[Kimchi-devel] [PATCH 4/4] set the password for spice and VNC page.
wenwang
wenwang at linux.vnet.ibm.com
Mon May 26 08:43:43 UTC 2014
From my personal perspective, I don't think changing the password that
often is that good a solution.
Security is definitely our first priority for Kimchi, whereas playing
with the password might not seem to be that professional. Our intention
is to make Kimchi a robust and secure tool for managing the VMs, due to
which I have a thought that might be of some help with this issue:
Since we want to prevent connections from users who are not the maker
of certain VMs, why not set a tag that indicates which user is authorized
to use certain VMs? It functions like this:
1) If the authentication by tags fails, we can disable any action from
that user.
2) A VNC password is required and can be set either by the Kimchi password
or by the user himself/herself. Once set, users can use the SSO method to
connect to the VM using Kimchi, and VNC has a password that the user knows.
3) For the issue that other users may connect to VMs by copying the URL, I
think we can set a token that expires once logged in. Without the token,
the user needs to log in to Kimchi again for safety.
Best Regards
Wang Wen
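
An added example, not part of the original message or of Kimchi's code: a minimal sketch of points 1 and 3 above, a console token that is issued only to a user tagged as authorized for the VM, expires after a short time, and is consumed on first use. The class name, the `vm_owners` mapping and the 30-second lifetime are assumptions.

```python
import secrets
import time


class ConsoleTokenStore:
    """Hypothetical single-use console tokens bound to (user, VM)."""

    def __init__(self, vm_owners, ttl=30.0, clock=time.monotonic):
        self._owners = vm_owners  # VM name -> set of authorized users (the "tag")
        self._ttl = ttl           # assumed lifetime in seconds
        self._clock = clock       # injectable so expiry can be tested
        self._live = {}           # token -> (user, vm, expiry time)

    def issue(self, user, vm):
        # Point 1: a user without the tag for this VM gets no token at all.
        if user not in self._owners.get(vm, ()):
            raise PermissionError(f"{user} is not authorized for {vm}")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._live[token] = (user, vm, self._clock() + self._ttl)
        return token

    def redeem(self, token, user, vm):
        # Point 3: pop() consumes the token on first presentation, so a
        # copied URL carrying it is useless afterwards, even if this check fails.
        entry = self._live.pop(token, None)
        if entry is None:
            return False
        owner, bound_vm, expiry = entry
        if self._clock() > expiry:
            return False
        # The token only works for the session user and VM it was issued for.
        return owner == user and bound_vm == vm


def demo():
    # Constructed sample data: alice owns vm1, bob owns nothing.
    store = ConsoleTokenStore({"vm1": {"alice"}})
    token = store.issue("alice", "vm1")
    first = store.redeem(token, "alice", "vm1")   # legitimate console open
    replay = store.redeem(token, "alice", "vm1")  # same URL opened again
    return first, replay


if __name__ == "__main__":
    print(demo())
```
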
On 05/20/2014 11:27 PM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> get the password from cookie and pass them in url to spice and VNC page.
> For spice we need to get the password from this url and pass it to
> websocket connection.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
> ui/pages/spice.html.tmpl | 3 ++-
> ui/pages/websockify/console.html | 5 +++++
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
> index 213d216..c2bdffe 100644
> --- a/ui/pages/spice.html.tmpl
> +++ b/ui/pages/spice.html.tmpl
> @@ -64,6 +64,7 @@
> host = getParameter("listen");
> port = getParameter("port");
> token = getParameter("token");
> + password = getParameter("password")
> document.getElementById("host").value = host;
> document.getElementById("port").value = port;
> if ((!host) || (!port)) {
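Review bot: the added line `password = getParameter("password")` takes the console password from the page URL, which leaves it in the address bar, in browser history and in anything that records the full URL; prefer a channel that is not part of the URL, for example having the page exchange the `token` it already reads for the ticket. The line is also missing its terminating semicolon, unlike the three assignments above it.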
> @@ -82,7 +83,7 @@
> screen_id : "spice-screen",
> dump_id : "debug-div",
> message_id : "message-div",
> - password : "",
> + password : password,
> onerror : spice_error
> });
> } catch (e) {
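Review bot: `password : password` drops the previous empty-string default, so when the URL has no `password` parameter the options object now receives whatever `getParameter` returns for a missing key instead of `""`. Writing `password : password || ""` keeps the old behaviour for VMs that have no ticket set.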
> diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html
> index a536e38..7706074 100644
> --- a/ui/pages/websockify/console.html
> +++ b/ui/pages/websockify/console.html
> @@ -16,6 +16,11 @@
> var url = "https://" + location.hostname + ":" + kimchi_port + "/";
> url += path + query
>
> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g');
> + var match = cookieRe.exec(document.cookie);
> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
> + url += ticket ? "&password=" + ticket : '';
> +
> window.location.replace(url)
> }
> </script>
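Review bot: in `url += ticket ? "&password=" + ticket : '';` the ticket has just been run through `decodeURIComponent` and is then appended to the query string unencoded, so a ticket containing `&`, `#`, `%` or `+` will be cut short or altered when the console page parses it; use `encodeURIComponent(ticket)` there. In the RegExp string the second `\s` is not double-escaped like the first, so inside the quoted string it collapses to a literal `s`, and the pattern is unanchored, so it also matches a cookie whose name merely ends in `ticketVM`.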