[ovirt-devel] Re: Decipher traffic between ovirt-engine and ovirt-node (vdsm)

Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email?

четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал: > > > czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < > anastasiya.ruzhanskaya(a)frtk.ru&gt; napisał: > >> Also in official docs of oVirt it is written that xml rpc is used. For >> example here : >> https://ovirt.org/documentation/architecture/architecture/ >> So, this is an incorrect info, right? >> > > This doc seems not to up to date for quite some time. Now we use jsonrpc > over stomp. > > >> чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < >> anastasiya.ruzhanskaya(a)frtk.ru&gt;: >> >>> In virt-manager for the same purpose there was an option to send error >>> messages with help of mitmproxy. I modified a little bit this proxy to be >>> able to use it with any tcp connection. >>> And this error message was correctly processed. But the amount of >>> source code for analysis in that case was rather small and I found rather >>> quickly how error messages should be sent and encoded in rpc. >>> >>> Is there any possibility like this here? >>> >>> чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew(a)redhat.com&gt;: >>> >>>> >>>> >>>> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < >>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>> >>>>> My proxy is based on mitmproxy, so I want to analyze messages coming >>>>> from client to ovirt-engine or from engine to node and based on the content >>>>> permit the actions or not. I know that there is access control inside >>>>> oVirt, but I need to implement the similar thing by myself using proxy. >>>>> From ovirt-engine to vdsm it is trickier as there I have no users and >>>>> session ids to identify the actor, I can determine only actions. >>>>> >>>> >>>> By using engine or vdsm certs you could decrypt the traffic. How would >>>> you prevent command from being executed. If you drop packet(s) the engine >>>> would attempt to retry or consider vdsm to be down/dead. In either case >>>> engine would be confused. >>>> I would not recommend such approach because it may prevent you from >>>> using oVirt or break it. >>>> >>>> >>>>> >>>>> But anyway, I can decipher normal rpc ( for virt-manager), got >>>>> familiar with gwt -rpc ( client-engine) and now trying to understand what >>>>> is happening with xml rpc. >>>>> >>>> >>>> As Nir mentioned we estabilish tcp connection and send jsonrpc over >>>> stomp. >>>> >>>> >>>>> >>>>> ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer(a)redhat.com&gt;: >>>>> >>>>>> >>>>>> >>>>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < >>>>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>>>> >>>>>>> I need this for my proxy, >>>>>>> >>>>>> >>>>>> What is your proxy? >>>>>> >>>>>> I need to do this analysis "online", not just by analyzing the logs >>>>>>> after the action happened. >>>>>>> >>>>>>> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer(a)redhat.com&gt;: >>>>>>> >>>>>>>> >>>>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>>>>>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>>>>>> >>>>>>>>> Hello! >>>>>>>>> I was successful in deciphering the traffic between the client >>>>>>>>> and ovirt-engine, >>>>>>>>> >>>>>>>> >>>>>>>> Why do you need to do this? it is easier to add logging to vdsm of >>>>>>>> you want to see more info about the messages. >>>>>>>> >>>>>>>> Anyway Piotr may help. >>>>>>>> >>>>>>>> Nir >>>>>>>> >>>>>>>> actually, only by dumping the premaster key from the browser, >>>>>>>>> which was generated during the session and providing it to wireshark. >>>>>>>>> >>>>>>>>> How it can be done for ovirt-engine and vdsm communication? >>>>>>>>> Should the engine private key be provided? Actually to my surprise I don't >>>>>>>>> see any ssl communication between engine and node when for example turn on >>>>>>>>> the virtual machine, only tcp packets. But this page >>>>>>>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>>>>>>> states that there should be one. And also should I look for any xml rpc >>>>>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>>>>>>> a dissector for that case, but seems I need another one here. >>>>>>>>> _______________________________________________ >>>>>>>>> Devel mailing list -- devel(a)ovirt.org >>>>>>>>> To unsubscribe send an email to devel-leave(a)ovirt.org >>>>>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>>>>> oVirt Code of Conduct: >>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>>>>> List Archives: >>>>>>>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF5... >>>>>>>>> >>>>>>>>