The term "access control list" better describes the concept involved.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
<dt><code>virNetSASLContextPtr</code> (virnetsaslcontext.h)</dt>
<dd>The virNetSASLContext APIs maintain SASL state for a network
service (server or client). This is primarily used on the server
- to provide a whitelist of allowed SASL usernames for clients.
+ to provide an access control list of SASL usernames permitted as
+ clients.
</dd>
<dt><code>virNetSASLSessionPtr</code> (virnetsaslcontext.h)</dt>
<dt><code>virNetTLSContextPtr</code> (virnettlscontext.h)</dt>
<dd>The virNetTLSContext APIs maintain TLS state for a network
service (server or client). This is primarily used on the server
- to provide a whitelist of allowed x509 distinguished names, as
+ to provide an access control list of x509 distinguished names, as
well as diffie-hellman keys. It can also do validation of
x509 certificates prior to initiating a connection, in order
to improve detection of configuration errors.
next step is to decode the RPC header. The header is validated to
ensure the request is sensible, ie the server should not receive a
method reply from a client. If the client has not yet authenticated,
- a security check is also applied to make sure the procedure is on the
- whitelist of those allowed prior to auth. If the packet is a method
+ an access control list check is also performed to make sure the procedure
+ is one of those allowed prior to auth. If the packet is a method
call, it will be placed on a global processing queue. The event loop
thread is now done with the packet for the time being.
</p>
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
+# verification.
#tls_no_verify_certificate = 1
-# A whitelist of allowed x509 Distinguished Names
+# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
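Review bot: The replacement line `# verification.` drops the only warning that disabling client certificate verification needs a compensating control, leaving `tls_no_verify_certificate` documented as if it were harmless. The old hint was wrong in its specifics (no IP whitelist option is visible in this file), so correcting it is better than deleting it; in particular `tls_allowed_dn_list` cannot stand in for verification, because a DN read from an unverified certificate is chosen by the client. Suggested replacement for the line: `# verification. A client is then not authenticated by its certificate at all, so if you enable this, restrict access by other means (SASL authentication, firewalling the TLS port); tls_allowed_dn_list cannot compensate, since a DN from an unverified certificate is client-chosen.` The same line recurs in the two test config copies later in this patch and should get the same text.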
@END@
-# A whitelist of allowed SASL usernames. The format for username
+# An access control list of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0;
} else {
- /* Check username whitelist ACL */
+ /* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2)
goto authdeny;
if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0;
} else {
- /* Check username whitelist ACL */
+ /* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2)
goto authdeny;
struct _virNetSASLContext {
virObjectLockable parent;
- const char *const*usernameWhitelist;
+ const char *const *usernameACL;
};
struct _virNetSASLSession {
return ctxt;
}
-virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist)
+virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL)
{
virNetSASLContextPtr ctxt;
if (!(ctxt = virObjectLockableNew(virNetSASLContextClass)))
return NULL;
- ctxt->usernameWhitelist = usernameWhitelist;
+ ctxt->usernameACL = usernameACL;
return ctxt;
}
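Review bot: `virNetSASLContextNewServer` stores the caller's `usernameACL` pointer directly (`ctxt->usernameACL = usernameACL;`) without copying the array, but nothing documents that the caller must keep the list and its strings alive for the lifetime of the context. Because this list is the server-side access control for SASL clients, a config array freed or reassigned while the context lives would presumably surface as a use-after-free inside the identity check rather than as a visible misconfiguration. Suggest a comment above the definition: `/* usernameACL is borrowed, not copied: the caller must keep the array and its strings alive while the context exists. NULL means no ACL (all identities allowed). */`.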
virObjectLock(ctxt);
/* If the list is not set, allow any DN. */
- wildcards = ctxt->usernameWhitelist;
+ wildcards = ctxt->usernameACL;
if (!wildcards) {
ret = 1; /* No ACL, allow all */
goto cleanup;
}
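Review bot: The comment `/* If the list is not set, allow any DN. */` directly above the renamed line describes x509 DNs, but this function checks SASL identities against `usernameACL`; it reads as copied from the TLS counterpart and should say `/* If no ACL is configured, allow any SASL identity. */`. It would also help to state the distinction the code makes here: a NULL pointer allows everyone (`ret = 1; /* No ACL, allow all */`), whereas an empty but non-NULL list presumably matches nothing and denies everyone, since the matching loop (outside this hunk) never sets a match — that fail-closed behaviour is exactly what an operator editing the config needs to be able to find. The enclosing function starts before and ends after this hunk.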
/* Denied */
- VIR_ERROR(_("SASL client identity '%s' not allowed in whitelist"), identity);
+ VIR_ERROR(_("SASL client identity '%s' not allowed by ACL"), identity);
/* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
};
virNetSASLContextPtr virNetSASLContextNewClient(void);
-virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist);
+virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL);
int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
const char *identity);
bool isServer;
bool requireValidCert;
- const char *const*x509dnWhitelist;
+ const char *const *x509dnACL;
char *priority;
};
/* Check DN is on tls_allowed_dn_list. */
static int
-virNetTLSContextCheckCertDNWhitelist(const char *dname,
- const char *const*wildcards)
+virNetTLSContextCheckCertDNACL(const char *dname,
+ const char *const *wildcards)
{
while (*wildcards) {
if (g_pattern_match_simple(*wildcards, dname))
}
/* Log the client's DN for debugging */
- VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);
+ VIR_DEBUG("Failed ACL check for client DN '%s'", dname);
/* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
const char *certFile,
const char *hostname,
const char *dname,
- const char *const* whitelist)
+ const char *const *acl)
{
- if (whitelist && dname &&
- virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
+ if (acl && dname &&
+ virNetTLSContextCheckCertDNACL(dname, acl) <= 0)
return -1;
if (hostname &&
const char *cacrl,
const char *cert,
const char *key,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
}
ctxt->requireValidCert = requireValidCert;
- ctxt->x509dnWhitelist = x509dnWhitelist;
+ ctxt->x509dnACL = x509dnACL;
ctxt->isServer = isServer;
PROBE(RPC_TLS_CONTEXT_NEW,
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
bool tryUserPkiPath,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
return NULL;
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
- x509dnWhitelist, priority, sanityCheckCert,
+ x509dnACL, priority, sanityCheckCert,
requireValidCert, isServer);
VIR_FREE(cacert);
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
- return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
+ return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, priority,
sanityCheckCert, requireValidCert, true);
}
const char *cacrl,
const char *cert,
const char *key,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
- return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
+ return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priority,
sanityCheckCert, requireValidCert, true);
}
VIR_DEBUG("Peer DN is %s", dname);
if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
- ctxt->x509dnWhitelist) < 0) {
+ ctxt->x509dnACL) < 0) {
gnutls_x509_crt_deinit(cert);
goto authdeny;
}
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
const char *cacrl,
const char *cert,
const char *key,
- const char *const*x509dnWhitelist,
+ const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
+# verification.
tls_no_verify_certificate = 1
-# A whitelist of allowed x509 Distinguished Names
+# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
tls_allowed_dn_list = ["DN1", "DN2"]
-# A whitelist of allowed SASL usernames. The format for usernames
+# An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
+# verification.
tls_no_verify_certificate = 1
-# A whitelist of allowed x509 Distinguished Names
+# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# By default, no DN's are checked
tls_allowed_dn_list = [ "DN1", "DN2" ]
-# A whitelist of allowed SASL usernames. The format for usernames
+# An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#