Decipher traffic between ovirt-engine and ovirt-node (vdsm)
Hello! I was successful in deciphering the traffic between the client and ovirt-engine, actually, only by dumping the premaster key from the browser, which was generated during the session and providing it to wireshark. How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here.
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages. Anyway Piotr may help. Nir actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
I need this for my proxy, I need to do this analysis "online", not just by analyzing the logs after the action happened. ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy? I need to do this analysis "online", not just by analyzing the logs after
the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions. But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc. ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs after
the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
On Wed, 24 Oct 2018, 20:34 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy,
this is http/s proxy... so I want to analyze messages coming from client to ovirt-engine or from
engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
but engine and vdsm are using jsonrpc over stomp, which is similar to http, but not the same.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs after
the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs after
the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which was
generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc. Is there any possibility like this here? чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs
after the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
Hello! I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which
was generated during the session and providing it to wireshark.
How it can be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here. _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF...
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right? чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs
after the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
> Hello! > I was successful in deciphering the traffic between the client and > ovirt-engine, >
Why do you need to do this? it is easier to add logging to vdsm of you want to see more info about the messages.
Anyway Piotr may help.
Nir
actually, only by dumping the premaster key from the browser, which > was generated during the session and providing it to wireshark. > > How it can be done for ovirt-engine and vdsm communication? Should > the engine private key be provided? Actually to my surprise I don't see any > ssl communication between engine and node when for example turn on the > virtual machine, only tcp packets. But this page > https://ovirt.org/develop/release-management/features/infra/pki/ > states that there should be one. And also should I look for any xml rpc > dissector? I know that for example virt-manager uses rpc protocol, I found > a dissector for that case, but seems I need another one here. > _______________________________________________ > Devel mailing list -- devel@ovirt.org > To unsubscribe send an email to devel-leave@ovirt.org > Privacy Statement: https://www.ovirt.org/site/privacy-policy/ > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
I need this for my proxy,
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs
after the action happened.
ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>:
> > On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < > anastasiya.ruzhanskaya@frtk.ru> wrote: > >> Hello! >> I was successful in deciphering the traffic between the client and >> ovirt-engine, >> > > Why do you need to do this? it is easier to add logging to vdsm of > you want to see more info about the messages. > > Anyway Piotr may help. > > Nir > > actually, only by dumping the premaster key from the browser, which >> was generated during the session and providing it to wireshark. >> >> How it can be done for ovirt-engine and vdsm communication? Should >> the engine private key be provided? Actually to my surprise I don't see any >> ssl communication between engine and node when for example turn on the >> virtual machine, only tcp packets. But this page >> https://ovirt.org/develop/release-management/features/infra/pki/ >> states that there should be one. And also should I look for any xml rpc >> dissector? I know that for example virt-manager uses rpc protocol, I found >> a dissector for that case, but seems I need another one here. >> _______________________________________________ >> Devel mailing list -- devel@ovirt.org >> To unsubscribe send an email to devel-leave@ovirt.org >> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >> oVirt Code of Conduct: >> https://www.ovirt.org/community/about/community-guidelines/ >> List Archives: >> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >> >
Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email? четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал:
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < anastasiya.ruzhanskaya@frtk.ru> wrote:
> I need this for my proxy, >
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs > after the action happened. > > ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>: > >> >> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >> anastasiya.ruzhanskaya@frtk.ru> wrote: >> >>> Hello! >>> I was successful in deciphering the traffic between the client and >>> ovirt-engine, >>> >> >> Why do you need to do this? it is easier to add logging to vdsm of >> you want to see more info about the messages. >> >> Anyway Piotr may help. >> >> Nir >> >> actually, only by dumping the premaster key from the browser, which >>> was generated during the session and providing it to wireshark. >>> >>> How it can be done for ovirt-engine and vdsm communication? Should >>> the engine private key be provided? Actually to my surprise I don't see any >>> ssl communication between engine and node when for example turn on the >>> virtual machine, only tcp packets. But this page >>> https://ovirt.org/develop/release-management/features/infra/pki/ >>> states that there should be one. And also should I look for any xml rpc >>> dissector? I know that for example virt-manager uses rpc protocol, I found >>> a dissector for that case, but seems I need another one here. >>> _______________________________________________ >>> Devel mailing list -- devel@ovirt.org >>> To unsubscribe send an email to devel-leave@ovirt.org >>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>> oVirt Code of Conduct: https://www.ovirt.org/ >>> community/about/community-guidelines/ >>> List Archives: https://lists.ovirt.org/ >>> archives/list/devel@ovirt.org/message/ >>> HJOBKO5MOF56NFEXX6Z2T7RBTFX6OACP/ >>> >>
On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email?
I am not sure what would be correct error to return here since every error has a meaning for engine. For some we fail the action but for others we attempt to retry fix, fix the issue by soft fencing the host. Can you share with me what are you missing from current authorization model so you need to filter the calls?
четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал:
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal rpc ( for virt-manager), got familiar with gwt -rpc ( client-engine) and now trying to understand what is happening with xml rpc.
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>:
> > > On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < > anastasiya.ruzhanskaya@frtk.ru> wrote: > >> I need this for my proxy, >> > > What is your proxy? > > I need to do this analysis "online", not just by analyzing the logs >> after the action happened. >> >> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>: >> >>> >>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>> >>>> Hello! >>>> I was successful in deciphering the traffic between the client >>>> and ovirt-engine, >>>> >>> >>> Why do you need to do this? it is easier to add logging to vdsm of >>> you want to see more info about the messages. >>> >>> Anyway Piotr may help. >>> >>> Nir >>> >>> actually, only by dumping the premaster key from the browser, >>>> which was generated during the session and providing it to wireshark. >>>> >>>> How it can be done for ovirt-engine and vdsm communication? >>>> Should the engine private key be provided? Actually to my surprise I don't >>>> see any ssl communication between engine and node when for example turn on >>>> the virtual machine, only tcp packets. But this page >>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>> states that there should be one. And also should I look for any xml rpc >>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>> a dissector for that case, but seems I need another one here. >>>> _______________________________________________ >>>> Devel mailing list -- devel@ovirt.org >>>> To unsubscribe send an email to devel-leave@ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: >>>> https://www.ovirt.org/community/about/community-guidelines/ >>>> List Archives: >>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >>>> >>>
I just need to make an overlay on this system as in our organization it will be more problematic to certify the whole ovirt than our tool for calls filtering. Just the organizational reason. Also we want to use an attribute based model. чт, 25 окт. 2018 г. в 23:02, Piotr Kliczewski <pkliczew@redhat.com>:
On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email?
I am not sure what would be correct error to return here since every error has a meaning for engine. For some we fail the action but for others we attempt to retry fix, fix the issue by soft fencing the host.
Can you share with me what are you missing from current authorization model so you need to filter the calls?
четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал:
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
> My proxy is based on mitmproxy, so I want to analyze messages coming > from client to ovirt-engine or from engine to node and based on the content > permit the actions or not. I know that there is access control inside > oVirt, but I need to implement the similar thing by myself using proxy. > From ovirt-engine to vdsm it is trickier as there I have no users and > session ids to identify the actor, I can determine only actions. >
By using engine or vdsm certs you could decrypt the traffic. How would you prevent command from being executed. If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused. I would not recommend such approach because it may prevent you from using oVirt or break it.
> > But anyway, I can decipher normal rpc ( for virt-manager), got > familiar with gwt -rpc ( client-engine) and now trying to understand what > is happening with xml rpc. >
As Nir mentioned we estabilish tcp connection and send jsonrpc over stomp.
> > ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>: > >> >> >> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < >> anastasiya.ruzhanskaya@frtk.ru> wrote: >> >>> I need this for my proxy, >>> >> >> What is your proxy? >> >> I need to do this analysis "online", not just by analyzing the logs >>> after the action happened. >>> >>> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>: >>> >>>> >>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>>> >>>>> Hello! >>>>> I was successful in deciphering the traffic between the client >>>>> and ovirt-engine, >>>>> >>>> >>>> Why do you need to do this? it is easier to add logging to vdsm >>>> of you want to see more info about the messages. >>>> >>>> Anyway Piotr may help. >>>> >>>> Nir >>>> >>>> actually, only by dumping the premaster key from the browser, >>>>> which was generated during the session and providing it to wireshark. >>>>> >>>>> How it can be done for ovirt-engine and vdsm communication? >>>>> Should the engine private key be provided? Actually to my surprise I don't >>>>> see any ssl communication between engine and node when for example turn on >>>>> the virtual machine, only tcp packets. But this page >>>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>>> states that there should be one. And also should I look for any xml rpc >>>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>>> a dissector for that case, but seems I need another one here. >>>>> _______________________________________________ >>>>> Devel mailing list -- devel@ovirt.org >>>>> To unsubscribe send an email to devel-leave@ovirt.org >>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>> oVirt Code of Conduct: >>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>> List Archives: >>>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >>>>> >>>>
On Sat, Oct 27, 2018 at 6:14 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
I just need to make an overlay on this system as in our organization it will be more problematic to certify the whole ovirt than our tool for calls filtering. Just the organizational reason. Also we want to use an attribute based model.
I still fail to understand why do you need network level filtering. Structure of your organization should be model using permissions. Which calls/functionality is problematic?
чт, 25 окт. 2018 г. в 23:02, Piotr Kliczewski <pkliczew@redhat.com>:
On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email?
I am not sure what would be correct error to return here since every error has a meaning for engine. For some we fail the action but for others we attempt to retry fix, fix the issue by soft fencing the host.
Can you share with me what are you missing from current authorization model so you need to filter the calls?
четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал:
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection. And this error message was correctly processed. But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
Is there any possibility like this here?
чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>:
> > > On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < > anastasiya.ruzhanskaya@frtk.ru> wrote: > >> My proxy is based on mitmproxy, so I want to analyze messages >> coming from client to ovirt-engine or from engine to node and based on the >> content permit the actions or not. I know that there is access control >> inside oVirt, but I need to implement the similar thing by myself using >> proxy. From ovirt-engine to vdsm it is trickier as there I have no users >> and session ids to identify the actor, I can determine only actions. >> > > By using engine or vdsm certs you could decrypt the traffic. How > would you prevent command from being executed. If you drop packet(s) the > engine would attempt to retry or consider vdsm to be down/dead. In either > case engine would be confused. > I would not recommend such approach because it may prevent you from > using oVirt or break it. > > >> >> But anyway, I can decipher normal rpc ( for virt-manager), got >> familiar with gwt -rpc ( client-engine) and now trying to understand what >> is happening with xml rpc. >> > > As Nir mentioned we estabilish tcp connection and send jsonrpc over > stomp. > > >> >> ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>: >> >>> >>> >>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < >>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>> >>>> I need this for my proxy, >>>> >>> >>> What is your proxy? >>> >>> I need to do this analysis "online", not just by analyzing the >>>> logs after the action happened. >>>> >>>> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>: >>>> >>>>> >>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>>>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>>>> >>>>>> Hello! >>>>>> I was successful in deciphering the traffic between the client >>>>>> and ovirt-engine, >>>>>> >>>>> >>>>> Why do you need to do this? it is easier to add logging to vdsm >>>>> of you want to see more info about the messages. >>>>> >>>>> Anyway Piotr may help. >>>>> >>>>> Nir >>>>> >>>>> actually, only by dumping the premaster key from the browser, >>>>>> which was generated during the session and providing it to wireshark. >>>>>> >>>>>> How it can be done for ovirt-engine and vdsm communication? >>>>>> Should the engine private key be provided? Actually to my surprise I don't >>>>>> see any ssl communication between engine and node when for example turn on >>>>>> the virtual machine, only tcp packets. But this page >>>>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>>>> states that there should be one. And also should I look for any xml rpc >>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>>>> a dissector for that case, but seems I need another one here. >>>>>> _______________________________________________ >>>>>> Devel mailing list -- devel@ovirt.org >>>>>> To unsubscribe send an email to devel-leave@ovirt.org >>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>> oVirt Code of Conduct: >>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>> List Archives: >>>>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >>>>>> >>>>>
So, the requirements for me are: during the certification of the product (which includes code inspection on some undeclared possibilities, testing, verifying that this code is appropriate to use in specific companies) I don't want to make the certification for the whole ovirt (as the code inspection should be taken every time the ovirt version changes and it takes really long). So, I want to build a more lightweight service that just checks accesses and which I can give for certification less frequently than the ovirt (which will need this procedure on every released update). I don't want to touch or modify any ovirt functionality, so filtering on the network level seems to be the best solution for this. This certification procedure is essential, as every product that supply security aspects (here access control) should be thoroughly checked. And we mostly try to develop these overlay services. понедельник, 29 октября 2018 г. пользователь Piotr Kliczewski написал:
On Sat, Oct 27, 2018 at 6:14 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
I just need to make an overlay on this system as in our organization it will be more problematic to certify the whole ovirt than our tool for calls filtering. Just the organizational reason. Also we want to use an attribute based model.
I still fail to understand why do you need network level filtering. Structure of your organization should be model using permissions. Which calls/functionality is problematic?
чт, 25 окт. 2018 г. в 23:02, Piotr Kliczewski <pkliczew@redhat.com>:
On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> wrote:
Ok, I understood. Thank you for the information. And could you please somehow comment the approach with error sending which I described in a previous email?
I am not sure what would be correct error to return here since every error has a meaning for engine. For some we fail the action but for others we attempt to retry fix, fix the issue by soft fencing the host.
Can you share with me what are you missing from current authorization model so you need to filter the calls?
четверг, 25 октября 2018 г. пользователь Piotr Kliczewski написал:
czw., 25 paź 2018, 06:32 użytkownik Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru> napisał:
Also in official docs of oVirt it is written that xml rpc is used. For example here : https://ovirt.org/documentation/architecture/architecture/ So, this is an incorrect info, right?
This doc seems not to up to date for quite some time. Now we use jsonrpc over stomp.
чт, 25 окт. 2018 г. в 7:28, Anastasiya Ruzhanskaya < anastasiya.ruzhanskaya@frtk.ru>:
> In virt-manager for the same purpose there was an option to send > error messages with help of mitmproxy. I modified a little bit this proxy > to be able to use it with any tcp connection. > And this error message was correctly processed. But the amount of > source code for analysis in that case was rather small and I found rather > quickly how error messages should be sent and encoded in rpc. > > Is there any possibility like this here? > > чт, 25 окт. 2018 г. в 0:47, Piotr Kliczewski <pkliczew@redhat.com>: > >> >> >> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya < >> anastasiya.ruzhanskaya@frtk.ru> wrote: >> >>> My proxy is based on mitmproxy, so I want to analyze messages >>> coming from client to ovirt-engine or from engine to node and based on the >>> content permit the actions or not. I know that there is access control >>> inside oVirt, but I need to implement the similar thing by myself using >>> proxy. From ovirt-engine to vdsm it is trickier as there I have no users >>> and session ids to identify the actor, I can determine only actions. >>> >> >> By using engine or vdsm certs you could decrypt the traffic. How >> would you prevent command from being executed. If you drop packet(s) the >> engine would attempt to retry or consider vdsm to be down/dead. In either >> case engine would be confused. >> I would not recommend such approach because it may prevent you from >> using oVirt or break it. >> >> >>> >>> But anyway, I can decipher normal rpc ( for virt-manager), got >>> familiar with gwt -rpc ( client-engine) and now trying to understand what >>> is happening with xml rpc. >>> >> >> As Nir mentioned we estabilish tcp connection and send jsonrpc over >> stomp. >> >> >>> >>> ср, 24 окт. 2018 г. в 21:41, Nir Soffer <nsoffer@redhat.com>: >>> >>>> >>>> >>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, < >>>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>>> >>>>> I need this for my proxy, >>>>> >>>> >>>> What is your proxy? >>>> >>>> I need to do this analysis "online", not just by analyzing the >>>>> logs after the action happened. >>>>> >>>>> ср, 24 окт. 2018 г. в 19:00, Nir Soffer <nsoffer@redhat.com>: >>>>> >>>>>> >>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, < >>>>>> anastasiya.ruzhanskaya@frtk.ru> wrote: >>>>>> >>>>>>> Hello! >>>>>>> I was successful in deciphering the traffic between the client >>>>>>> and ovirt-engine, >>>>>>> >>>>>> >>>>>> Why do you need to do this? it is easier to add logging to vdsm >>>>>> of you want to see more info about the messages. >>>>>> >>>>>> Anyway Piotr may help. >>>>>> >>>>>> Nir >>>>>> >>>>>> actually, only by dumping the premaster key from the browser, >>>>>>> which was generated during the session and providing it to wireshark. >>>>>>> >>>>>>> How it can be done for ovirt-engine and vdsm communication? >>>>>>> Should the engine private key be provided? Actually to my surprise I don't >>>>>>> see any ssl communication between engine and node when for example turn on >>>>>>> the virtual machine, only tcp packets. But this page >>>>>>> https://ovirt.org/develop/release-management/features/infra/pki/ >>>>>>> states that there should be one. And also should I look for any xml rpc >>>>>>> dissector? I know that for example virt-manager uses rpc protocol, I found >>>>>>> a dissector for that case, but seems I need another one here. >>>>>>> _______________________________________________ >>>>>>> Devel mailing list -- devel@ovirt.org >>>>>>> To unsubscribe send an email to devel-leave@ovirt.org >>>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>>> oVirt Code of Conduct: >>>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>>> List Archives: >>>>>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/HJOBKO5MOF56NF... >>>>>>> >>>>>>
participants (3)
-
Anastasiya Ruzhanskaya -
Nir Soffer -
Piotr Kliczewski