Ok, I understood. Thank you for the information. And could you please
comment somehow on the approach with error sending which I described in a
previous email?
On Thursday, 25 October 2018, Piotr Kliczewski wrote:
Thu, 25 Oct 2018, 06:32, Anastasiya Ruzhanskaya <
anastasiya.ruzhanskaya(a)frtk.ru> wrote:
> Also in official docs of oVirt it is written that xml rpc is used. For
> example here:
> https://ovirt.org/documentation/architecture/architecture/
> So, this is incorrect info, right?
>
This doc seems not to be up to date for quite some time. Now we use jsonrpc
over stomp.
> Thu, 25 Oct 2018 at 7:28, Anastasiya Ruzhanskaya <
> anastasiya.ruzhanskaya(a)frtk.ru>:
>
>> In virt-manager for the same purpose there was an option to send error
>> messages with the help of mitmproxy. I modified this proxy a little bit to be
>> able to use it with any tcp connection.
>> And this error message was correctly processed. But the amount of source
>> code for analysis in that case was rather small and I found rather quickly
>> how error messages should be sent and encoded in rpc.
>>
>> Is there any possibility like this here?
>>
>> Thu, 25 Oct 2018 at 0:47, Piotr Kliczewski <pkliczew(a)redhat.com>:
>>
>>>
>>>
>>> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya <
>>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>>
>>>> My proxy is based on mitmproxy, so I want to analyze messages coming
>>>> from client to ovirt-engine or from engine to node and based on the
>>>> content permit the actions or not. I know that there is access control inside
>>>> oVirt, but I need to implement a similar thing by myself using a proxy.
>>>> From ovirt-engine to vdsm it is trickier as there I have no users and
>>>> session ids to identify the actor, I can determine only actions.
>>>>
>>>
>>> By using engine or vdsm certs you could decrypt the traffic. How would
>>> you prevent a command from being executed? If you drop packet(s) the engine
>>> would attempt to retry or consider vdsm to be down/dead. In either case
>>> the engine would be confused.
>>> I would not recommend such an approach because it may prevent you from
>>> using oVirt or break it.
>>>
>>>
>>>>
>>>> But anyway, I can decipher normal rpc (for virt-manager), got
>>>> familiar with gwt-rpc (client-engine) and now trying to understand what
>>>> is happening with xml rpc.
>>>>
>>>
>>> As Nir mentioned we establish tcp connection and send jsonrpc over
>>> stomp.
>>>
>>>
>>>>
>>>> Wed, 24 Oct 2018 at 21:41, Nir Soffer <nsoffer(a)redhat.com>:
>>>>
>>>>>
>>>>>
>>>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, <
>>>>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>>>>
>>>>>> I need this for my proxy,
>>>>>>
>>>>>
>>>>> What is your proxy?
>>>>>
>>>>>> I need to do this analysis "online", not just by analyzing the logs
>>>>>> after the action happened.
>>>>>>
>>>>>> Wed, 24 Oct 2018 at 19:00, Nir Soffer <nsoffer(a)redhat.com>:
>>>>>>
>>>>>>>
>>>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, <
>>>>>>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>>>>>>
>>>>>>>> Hello!
>>>>>>>> I was successful in deciphering the traffic between the client and
>>>>>>>> ovirt-engine,
>>>>>>>>
>>>>>>>
>>>>>>> Why do you need to do this? It is easier to add logging to vdsm if
>>>>>>> you want to see more info about the messages.
>>>>>>>
>>>>>>> Anyway Piotr may help.
>>>>>>>
>>>>>>> Nir
>>>>>>>
>>>>>>>> actually, only by dumping the premaster key from the browser, which
>>>>>>>> was generated during the session and providing it to wireshark.
>>>>>>>>
>>>>>>>> How can it be done for ovirt-engine and vdsm communication? Should
>>>>>>>> the engine private key be provided? Actually to my surprise I don't see any
>>>>>>>> ssl communication between engine and node when I for example turn on the
>>>>>>>> virtual machine, only tcp packets. But this page
>>>>>>>> https://ovirt.org/develop/release-management/features/infra/pki/
>>>>>>>> states that there should be one. And also should I look for any xml rpc
>>>>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found
>>>>>>>> a dissector for that case, but seems I need another one here.
>>>>>>>>
>>>>>>>
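
Added example, not part of the original thread and not oVirt or vdsm code: a sketch of the proxy-side check discussed above, which parses one STOMP frame carrying a JSON-RPC request and answers a denied method with a JSON-RPC error instead of dropping the packet. Assumptions: LF line endings, no STOMP header escaping, replies are routed through a `reply-to` header, and the destinations, method name and policy are constructed sample values.

```python
import json

# Constructed policy: methods this proxy refuses (sample value, not from the thread).
DENIED_METHODS = {"VM.destroy"}

def parse_stomp_frame(raw: bytes):
    """Split one STOMP frame into (command, headers, body)."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("utf-8").split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # STOMP: first occurrence of a header wins
    if "content-length" in headers:
        body = rest[: int(headers["content-length"])]
    else:
        body = rest.split(b"\x00", 1)[0]  # body ends at the NUL terminator
    return lines[0], headers, body

def build_stomp_frame(command: str, headers: dict, body: bytes) -> bytes:
    headers = {**headers, "content-length": str(len(body))}
    head = "\n".join([command] + [f"{k}:{v}" for k, v in headers.items()])
    return head.encode("utf-8") + b"\n\n" + body + b"\x00"

def filter_frame(raw: bytes):
    """Return ("forward", raw), ("drop", b"") or ("reject", error_frame)."""
    command, headers, body = parse_stomp_frame(raw)
    if command != "SEND":
        return "forward", raw
    try:
        request = json.loads(body)
    except ValueError:
        return "forward", raw  # not JSON: passed through here; a strict policy could reject
    if not isinstance(request, dict) or request.get("method") not in DENIED_METHODS:
        return "forward", raw
    if "id" not in request:
        return "drop", b""  # JSON-RPC 2.0 notifications never get a response
    error = {"jsonrpc": "2.0", "id": request["id"],
             "error": {"code": -32000, "message": "denied by proxy policy"}}
    reply_headers = {"destination": headers.get("reply-to", ""),  # assumed routing
                     "content-type": "application/json"}
    return "reject", build_stomp_frame("MESSAGE", reply_headers, json.dumps(error).encode())

# Constructed sample request frame (destinations are placeholders).
SAMPLE = build_stomp_frame(
    "SEND", {"destination": "requests.example", "reply-to": "responses.example"},
    json.dumps({"jsonrpc": "2.0", "method": "VM.destroy", "params": {}, "id": "req-1"}).encode())
```

Echoing the request `id` in the error is what lets the caller match the rejection to its pending call rather than time out and retry.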