On 05/26/2014 04:43 PM, wenwang wrote:
From my personal perspective, I don't think changing the password that
often is that good a solution.
Security is definitely our first priority for Kimchi, whereas playing
with the password might not seem that professional. Our intention is to
make Kimchi a robust and secure tool for managing the VMs, so I have a
thought that might be of some help with this issue:
Since we want to prevent connections from users who are not the maker
of certain VMs, why not set a tag that indicates which user is
authorized to use certain VMs? It functions like this:
1) If the authentication by tags fails, we can disable any action
from that user.

Do you mean a role on every action?

2) A VNC password is required and can be set either by Kimchi password
or by the user himself/herself. Once set, users can use the SSO method
to connect to the VM using Kimchi, and VNC has a password that the user
knows.
3) For the issue that other users may connect to VMs by copying the URL,
I think we can set a token that expires once logged in. Without the
token, the user needs to log in to Kimchi again, for safety reasons.

Who will check the token? The http(s) server or the ws(s) server?

Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Get the password from the cookie and pass it in the URL to the spice
> and VNC page. For spice we need to get the password from this URL and
> pass it to the websocket connection.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> ---
> ui/pages/spice.html.tmpl | 3 ++-
> ui/pages/websockify/console.html | 5 +++++
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
> index 213d216..c2bdffe 100644
> --- a/ui/pages/spice.html.tmpl
> +++ b/ui/pages/spice.html.tmpl
> @@ -64,6 +64,7 @@
> host = getParameter("listen");
> port = getParameter("port");
> token = getParameter("token");
> + password = getParameter("password")
> document.getElementById("host").value = host;
> document.getElementById("port").value = port;
> if ((!host) || (!port)) {
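Review bot: the added `password = getParameter("password")` line takes the console password from the page URL, so the secret stays in the address bar and browser history while the console is open, which is the URL-copying concern raised earlier in this thread. Consider clearing the parameter from the URL once it has been read, or keeping the ticket out of the URL altogether. The line is also missing the terminating semicolon that the `host`, `port` and `token` assignments above it use.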
> @@ -82,7 +83,7 @@
> screen_id : "spice-screen",
> dump_id : "debug-div",
> message_id : "message-div",
> - password : "",
> + password : password,
> onerror : spice_error
> });
> } catch (e) {
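Review bot: `password : password` now passes whatever `getParameter("password")` returned, where the removed line always passed an empty string. The `(!host) || (!port)` check in the previous hunk suggests `getParameter` can return a falsy non-string value when a parameter is absent, so a console opened without a ticket would hand that value to the connection; `password : password || ""` keeps the old behaviour for that case.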
> diff --git a/ui/pages/websockify/console.html
> b/ui/pages/websockify/console.html
> index a536e38..7706074 100644
> --- a/ui/pages/websockify/console.html
> +++ b/ui/pages/websockify/console.html
> @@ -16,6 +16,11 @@
> var url = "https://" + location.hostname + ":" + kimchi_port +
"/";
> url += path + query
>
> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g');
> + var match = cookieRe.exec(document.cookie);
> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
> + url += ticket ? "&password=" + ticket : '';
> +
> window.location.replace(url)
> }
> </script>
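Review bot: on the `url += ticket ? "&password=" + ticket : ''` line, `ticket` has just been passed through `decodeURIComponent` and is appended without re-encoding, so a ticket containing `&`, `#`, `+` or `%` will be truncated or altered when the target page parses the query; use `"&password=" + encodeURIComponent(ticket)`. In the `RegExp` string the first `\s` is escaped for the string literal but the one inside the second group is not, so that group compiles as a literal `s*`; a regex literal would avoid the mismatch, and the `'g'` flag is not needed for a single `exec`. The pattern is also not anchored to a cookie boundary, so a cookie whose name merely ends in `ticketVM` would match.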
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
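
The single-use token proposed in point 3 above, sketched as an added example that is not part of this thread or of Kimchi's code. It assumes the HTTP server issues the token after login and the WebSocket proxy redeems it against a store both can reach; `ConsoleTokenStore`, its method names and the sample user and VM names are hypothetical.

```python
import hashlib
import secrets
import time


class ConsoleTokenStore:
    """Hypothetical shared store: the HTTP side issues, the WebSocket side redeems."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, vm, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a dump of the store does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, vm, authorized_users):
        """Called by the HTTP server after login; refuses users not tagged on the VM."""
        if user not in authorized_users:
            raise PermissionError(f"{user} is not authorized for {vm}")
        self._purge()
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, vm, self._clock() + self._ttl)
        return token

    def redeem(self, token, vm):
        """Called by the WebSocket proxy on connect; returns the user or None."""
        # pop() consumes the token on any attempt, so a copied URL cannot be replayed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, bound_vm, expires_at = entry
        if bound_vm != vm or self._clock() > expires_at:
            return None
        return user

    def _purge(self):
        now = self._clock()
        for key in [k for k, (_, _, exp) in self._pending.items() if exp < now]:
            del self._pending[key]


if __name__ == "__main__":
    store = ConsoleTokenStore(ttl_seconds=30)
    t = store.issue("alice", "vm1", authorized_users={"alice"})  # constructed sample values
    print(store.redeem(t, "vm1"))  # first connection is accepted
    print(store.redeem(t, "vm1"))  # same token again is rejected
```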