-22086
diff --git a/README.rst b/README.rst
index 42ba8db..2720bdd 100644
--- a/README.rst
+++ b/README.rst
@@ -986,6 +986,32 @@
             key: (certificate content)
             cert: (certificate content)
 
+Controlling access by `tls_allowed_dn_list`.
+Enable an access control list of client certificate Distinguished Names (DNs)
+which can connect to the TLS port on this server. The default is that DNs are
+not checked. This list may contain wildcards such as
+"C=GB,ST=London,L=London,O=Libvirt Project,CN=*" See the POSIX fnmatch function
+for the format of the wildcards.
+Note that if this is an empty list, no client can connect.
+Note also that GnuTLS returns DNs without spaces after commas between
+the fields (and this is what we check against), but the openssl x509 tool
+shows spaces.
+
+.. code-block:: yaml
+
+  nova:
+    compute:
+      libvirt:
+        tls:
+          tls_allowed_dn_list:
+            host1:
+              enabled: true
+              value: 'C=foo,CN=cmp1'
+            host2:
+              enabled: true
+              value: 'C=foo,CN=cmp2'
+
+
 You can read more about live migration over TLS here:
 https://wiki.libvirt.org/page/TLSCreateServerCerts
 
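Review bot: the pillar key shown in this example, `tls_allowed_dn_list` under `nova:compute:libvirt:tls`, does not match the key the templates read (`compute.libvirt.tls.allowed_dn_list`) nor the key named in the commit message (`nova:compute:libvirt:tls:allowed_dn_list`); a user following the README would have the option silently ignored, so the example key should be `allowed_dn_list`. Two smaller points: in reStructuredText single backticks are interpreted text, so the option name should use double backticks (``tls_allowed_dn_list``), and the sentence ending in `"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"` is missing its full stop before "See the POSIX fnmatch function". Since the text itself states that an empty list means no client can connect, it would also help to spell out what happens when every entry is set to `enabled: false`.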
diff --git a/nova/files/pike/libvirtd.conf.Debian b/nova/files/pike/libvirtd.conf.Debian
index d8836f9..aab457c 100644
--- a/nova/files/pike/libvirtd.conf.Debian
+++ b/nova/files/pike/libvirtd.conf.Debian
@@ -28,6 +28,14 @@
 {%- set ca_file = compute.libvirt.tls.ca_file %}
 {%- set unix_sock_ro_perms = "0000" %}
 {%- set unix_sock_rw_perms = "0000" %}
+{%- if compute.libvirt.tls.allowed_dn_list is defined %}
+  {% set tls_allowed_dn_list = [] %}
+  {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
+    {%- if item.enabled %}
+      {%- do tls_allowed_dn_list.append(item.value) %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
 {%- else %}
 {%- set listen_tls = 0 %}
 {%- set listen_tcp = 1 %}
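Review bot: `.iteritems()` in `{%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}` exists only on Python 2 dicts; on a minion running under Python 3 the template fails to render and libvirtd.conf is not written. `.items()` works on both, so use `{%- for _, item in compute.libvirt.tls.allowed_dn_list.items() %}`. Also, `{% set tls_allowed_dn_list = [] %}` is the only tag in the block without the `-` whitespace control, which leaves a stray blank line in the rendered file, and because the list is built only from entries with `item.enabled`, a pillar that defines `allowed_dn_list` with every entry disabled yields an empty list, which libvirt treats as "no client can connect" according to the README text in this same patch.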
@@ -250,6 +258,9 @@
 # By default, no DN's are checked
 #tls_allowed_dn_list = ["DN1", "DN2"]
 
+{%- if tls_allowed_dn_list is defined %}
+tls_allowed_dn_list = {{ tls_allowed_dn_list }}
+{%- endif %}
 
 # A whitelist of allowed SASL usernames. The format for usernames
 # depends on the SASL authentication mechanism. Kerberos usernames
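Review bot: `tls_allowed_dn_list = {{ tls_allowed_dn_list }}` is emitted whenever the variable is defined, including when it is an empty list, and per the README hunk an empty `tls_allowed_dn_list` means no client can connect; disabling the last entry in the pillar would therefore lock every peer, live migration included, out of the TLS port. Either test for a non-empty list (`{%- if tls_allowed_dn_list is defined and tls_allowed_dn_list %}`) or document the lockout as intended. The rendering also relies on Python's list repr (single-quoted strings) rather than the double-quoted form shown in the commented default `#tls_allowed_dn_list = ["DN1", "DN2"]`; an explicit `["{{ tls_allowed_dn_list | join('", "') }}"]` produces that form deterministically.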
diff --git a/nova/files/queens/libvirtd.conf.Debian b/nova/files/queens/libvirtd.conf.Debian
index d8836f9..aab457c 100644
--- a/nova/files/queens/libvirtd.conf.Debian
+++ b/nova/files/queens/libvirtd.conf.Debian
@@ -28,6 +28,14 @@
 {%- set ca_file = compute.libvirt.tls.ca_file %}
 {%- set unix_sock_ro_perms = "0000" %}
 {%- set unix_sock_rw_perms = "0000" %}
+{%- if compute.libvirt.tls.allowed_dn_list is defined %}
+  {% set tls_allowed_dn_list = [] %}
+  {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
+    {%- if item.enabled %}
+      {%- do tls_allowed_dn_list.append(item.value) %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
 {%- else %}
 {%- set listen_tls = 0 %}
 {%- set listen_tcp = 1 %}
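Review bot: this file is a byte-for-byte copy of the pike template (same blob ids `d8836f9..aab457c`), so the Python 2-only `.iteritems()` in the `for` line fails to render under Python 3 here as well; use `.items()`. Keeping the identical block in two release-specific files also invites drift, so consider moving it into a shared include or macro.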
@@ -250,6 +258,9 @@
 # By default, no DN's are checked
 #tls_allowed_dn_list = ["DN1", "DN2"]
 
+{%- if tls_allowed_dn_list is defined %}
+tls_allowed_dn_list = {{ tls_allowed_dn_list }}
+{%- endif %}
 
 # A whitelist of allowed SASL usernames. The format for usernames
 # depends on the SASL authentication mechanism. Kerberos usernames
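Review bot: as in the pike copy of this template, `tls_allowed_dn_list = {{ tls_allowed_dn_list }}` is written even when the list is empty, which the README hunk states means no client can connect; guard the emit with a truthiness check (`{%- if tls_allowed_dn_list is defined and tls_allowed_dn_list %}`) so that disabling every pillar entry does not silently deny all TLS clients.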