[Kimchi-devel] [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
Royce Lv
lvroyce at linux.vnet.ibm.com
Wed May 21 06:59:03 UTC 2014
On 05/20/2014 11:27 PM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Only the user who gets the ticket can access the VM console.
>
> The ticket becomes invalid when it expires.
>
> We only manage the VMs created by kimchi.
> We do not set the ticket for VMs that were created by other management tools.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> Signed-off-by: Zhou Zheng Sheng <zhshzhou at linux.vnet.ibm.com>
> ---
> src/kimchi/control/vms.py | 1 +
> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
> index 508f478..e3c72d1 100644
> --- a/src/kimchi/control/vms.py
> +++ b/src/kimchi/control/vms.py
> @@ -37,6 +37,7 @@ class VM(Resource):
> self.uri_fmt = '/vms/%s'
> for ident, node in sub_nodes.items():
> setattr(self, ident, node(model, self.ident))
> + self.setticket = self.generate_action_handler('setticket')
> self.start = self.generate_action_handler('start')
> self.poweroff = self.generate_action_handler('poweroff')
> self.shutdown = self.generate_action_handler('shutdown')
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 17bda04..0daaea0 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -19,7 +19,10 @@
>
> from lxml.builder import E
> import lxml.etree as ET
> +from lxml import etree, objectify
> import os
> +import random
> +import string
> import time
> import uuid
> from xml.etree import ElementTree
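Review bot: The added `from lxml import etree, objectify` binds `lxml.etree` a second time, since the context line just above already has `import lxml.etree as ET`. Importing only `from lxml import objectify` and calling `ET.tostring(graphic)` in `setticket` would keep a single name for the module. The new `import random` is used to generate the console password in the last hunk, where it is not a suitable source.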
> @@ -353,9 +356,14 @@ class VMModel(object):
> graphics = self._vm_get_graphics(name)
> graphics_type, graphics_listen, graphics_port = graphics
> graphics_port = graphics_port if state == 'running' else None
> + passwd = None
> try:
> if state == 'running' and self._has_video(dom):
> screenshot = self.vmscreenshot.lookup(name)
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + passwd = graphic.attrib.get('passwd')
> elif state == 'shutoff':
> # reset vm stats when it is powered off to avoid sending
> # incorrect (old) data
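Review bot: `root.devices.find("graphics")` returns None when the domain XML has no graphics element, so `graphic.attrib.get('passwd')` on the next line would raise AttributeError. `_has_video(dom)` may already rule this out, and the `except` clause of this `try` is outside the hunk, so it is unclear whether the error would be caught or would fail the whole lookup. A guard such as `passwd = graphic.attrib.get('passwd') if graphic is not None else None` makes that explicit. The read also ignores `passwdValidTo`, so the value returned may be a ticket that has already expired; comparing against it, or returning it alongside, would let clients tell the difference.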
> @@ -394,6 +402,7 @@ class VMModel(object):
> 'graphics': {"type": graphics_type,
> "listen": graphics_listen,
> "port": graphics_port},
> + 'ticket': passwd,
After talking with Zhengsheng, I understand why we want the ticket for
all logged-in users without distinguishing any group.
I think it can be used here to prevent the VNC connection from being stolen by a user
outside kimchi,
but this is not what ticket used for, right? We can't set ticket and
pass it in the vnc/spice client.
Or export the passwd to specific group user.
But I agree that we can make it as a future extension.
> 'users': users,
> 'groups': groups
> }
> @@ -513,6 +522,25 @@ class VMModel(object):
> else:
> raise OperationFailed("KCHVM0010E", {'name': name})
>
> + def setticket(self, name, password=None, expire=10):
> + dom = self.get_vm(name, self.conn)
> + version, distro = self.vm_get_os_metadata(dom)
> + if distro is None:
> + # this VM is not created by kimchi
> + return
> +
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + password = password if password is not None else "".join(
> + random.sample(string.ascii_letters + string.digits, 8))
> + graphic.attrib['passwd'] = password
> + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
> + time.gmtime(time.time() + float(expire)))
> + graphic.attrib['passwdValidTo'] = valid_to
> + graphic_xml = etree.tostring(graphic)
> + dom.updateDeviceFlags(graphic_xml, 0)
> +
> def _vmscreenshot_delete(self, vm_uuid):
> screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
> self.conn)
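Review bot: The default ticket in `setticket` is built with `random.sample(string.ascii_letters + string.digits, 8)`, which uses the non-cryptographic `random` generator and draws without replacement, so no character can repeat and the space of possible tickets shrinks further. Because this string gates access to the VM console, it should come from the OS CSPRNG, e.g. `rng = random.SystemRandom()` followed by `"".join(rng.choice(string.ascii_letters + string.digits) for _ in range(8))`. `graphic` is used unchecked, and `find("graphics")` returns None for a domain without a graphics device, so an `if graphic is None:` branch is needed before the `attrib` writes. `expire` is passed straight to `float()`; rejecting non-numeric, negative or very large values would keep a caller from setting a ticket that effectively never expires.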