Thu, 25 Oct 2018, 06:32 Anastasiya Ruzhanskaya <
anastasiya.ruzhanskaya(a)frtk.ru> wrote:
> Also in official docs of oVirt it is written that xml rpc is used. For
> example here:
> https://ovirt.org/documentation/architecture/architecture/
> So, this is an incorrect info, right?
This doc seems not to be up to date for quite some time. Now we use jsonrpc
over stomp.
Thu, 25 Oct 2018 at 7:28, Anastasiya Ruzhanskaya <
anastasiya.ruzhanskaya(a)frtk.ru>:
> In virt-manager for the same purpose there was an option to send error
> messages with help of mitmproxy. I modified a little bit this proxy to be
> able to use it with any tcp connection.
> And this error message was correctly processed. But the amount of source
> code for analysis in that case was rather small and I found rather quickly
> how error messages should be sent and encoded in rpc.
>
> Is there any possibility like this here?
>
> Thu, 25 Oct 2018 at 0:47, Piotr Kliczewski <pkliczew(a)redhat.com>:
>
>>
>>
>> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya <
>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>
>>> My proxy is based on mitmproxy, so I want to analyze messages coming
>>> from client to ovirt-engine or from engine to node and based on the content
>>> permit the actions or not. I know that there is access control inside
>>> oVirt, but I need to implement the similar thing by myself using proxy.
>>> From ovirt-engine to vdsm it is trickier as there I have no users and
>>> session ids to identify the actor, I can determine only actions.
>>>
>>
>> By using engine or vdsm certs you could decrypt the traffic. How would
>> you prevent a command from being executed? If you drop packet(s) the engine
>> would attempt to retry or consider vdsm to be down/dead. In either case
>> engine would be confused.
>> I would not recommend such an approach because it may prevent you from
>> using oVirt or break it.
>>
>>
>>>
>>> But anyway, I can decipher normal rpc (for virt-manager), got familiar
>>> with gwt-rpc (client-engine) and now trying to understand what is
>>> happening with xml rpc.
>>>
>>
>> As Nir mentioned we establish tcp connection and send jsonrpc over
>> stomp.
>>
>>
>>>
>>> Wed, 24 Oct 2018 at 21:41, Nir Soffer <nsoffer(a)redhat.com>:
>>>
>>>>
>>>>
>>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, <
>>>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>>>
>>>>> I need this for my proxy,
>>>>>
>>>>
>>>> What is your proxy?
>>>>
>>>>> I need to do this analysis "online", not just by analyzing the logs
>>>>> after the action happened.
>>>>>
>>>>> Wed, 24 Oct 2018 at 19:00, Nir Soffer <nsoffer(a)redhat.com>:
>>>>>
>>>>>>
>>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, <
>>>>>> anastasiya.ruzhanskaya(a)frtk.ru> wrote:
>>>>>>
>>>>>>> Hello!
>>>>>>> I was successful in deciphering the traffic between the client and
>>>>>>> ovirt-engine,
>>>>>>>
>>>>>>
>>>>>> Why do you need to do this? It is easier to add logging to vdsm if
>>>>>> you want to see more info about the messages.
>>>>>>
>>>>>> Anyway Piotr may help.
>>>>>>
>>>>>> Nir
>>>>>>
>>>>>>> actually, only by dumping the premaster key from the browser, which
>>>>>>> was generated during the session and providing it to wireshark.
>>>>>>>
>>>>>>> How can it be done for ovirt-engine and vdsm communication? Should
>>>>>>> the engine private key be provided? Actually to my surprise I don't see any
>>>>>>> ssl communication between engine and node when for example I turn on the
>>>>>>> virtual machine, only tcp packets. But this page
>>>>>>> https://ovirt.org/develop/release-management/features/infra/pki/
>>>>>>> states that there should be one. And also should I look for any xml rpc
>>>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found
>>>>>>> a dissector for that case, but seems I need another one here.
>>>>>>> _______________________________________________
>>>>>>> Devel mailing list -- devel(a)ovirt.org