Tomas Jelinek has submitted this change and it was merged. Change subject: core: Console stealing fix ...................................................................... core: Console stealing fix Only users with permission "VM" > "Administrative Operations" > "Override opened console session" (in code ActionGroup.RECONNECT_TO_VM) are able to connect to console someone else already have connected to (before next restart). This applies to if "Edit" VM dialog > "Console" tab > "Advanced parameters" > "Disable strict user checking" is disabled (in code VmBase#allowConsoleReconnect == false). If Strict user checking is disabled, anyone can steal console form anyone. Method SetVmTicketCommand#checkPermissions was removed and thus its tests were removed. "General command failure" was removed. Any error in SetVmTicketCommand that is not related to unauthorized console stealing is reporated by ConfigureConsoleOptionsQuery as EngineMessage.SETTING_VM_TICKET_FAILED. Previously it might happen that unauthorized attempt to steal console resulted in locked screen for current console user. This was caused by firing VDSM command "desktopLogin" earlier than execution SetVmTicketCommand (which actually verifies the permissions). It is solved by fixing frontend permission checking that prevents firing any command if SetVmTicketCommand would fail on permission check. User is notified about console being used by other user by pure fronend dialog. VM#getConsoleCurrentUserName() was replace by VM#getConsoleCurrentUserId() in ConsoleModel #executeCommandWithConsoleSafenessWarning() as getConsoleCurrentUserName() is not reliable (it is nulled in VdsEventListener#processOnClientIpChange()). Change-Id: Ib47107b2e2f85e4d05b13c3fe35ab4ad449d0ca5 Bug-Url: https://bugzilla.redhat.com/1297018 Signed-off-by: Jakub Niedermertl <jniederm@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/SetVmTicketCommand.java M backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/SetVmTicketCommandTest.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/EngineMessage.java M backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/ConsoleModel.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java M frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties M frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties 10 files changed, 24 insertions(+), 127 deletions(-) Approvals: Tomas Jelinek: Looks good to me, but someone else must approve Jakub Niedermertl: Verified Jenkins CI: Passed CI tests Arik Hadas: Looks good to me, approved -- To view, visit https://gerrit.ovirt.org/54228 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ib47107b2e2f85e4d05b13c3fe35ab4ad449d0ca5 Gerrit-PatchSet: 9 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Jakub Niedermertl <jniederm@redhat.com> Gerrit-Reviewer: Arik Hadas <ahadas@redhat.com> Gerrit-Reviewer: Jakub Niedermertl <jniederm@redhat.com> Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Tomas Jelinek <tjelinek@redhat.com> Gerrit-Reviewer: gerrit-hooks <automation@ovirt.org>