[Kimchi-devel] [PATCH 4/4] set the password for spice and VNC page.

Wang Wen wenwang at linux.vnet.ibm.com
Tue May 27 01:54:00 UTC 2014


On 05/26/2014 10:14 PM, Sheldon wrote:
> On 05/26/2014 04:43 PM, wenwang wrote:
>> From my personal perspective, I don't think changing the password 
>> that often is that good a solution.
>>
>> Security is definitely our first priority for Kimchi, whereas playing 
>> with the password might not seem to be that professional. Our 
>> intention is to make Kimchi a robust and secure tool for managing 
>> the VMs, due to which I have a thought that might be of some help 
>> with this issue:
>>
>> Since we want to prevent connections from users who are not the 
>> maker of certain VMs, why not set a tag that indicates which user is 
>> authorized to use certain VMs? It functions like this:
>>
>> 1) If the authentication by tags failed, we can disable any action 
>> from that user.
> do you mean a role on every action?
What if we just break the connection from unauthenticated users? If 
one user doesn't have the right to connect to certain VMs, just don't let 
him connect to those VMs. He can do nothing that violates the security, right?
>
>> 2) A VNC password is required and can be set either by the Kimchi 
>> password or by the user himself/herself. Once set, users can use the 
>> SSO method to connect to the VM using Kimchi, and VNC has a password 
>> that the user knows.
>> 3) For the issue that other users may connect to VMs by copying the 
>> URL, I think we can set a token that expires once logged in. Without 
>> the token, the user needs to log in to Kimchi again for safety concerns.
> who will check the token?
> the http(s) server or ws(s) server?
This token is for the authentication check, so it should be sent by the 
server from the VNC side and checked by them.
>>
>> Best Regards
>>
>> Wang Wen
>>
>>
>> On 05/20/2014 11:27 PM, shaohef at linux.vnet.ibm.com wrote:
>>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>>
>>> Get the password from the cookie and pass it in the URL to the spice 
>>> and VNC page.
>>> For spice we need to get the password from this url and pass it to
>>> websocket connection.
>>>
>>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>> ---
>>> ui/pages/spice.html.tmpl | 3 ++-
>>> ui/pages/websockify/console.html | 5 +++++
>>> 2 files changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
>>> index 213d216..c2bdffe 100644
>>> --- a/ui/pages/spice.html.tmpl
>>> +++ b/ui/pages/spice.html.tmpl
>>> @@ -64,6 +64,7 @@
>>> host = getParameter("listen");
>>> port = getParameter("port");
>>> token = getParameter("token");
>>> + password = getParameter("password")
>>> document.getElementById("host").value = host;
>>> document.getElementById("port").value = port;
>>> if ((!host) || (!port)) {
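Review bot: the added `password = getParameter("password")` line reads the console password from the page URL, so the secret ends up in browser history and in any log that records the full URL. Consider handing it to this page some other way, or clearing the query string as soon as the value has been read. The line is also missing the trailing semicolon that the assignments around it have.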
>>> @@ -82,7 +83,7 @@
>>> screen_id : "spice-screen",
>>> dump_id : "debug-div",
>>> message_id : "message-div",
>>> - password : "",
>>> + password : password,
>>> onerror : spice_error
>>> });
>>> } catch (e) {
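Review bot: `password : password` drops the old empty-string default, so when the URL has no `password` parameter the connection now gets whatever `getParameter` returns for a missing key. If that is not `""`, keep the previous behaviour with `password : password || ""`.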
>>> diff --git a/ui/pages/websockify/console.html 
>>> b/ui/pages/websockify/console.html
>>> index a536e38..7706074 100644
>>> --- a/ui/pages/websockify/console.html
>>> +++ b/ui/pages/websockify/console.html
>>> @@ -16,6 +16,11 @@
>>> var url = "https://" + location.hostname + ":" + kimchi_port + "/";
>>> url += path + query
>>>
>>> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g');
>>> + var match = cookieRe.exec(document.cookie);
>>> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
>>> + url += ticket ? "&password=" + ticket : '';
>>> +
>>> window.location.replace(url)
>>> }
>>> </script>
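Review bot: the ticket is passed through `decodeURIComponent` and then concatenated into the URL raw, so a value containing `&`, `#` or `%` would corrupt the query string; append it with `encodeURIComponent(ticket)` instead. In the `RegExp` string the second `\s` carries a single backslash, which a JavaScript string literal reduces to a plain `s`, and the pattern is not anchored to the start of a cookie name, so any cookie whose name ends in `ticketVM` also matches. The `'g'` flag is not needed for a single `exec` call.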
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>>
>>
>
>
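The per-VM tag and the one-time token proposed in the message above, sketched as an added example (not code from this thread or from Kimchi). The class name, the 30-second lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30  # seconds a token stays valid; assumed value


class ConsoleTokens:
    """Single-use, short-lived console tokens bound to one user and one VM."""

    def __init__(self, vm_users, clock=time.monotonic):
        self._vm_users = vm_users  # the "tag": VM name -> set of authorized users
        self._pending = {}         # sha256(token) -> (user, vm, expiry)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a dump of the table does not yield tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, vm):
        """Web app side, after login: refuse users not tagged on the VM."""
        if user not in self._vm_users.get(vm, set()):
            raise PermissionError(f"{user} is not authorized for {vm}")
        token = secrets.token_urlsafe(32)
        expiry = self._clock() + TOKEN_TTL
        self._pending[self._digest(token)] = (user, vm, expiry)
        return token

    def redeem(self, token, vm):
        """Console proxy side, on connect: return the user, or None to refuse."""
        # pop() removes the entry on first sight, so a copied URL cannot be replayed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, bound_vm, expiry = entry
        if bound_vm != vm or self._clock() > expiry:
            return None
        # Re-check the tag in case access was revoked after the token was issued.
        if user not in self._vm_users.get(vm, set()):
            return None
        return user
```

A token presented for the wrong VM is consumed as well, so a failed attempt cannot be retried against another console.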



