Change in ovirt-engine[master]: core: Console stealing fix

tjelinek at redhat.com tjelinek at redhat.com
Fri Mar 25 19:02:36 UTC 2016


Tomas Jelinek has submitted this change and it was merged.

Change subject: core: Console stealing fix
......................................................................


core: Console stealing fix

Only users with permission "VM" > "Administrative Operations" >
"Override opened console session" (in code ActionGroup.RECONNECT_TO_VM)
are able to connect to a console someone else already has connected to
(before next restart). This applies if "Edit" VM dialog > "Console"
tab > "Advanced parameters" > "Disable strict user checking" is disabled
(in code VmBase#allowConsoleReconnect == false).

If strict user checking is disabled, anyone can steal the console from
anyone.

Method SetVmTicketCommand#checkPermissions was removed and thus its
tests were removed.

"General command failure" was removed. Any error in SetVmTicketCommand
that is not related to unauthorized console stealing is reported by
ConfigureConsoleOptionsQuery as EngineMessage.SETTING_VM_TICKET_FAILED.

Previously it might happen that an unauthorized attempt to steal the console
resulted in a locked screen for the current console user. This was caused by
firing the VDSM command "desktopLogin" earlier than the execution of
SetVmTicketCommand (which actually verifies the permissions).

It is solved by fixing frontend permission checking that prevents firing
any command if SetVmTicketCommand would fail on permission check. The user
is notified about the console being used by another user by a pure frontend
dialog.

  VM#getConsoleCurrentUserName() was replaced by
  VM#getConsoleCurrentUserId() in ConsoleModel
  #executeCommandWithConsoleSafenessWarning() as
  getConsoleCurrentUserName() is not reliable (it is nulled in
  VdsEventListener#processOnClientIpChange()).

Change-Id: Ib47107b2e2f85e4d05b13c3fe35ab4ad449d0ca5
Bug-Url: https://bugzilla.redhat.com/1297018
Signed-off-by: Jakub Niedermertl <jniederm at redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/SetVmTicketCommand.java
M backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/SetVmTicketCommandTest.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/EngineMessage.java
M backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java
M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/ConsoleModel.java
M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java
M frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
M frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
10 files changed, 24 insertions(+), 127 deletions(-)

Approvals:
  Tomas Jelinek: Looks good to me, but someone else must approve
  Jakub Niedermertl: Verified
  Jenkins CI: Passed CI tests
  Arik Hadas: Looks good to me, approved



-- 
To view, visit https://gerrit.ovirt.org/54228
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib47107b2e2f85e4d05b13c3fe35ab4ad449d0ca5
Gerrit-PatchSet: 9
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Jakub Niedermertl <jniederm at redhat.com>
Gerrit-Reviewer: Arik Hadas <ahadas at redhat.com>
Gerrit-Reviewer: Jakub Niedermertl <jniederm at redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Tomas Jelinek <tjelinek at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>
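
Added example, not ovirt-engine code: a Java model of the rule the commit message describes, with the permission decision made before any side effect runs. ConsoleAccessExample, decide() and connect() are hypothetical names, and it is an assumption here that an unheld console and the current holder reconnecting are always allowed.

```java
import java.util.UUID;

// Added illustration; ConsoleAccessExample, decide() and connect() are hypothetical names.
public class ConsoleAccessExample {

    enum Decision { CONNECT, DENY_CONSOLE_IN_USE }

    // consoleUserId: user currently holding the console, null if nobody (assumption).
    // allowConsoleReconnect models VmBase#allowConsoleReconnect;
    // hasReconnectPermission models holding ActionGroup.RECONNECT_TO_VM.
    static Decision decide(UUID consoleUserId, UUID requesterId,
                           boolean allowConsoleReconnect, boolean hasReconnectPermission) {
        // Compare user ids: the commit notes the console user name is not reliable.
        boolean heldByOther = consoleUserId != null && !consoleUserId.equals(requesterId);
        if (!heldByOther || allowConsoleReconnect || hasReconnectPermission) {
            return Decision.CONNECT;
        }
        return Decision.DENY_CONSOLE_IN_USE;
    }

    // Decide first; side effects (standing in for desktopLogin and the ticket
    // change) run only after the check has passed, so a denied request leaves
    // the current console user's session untouched.
    static Decision connect(UUID consoleUserId, UUID requesterId, boolean allowConsoleReconnect,
                            boolean hasReconnectPermission, Runnable sideEffects) {
        Decision decision = decide(consoleUserId, requesterId,
                allowConsoleReconnect, hasReconnectPermission);
        if (decision == Decision.CONNECT) {
            sideEffects.run();
        }
        return decision;
    }

    public static void main(String[] args) {
        UUID alice = UUID.randomUUID(); // constructed sample users
        UUID bob = UUID.randomUUID();
        int[] fired = {0};
        Runnable effects = () -> fired[0]++;

        // Strict checking on, bob lacks the permission: denied, nothing fired.
        System.out.println(connect(alice, bob, false, false, effects) + " fired=" + fired[0]);
        // Same request with RECONNECT_TO_VM: allowed.
        System.out.println(connect(alice, bob, false, true, effects) + " fired=" + fired[0]);
        // Strict checking disabled: anyone may take over.
        System.out.println(connect(alice, bob, true, false, effects) + " fired=" + fired[0]);
        // The current holder reconnecting (assumed allowed).
        System.out.println(connect(alice, alice, false, false, effects) + " fired=" + fired[0]);
    }
}
```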


