My proxy is based on mitmproxy, so I want to analyze messages coming from the client to ovirt-engine or from the engine to a node and, based on the content, permit the actions or not. I know that there is access control inside oVirt, but I need to implement a similar thing by myself using a proxy. From ovirt-engine to vdsm it is trickier, as there I have no users and session ids to identify the actor; I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent a command from being executed? If you drop packet(s), the engine would attempt to retry or consider vdsm to be down/dead. In either case the engine would be confused.
I would not recommend such an approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc (for virt-manager), got familiar with gwt-rpc (client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned, we establish a tcp connection and send jsonrpc over stomp.
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs after the action happened.
Hello!
I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? It is easier to add logging to vdsm if you want to see more info about the messages.
Anyway Piotr may help.
Nir
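The inspection step discussed in this thread, as an added example that is not from any participant or from oVirt: it parses one already-decrypted STOMP frame on the engine-to-vdsm side, pulls out the JSON-RPC method and returns a verdict only. The policy set, the destination value, the method names in the sample frames and LF-only line endings are assumptions, and what the proxy does on a deny (the retry problem raised above) is left open.

```python
import json

# Hypothetical policy: JSON-RPC methods this proxy lets through to vdsm.
ALLOWED_METHODS = {"Host.getCapabilities", "Host.getStats"}

def parse_stomp_frame(raw: bytes):
    """Split one STOMP frame into (command, headers, body). Assumes LF line endings."""
    raw = raw.lstrip(b"\n")                      # skip heartbeat newlines between frames
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("utf-8").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name, value)          # STOMP: first occurrence of a header wins
    if "content-length" in headers:
        n = int(headers["content-length"])       # body may itself contain NUL bytes
        if rest[n:n + 1] != b"\x00":
            raise ValueError("content-length does not match frame terminator")
        body = rest[:n]
    else:
        body, nul, _ = rest.partition(b"\x00")
        if not nul:
            raise ValueError("frame is not NUL-terminated")
    return lines[0], headers, body

def decide(raw: bytes):
    """Return (verdict, method, request id) for one engine-to-vdsm frame."""
    command, _headers, body = parse_stomp_frame(raw)
    if command != "SEND":
        return ("pass", None, None)              # CONNECT, SUBSCRIBE etc. carry no call
    try:
        msg = json.loads(body)
    except ValueError:
        return ("deny", None, None)              # unparseable payload: fail closed
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return ("deny", None, None)              # batches and non-requests: fail closed
    verdict = "allow" if msg["method"] in ALLOWED_METHODS else "deny"
    return (verdict, msg["method"], msg.get("id"))

def make_send(method: str, req_id: str) -> bytes:
    """Build a constructed sample frame; the destination value is an assumption."""
    body = json.dumps({"jsonrpc": "2.0", "method": method,
                       "params": {}, "id": req_id}).encode()
    head = f"SEND\ndestination:jms.topic.vdsm_requests\ncontent-length:{len(body)}\n\n"
    return head.encode() + body + b"\x00"

if __name__ == "__main__":
    for frame in (make_send("Host.getStats", "1"), make_send("VM.destroy", "2")):
        print(decide(frame))
```

The returned request id is what a proxy would need in order to correlate any later response with the request it judged.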