[ovirt-devel] Re: Decipher traffic between ovirt-engine and ovirt-node (vdsm)

I just need to make an overlay on this system as in our organization it will be more problematic to certify the whole ovirt than our tool for calls filtering. Just the organizational reason. Also we want to use an attribute based model.

чт, 25 окт. 2018 г. в 23:02, Piotr Kliczewski <pkliczew(a)redhat.com&gt;: > > > On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya < > anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: > >> Ok, I understood. Thank you for the information. And could you please >> somehow comment the approach with error sending which I described in a >> previous email? >> > > I am not sure what would be correct error to return here since every > error has a meaning for engine. For some we fail the action but for others > we attempt to retry fix, fix the issue by > soft fencing the host. > > Can you share with me what are you missing from current authorization > model so you need to filter the calls? > > >> >> четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал: >> >>> >>> >>> czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < >>> anastasiya.ruzhanskaya(a)frtk.ru&gt; napisał: >>> >>>> Also in official docs of oVirt it is written that xml rpc is used. For >>>> example here : >>>> https://ovirt.org/documentation/architecture/architecture/ >>>> So, this is an incorrect info, right? >>>> >>> >>> This doc seems not to up to date for quite some time. Now we use >>> jsonrpc over stomp. >>> >>> >>>> чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < >>>> anastasiya.ruzhanskaya(a)frtk.ru&gt;: >>>> >>>>> In virt-manager for the same purpose there was an option to send >>>>> error messages with help of mitmproxy. I modified a little bit this proxy >>>>> to be able to use it with any tcp connection. >>>>> And this error message was correctly processed. But the amount of >>>>> source code for analysis in that case was rather small and I found rather >>>>> quickly how error messages should be sent and encoded in rpc. >>>>> >>>>> Is there any possibility like this here? >>>>> >>>>> чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew(a)redhat.com&gt;: >>>>> >>>>>> >>>>>> >>>>>> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < >>>>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>>>> >>>>>>> My proxy is based on mitmproxy, so I want to analyze messages >>>>>>> coming from client to ovirt-engine or from engine to node and based on the >>>>>>> content permit the actions or not. I know that there is access control >>>>>>> inside oVirt, but I need to implement the similar thing by myself using >>>>>>> proxy. From ovirt-engine to vdsm it is trickier as there I have no users >>>>>>> and session ids to identify the actor, I can determine only actions. >>>>>>> >>>>>> >>>>>> By using engine or vdsm certs you could decrypt the traffic. How >>>>>> would you prevent command from being executed. If you drop packet(s) the >>>>>> engine would attempt to retry or consider vdsm to be down/dead. In either >>>>>> case engine would be confused. >>>>>> I would not recommend such approach because it may prevent you from >>>>>> using oVirt or break it. >>>>>> >>>>>> >>>>>>> >>>>>>> But anyway, I can decipher normal rpc ( for virt-manager), got >>>>>>> familiar with gwt -rpc ( client-engine) and now trying to understand what >>>>>>> is happening with xml rpc. >>>>>>> >>>>>> >>>>>> As Nir mentioned we estabilish tcp connection and send jsonrpc over >>>>>> stomp. >>>>>> >>>>>> >>>>>>> >>>>>>> ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer(a)redhat.com&gt;: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < >>>>>>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>>>>>> >>>>>>>>> I need this for my proxy, >>>>>>>>> >>>>>>>> >>>>>>>> What is your proxy? >>>>>>>> >>>>>>>> I need to do this analysis "online", not just by analyzing the >>>>>>>>> logs after the action happened. >>>>>>>>> >>>>>>>>> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer(a)redhat.com&gt;: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>>>>>>>>> anastasiya.ruzhanskaya(a)frtk.ru&gt; wrote: >>>>>>>>>> >>>>>>>>>>> Hello! >>>>>>>>>>> I was successful in deciphering the traffic between the client >>>>>>>>>>> and ovirt-engine, >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Why do you need to do this? it is easier to add logging to vdsm >>>>>>>>>> of you want to see more info about the messages. >>>>>>>>>> >>>>>>>>>> Anyway Piotr may help. >>>>>>>>>> >>>>>>>>>> Nir >>>>>>>>>> >>>>>>>>>> actually, only by dumping the premaster key from the browser, >>>>>>>>>>> which was generated during the session and providing it to wireshark. >>>>>>>>>>> >>>>>>>>>>> How it can be done for ovirt-engine and vdsm communication? >>>>>>>>>>> Should the engine private key be provided? Actually to my surprise I don't >>>>>>>>>>> see any ssl communication between engine and node when for example turn on >>>>>>>>>>> the virtual machine, only tcp packets. But this page >>>>>>>>>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>>>>>>>>> states that there should be one. And also should I look for any xml rpc >>>>>>>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>>>>>>>>> a dissector for that case, but seems I need another one here. >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Devel mailing list -- devel(a)ovirt.org >>>>>>>>>>> To unsubscribe send an email to devel-leave(a)ovirt.org >>>>>>>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>>>>>>> oVirt Code of Conduct: >>>>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>>>>>>> List Archives: >>>>>>>>>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF5... >>>>>>>>>>> >>>>>>>>>>