From my personal perspective, I don't think changing the password that
often is that good a solution.

Security is definitely our first priority for Kimchi, whereas playing
with the password might not seem to be that professional. Our intention
is to make Kimchi a robust and secure tool for managing the VMs, due to
which I have a thought that might be of some help with this issue:

Since we want to prevent connections from users who are not the maker
of certain VMs, why not set a tag that indicates which user is authorized
to use certain VMs? It functions like this:

1) If the authentication by tags fails, we can disable any action from
that user.
2) A VNC password is required and can be set either by Kimchi password or
by the user himself/herself. Once set, users can use the SSO method to
connect to the VM using Kimchi, and VNC has a password that the user knows.
3) For the issue that other users may connect to VMs by copying the URL, I
think we can set a token that expires once logged in. Without the token,
the user needs to log in to Kimchi again for safety reasons.

Best Regards
Wang Wen

On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Get the password from the cookie and pass it in the URL to the spice and
VNC pages. For spice we need to get the password from this URL and pass
it to the websocket connection.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
ui/pages/spice.html.tmpl | 3 ++-
ui/pages/websockify/console.html | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
index 213d216..c2bdffe 100644
--- a/ui/pages/spice.html.tmpl
+++ b/ui/pages/spice.html.tmpl
@@ -64,6 +64,7 @@
host = getParameter("listen");
port = getParameter("port");
token = getParameter("token");
+ password = getParameter("password")
document.getElementById("host").value = host;
document.getElementById("port").value = port;
if ((!host) || (!port)) {
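
Review bot: The added `password = getParameter("password")` line takes the console password from the page URL, so the secret ends up wherever URLs do: browser history, Referer headers and any access log between the client and Kimchi. The ticket already lives in the ticketVM cookie, so consider reading it from the cookie in this page, or exchanging it for a single-use token, instead of carrying it as a query parameter. The line is also missing the trailing semicolon that the neighbouring assignments have.
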
@@ -82,7 +83,7 @@
screen_id : "spice-screen",
dump_id : "debug-div",
message_id : "message-div",
- password : "",
+ password : password,
onerror : spice_error
});
} catch (e) {
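
Review bot: `password : password` now passes whatever getParameter returns when the URL has no password parameter, where the old code always passed an empty string. If that return value is null or undefined for a missing key, a VM without a ticket reaches the SPICE connection setup with a non-string password; `password : password || ""` keeps the previous behaviour for that case.
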
diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html
index a536e38..7706074 100644
--- a/ui/pages/websockify/console.html
+++ b/ui/pages/websockify/console.html
@@ -16,6 +16,11 @@
var url = "https://" + location.hostname + ":" +
kimchi_port + "/";
url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?',
'g');
+ var match = cookieRe.exec(document.cookie);
+ var ticket = match ? decodeURIComponent(match[2]) : undefined;
+ url += ticket ? "&password=" + ticket : '';
+
window.location.replace(url)
}
</script>
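
Review bot: On the `url += ticket ? "&password=" + ticket : '';` line the ticket is appended raw after being run through decodeURIComponent, so a ticket containing `&`, `#` or `%` will be truncated or misparsed by the target page; wrap it in encodeURIComponent when building the query. The pattern string also escapes the two whitespace classes differently (`\\\s` in front of the name, `\s` inside the value group), and inside a string literal the second one reduces to a plain `s`; a regex literal would avoid that. Nothing anchors `ticketVM` to the start of a cookie name either, so any cookie whose name ends in ticketVM matches as well.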