[PATCH V2 0/4] Authorization: disable non-root user functions in UI
by wenwang@linux.vnet.ibm.com
From: Wen Wang <wenwang(a)linux.vnet.ibm.com>
V1 -> V2:
Store "roles" parameter in cookie instead of each tab's mode.(Aline)
read only "roles" from cookie instead of roles of each tab(Aline)
Minor changes in method of removing "Action" title under network tab
(Hongliang Wang)
This patch defines user privilege according to different user roles In this
release, only two roles are supported: "admin" and "user", conbined with four
modes: "admin", "byInstance", "read-only" and "none", each of which has own
privileges to different tabs as well as instances. modes are stored in cookie
and functions of different roles are protected in the back-end.
Wen Wang (4):
Add roles into cookie
Authorization: remove host/template tabs for non-root users
Authorization: remove [+] icon from non-root users view
Authorization: Remove actions based on roles
ui/css/theme-default/storage.css | 18 +++++++++---------
ui/js/src/kimchi.guest_main.js | 4 ++++
ui/js/src/kimchi.login.js | 16 +++++++++-------
ui/js/src/kimchi.main.js | 24 ++++++++++++++++--------
ui/js/src/kimchi.network.js | 9 +++++++++
ui/js/src/kimchi.storage_main.js | 11 +++++++++++
6 files changed, 58 insertions(+), 24 deletions(-)
9 years, 9 months
[PATCH 0/4] Authorization: disable non-root user functions in UI
by wenwang@linux.vnet.ibm.com
From: Wen Wang <wenwang(a)linux.vnet.ibm.com>
This patch defines user privilege according to different user roles In this
release, only two roles are supported: "admin" and "user", conbined with four
modes: "admin", "byInstance", "read-only" and "none", each of which has own
privileges to different tabs as well as instances. modes are stored in cookie
and functions of different roles are protected in the back-end.
Please apply Aline's patches first before this one. Below are the references:
(1)[Kimchi-devel] [PATCH 0/4 V2] Let frontend redirect user after logging
(2)[Kimchi-devel] [PATCH 0/5 V3] authorization: Backend changes
Apply these two patches in order then this UI changes can work
Wen Wang (4):
Add modes into cookie
Authorization: remove host/template tabs for non-root users
Authorization: remove [+] icon from non-root users view
Authorization: Remove actions based on roles
ui/css/theme-default/storage.css | 18 +++++++++---------
ui/js/src/kimchi.guest_main.js | 4 ++++
ui/js/src/kimchi.login.js | 20 +++++++++++++-------
ui/js/src/kimchi.main.js | 21 +++++++++++++--------
ui/js/src/kimchi.network.js | 9 +++++++++
ui/js/src/kimchi.storage_main.js | 11 +++++++++++
6 files changed, 59 insertions(+), 24 deletions(-)
9 years, 9 months
[PATCH 0/3 WIP] Let frontend redirect user after logging
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
This patch set removes useless files related to former login design and redirect
user in frontend after logging - that way frontend can store user information
for authorization matters.
The patch 2 has 2 problems:
1) the next URL is encoded using base64
So in UI I need to decode it. How do I do that?
2) while using kimchi.cookie.get() to get the lastPage it returns the URL with ""
So the redirection fails as it tries to redirect the user to "/#tabs/guests"
How do I remove those "" around the cookie value?
Any help is welcome!
Aline Manera (3):
Remove former login design files
Remove special console rules from nginx configuration
Let frontend redirect user after logging
src/kimchi/auth.py | 6 --
src/kimchi/root.py | 19 +-----
src/nginx.conf.in | 11 ----
ui/js/src/kimchi.login.js | 73 ++++++++++++++++++++++
ui/js/src/kimchi.login_window.js | 128 ---------------------------------------
ui/pages/login-window.html.tmpl | 53 ----------------
ui/pages/login.html.tmpl | 36 ++---------
7 files changed, 78 insertions(+), 248 deletions(-)
create mode 100644 ui/js/src/kimchi.login.js
delete mode 100644 ui/js/src/kimchi.login_window.js
delete mode 100644 ui/pages/login-window.html.tmpl
--
1.9.3
9 years, 9 months
[PATCH] Always use unicode in KimchiException message
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
When KimchiException was raised inside a cherrypy application it returned
a unicode message. But if the exception was raised independently the cherrypy
server (ie, using model instance directly) it returned a string message.
To keep the same behavior in all those situations, let KimchiException
always returns a unicode message
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
---
src/kimchi/exception.py | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/src/kimchi/exception.py b/src/kimchi/exception.py
index fcf60cc..d84ddb9 100644
--- a/src/kimchi/exception.py
+++ b/src/kimchi/exception.py
@@ -29,18 +29,29 @@ class KimchiException(Exception):
def __init__(self, code='', args={}):
self.code = code
+ for key, value in args.iteritems():
+ if isinstance(value, unicode):
+ continue
+
+ # value is not unicode: convert it
+ try:
+ # In case the value formats itself to an ascii string.
+ args[key] = unicode(str(value), 'utf-8')
+ except UnicodeEncodeError:
+ # In case the value is a KimchiException or it formats
+ # itself to a unicode string.
+ args[key] = unicode(value)
+
if cherrypy.request.app:
- msg = self._get_translation(args)
+ msg = self._get_translation()
else:
- for key, value in args.iteritems():
- if isinstance(value, unicode):
- args[key] = value.encode('utf-8')
- msg = _messages.get(code, code) % args
+ msg = _messages.get(code, code)
+ msg = unicode(msg, 'utf-8') % args
pattern = "%s: %s" % (code, msg)
Exception.__init__(self, pattern)
- def _get_translation(self, args):
+ def _get_translation(self):
lang = validate_language(get_lang())
paths = cherrypy.request.app.root.paths
domain = cherrypy.request.app.root.domain
@@ -52,17 +63,7 @@ def _get_translation(self, args):
except:
translation = gettext
- for key, value in args.iteritems():
- if not isinstance(value, unicode):
- try:
- # In case the value formats itself to an ascii string.
- args[key] = unicode(str(value), 'utf-8')
- except UnicodeEncodeError:
- # In case the value is a KimchiException or it formats
- # itself to a unicode string.
- args[key] = unicode(value)
-
- return unicode(translation.gettext(text), 'utf-8') % args
+ return translation.gettext(text)
class NotFoundError(KimchiException):
--
1.9.3
9 years, 9 months
[PATCH 0/4 V2] Let frontend redirect user after logging
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
V1 -> V2:
- Turn back next_url parameter to fix problems mentioned by Wen Wang
- Use urllib2.quote() to encode next_url in backend
- Use decodeURIcomponent() to decode next_url in JS
Aline Manera (4):
Update test case to reflect new login design
Remove former login design files
Remove special console rules from nginx configuration
Let frontend redirect user after logging
src/kimchi/auth.py | 9 +--
src/kimchi/root.py | 19 +----
src/nginx.conf.in | 11 ---
tests/test_rest.py | 2 +-
ui/css/theme-default/login-window.css | 90 ------------------------
ui/js/src/kimchi.login.js | 71 +++++++++++++++++++
ui/js/src/kimchi.login_window.js | 128 ----------------------------------
ui/pages/login-window.html.tmpl | 53 --------------
ui/pages/login.html.tmpl | 36 ++--------
9 files changed, 79 insertions(+), 340 deletions(-)
delete mode 100644 ui/css/theme-default/login-window.css
create mode 100644 ui/js/src/kimchi.login.js
delete mode 100644 ui/js/src/kimchi.login_window.js
delete mode 100644 ui/pages/login-window.html.tmpl
--
1.9.3
9 years, 9 months
[PATCH 0/5 V3] authorization: Backend changes
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
V2 -> V3:
- Update backend authorization rules to reflect our last discussions
- Use .getiterator() instead of .iter() while reading xml files
- Get role according tab instead of sudo rights
To do that I needed to add a new parameter to UrlSubNode() as Kimchi protects
its API URIs and the user role is per tab, I need to know which URIs is used
in each tab
V1 -> V2:
- Add "access" elements to describe role/view for each tab
- Return a role map in /login
For each tab, a role will be returned. That way we have more flexibility to
change user role per tab
- Add "access" parameter to VM.lookup()
As the user will have full access to the VM assigned to it, return
"access=full" for all them
Aline Manera (5):
authorization: Update authorization rules per API
authorization: Update /login to return user roles instead of sudo
parameter
authorization: Add "access" elements to tabs.xml to describe user view
authorization: Add "access" parameter to VM resource
authorization: Get role according to tab instead of sudo rights
config/ui/tabs.xml | 15 +++++++++++++
plugins/sample/ui/config/tab-ext.xml | 3 +++
src/kimchi/auth.py | 42 +++++++++++++++++++++++++-----------
src/kimchi/control/debugreports.py | 2 +-
src/kimchi/control/host.py | 2 +-
src/kimchi/control/interfaces.py | 2 +-
src/kimchi/control/networks.py | 2 +-
src/kimchi/control/storagepools.py | 2 +-
src/kimchi/control/storageservers.py | 2 +-
src/kimchi/control/templates.py | 2 +-
src/kimchi/control/utils.py | 4 +++-
src/kimchi/control/vms.py | 2 +-
src/kimchi/mockmodel.py | 3 ++-
src/kimchi/model/vms.py | 3 ++-
src/kimchi/server.py | 1 +
src/kimchi/utils.py | 15 +++++++++++++
tests/test_authorization.py | 8 +++----
tests/test_mockmodel.py | 3 ++-
tests/test_model.py | 3 ++-
tests/test_rest.py | 8 +++++++
tests/utils.py | 6 +++---
21 files changed, 97 insertions(+), 33 deletions(-)
--
1.9.3
9 years, 9 months
[RFC] ticket of VM
by Sheldon
Now I have send a patch V1, no more comments.
These days, I talk with ZhengSheng about the ticket of VM.
Now we are change our design as follow for we should care the VMs
created by other tools.
1. make the ticket as the sub-resource of a VM.
support GET(lookup) and PUT(update) method.
2. we will not set expire for ticket.
3. kimchi will set a initial random password for VM when create it.
4. PUT(update) method can set a password for a VM created by other tool.
but if expire is set for this VM, kimchi will not change the password.
or kimchi can change the password but not change the expire.
5. when GET method to retrieve the password, if the VM is create by
other-tools.
And expire is set, kimchi raise http 400 error when timeout.
6. pass the ticket to vnc/spice websocket in cookie, not in URL.
vnc/spice login page get the ticket from cookie.
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
9 years, 9 months
Host Device Passthrough UI Task Discussion
by Zhou Zheng Sheng
Hi,
As in Kimchi 1.3 TODO list
(https://github.com/kimchi-project/kimchi/wiki/Todo-1.3), there is a
task of passthrough support. It is to enable Kimchi to assign hos
devices directly to a VM, thus greately improve VM performance.
Currently we support assigning PCI device, USB device and SCSI LUN. For
example, we can assign an NIC to VM to improve guest network throughput,
or passthrough a USB camera to enable the guest OS to record video.
The back-end patch also handles PCI device grouping (attach and detach
all devices in the same iommu group together) and provides some other
useful features. Since the due day is near, I think we can come up with
an easy and simple UI for 1.3, and mark this feature as experimental.
Then we improve it in future releases. So in this release we may only
expose PCI devices to user and don't mention the iommu grouping logic.
For this version I think we may provide the following operations to the
user.
In the VM edit window, initially, the user sees a list of PCI devices
already assigned to the VM. This maps to GET vms/VM_NAME/hostdevs.
In edit mode, the user can detach device. This maps to DELETE
vms/VM_NAME/hostdevs/DEVICE_NAME.
The user can also select device to attach to VM from a list. The listing
of eligible devices is mapped to GET
host/devices?_passthrough=true&_cap=pci.
To attach a device, just POST a dict containing only the device name to
vms/VM_NAME/hostdevs.
I think these operations forms a basic interaction to enable user to
consume this feature. It may be feasible to finish them before the due day.
--
Zhou Zheng Sheng / 周征晟
E-mail: zhshzhou(a)linux.vnet.ibm.com
Telephone: 86-10-82454397
9 years, 9 months
[PATCH] add a base64 safe url encode and decode to js utils
by shaohef@linux.vnet.ibm.com
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Most webs encode/decode url by base64 to escape the special characters.
base64 encode/decode is similar to base64 safe url encode/decode.
The difference is the alphabet.
The base64 safe url alphabet uses '-' instead of '+' and '_' instead of '/'.
after this patch:
In backend, we can encode an url:
>>> base64.urlsafe_b64encode("/vnc_auto.html?port=64667&path=?token=opensuse12&encrypt=1")
'L3ZuY19hdXRvLmh0bWw_cG9ydD02NDY2NyZwYXRoPT90b2tlbj1vcGVuc3VzZTEyJmVuY3J5cHQ9MQ=='
and in UI, we can decode it:
kimchi.urlSafeB64Decode("L3ZuY19hdXRvLmh0bWw_cG9ydD02NDY2NyZwYXRoPT90b2tlbj1vcGVuc3VzZTEyJmVuY3J5cHQ9MQ==")
"/vnc_auto.html?port=64667&path=?token=opensuse12&encrypt=1"
or
In UI, we can encode an url:
kimchi.urlSafeB64Encode("/vnc_auto.html?port=64667&path=?token=opensuse12&encrypt=1")
"L3ZuY19hdXRvLmh0bWw_cG9ydD02NDY2NyZwYXRoPT90b2tlbj1vcGVuc3VzZTEyJmVuY3J5cHQ9MQ=="
and in backend, we can decode it:
>>> base64.urlsafe_b64decode("L3ZuY19hdXRvLmh0bWw_cG9ydD02NDY2NyZwYXRoPT90b2tlbj1vcGVuc3VzZTEyJmVuY3J5cHQ9MQ==")
'/vnc_auto.html?port=64667&path=?token=opensuse12&encrypt=1'
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
ui/js/src/kimchi.utils.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js
index c7103f8..480b9b5 100644
--- a/ui/js/src/kimchi.utils.js
+++ b/ui/js/src/kimchi.utils.js
@@ -183,3 +183,11 @@ kimchi.escapeStr = function(str) {
return str;
};
+
+kimchi.urlSafeB64Decode = function(str) {
+ return atob(str.replace(/-/g, '+').replace(/_/g, '/'));
+}
+
+kimchi.urlSafeB64Encode = function(str) {
+ return btoa(str).replace(/\+/g, '-').replace(/\//g, '_');
+}
--
1.9.3
9 years, 9 months
[PATCH 0/4] Authorization: disable non-root user functions in UI
by wenwang@linux.vnet.ibm.com
From: Wen Wang <wenwang(a)linux.vnet.ibm.com>
This patch defines user privilege according to different user roles In this
release, only two roles are supported: "admin" and "user", conbined with four
modes: "admin", "byInstance", "read-only" and "none", each of which has own
privileges to different tabs as well as instances. modes are stored in cookie
and functions of different roles are protected in the back-end.
Please apply Aline's patches first before this one. Below are the references:
(1)[Kimchi-devel] [PATCH 0/4 V2] Let frontend redirect user after logging
(2)[Kimchi-devel] [PATCH 0/5 V3] authorization: Backend changes
Apply these two patches in order then this UI changes can work
Wen Wang (4):
Add modes into cookie
Authorization: remove host/template tabs for non-root users
Authorization: remove [+] icon from non-root users view
Authorization: Remove actions based on roles
ui/css/theme-default/storage.css | 18 +++++++++---------
ui/js/src/kimchi.guest_main.js | 4 ++++
ui/js/src/kimchi.login.js | 20 +++++++++++++-------
ui/js/src/kimchi.main.js | 21 +++++++++++++--------
ui/js/src/kimchi.network.js | 9 +++++++++
ui/js/src/kimchi.storage_main.js | 11 +++++++++++
6 files changed, 59 insertions(+), 24 deletions(-)
9 years, 9 months