[PATCH 0/4] ticket support for guest

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4):
  update API.md
  ticket in backend: add a set ticket action for VM resource
  support ticket in UI.
  set the password for spice and VNC page.
 docs/API.md                      |  4 ++++
 src/kimchi/control/vms.py        |  1 +
 src/kimchi/model/vms.py          | 28 ++++++++++++++++++++++++++++
 ui/js/src/kimchi.api.js          | 33 ++++++++++++++++++++++++++++++++-
 ui/pages/spice.html.tmpl         |  3 ++-
 ui/pages/websockify/console.html |  5 +++++
 6 files changed, 72 insertions(+), 2 deletions(-)
-- 1.9.0

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- docs/API.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/API.md b/docs/API.md index 9217a37..d4b7291 100644 --- a/docs/API.md +++ b/docs/API.md @@ -111,6 +111,10 @@ the following general conventions: **Actions (POST):** +* setticket: set a ticket for VM, only the one get the ticket can access this VM. + * password *(optional)*: the password of ticket. + * expire *(optional)*: the ticket is invalid when expire, default is 30 + seconds. * start: Power on a VM * poweroff: Power off a VM forcefully. Note this action may produce undesirable results, for example unflushed disk cache in the guest. -- 1.9.0
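
Review bot: The expire entry in docs/API.md states a default of 30 seconds, while setticket in src/kimchi/model/vms.py (patch 2 of this series) is declared with expire=10; make the document and the code agree. The password entry should also say what happens when it is omitted, since the model then generates a random 8-character password, and the expire entry should say that the value is a number of seconds counted from the time of the call.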

Minor grammar changes...
On Tue, 2014-05-20 at 23:27 +0800, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- docs/API.md | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/docs/API.md b/docs/API.md index 9217a37..d4b7291 100644 --- a/docs/API.md +++ b/docs/API.md @@ -111,6 +111,10 @@ the following general conventions:
**Actions (POST):**
+* setticket: set a ticket for VM, only the one get the ticket can access this VM.
set a ticket for a VM. Only the one with the ticket can access this VM.
+ * password *(optional)*: the password of ticket. + * expire *(optional)*: the ticket is invalid when expire, default is 30 + seconds.
Either change "expire" to "expired" or here's a more concise suggestion: : lifetime of a ticket. Default is 30s.
* start: Power on a VM * poweroff: Power off a VM forcefully. Note this action may produce undesirable results, for example unflushed disk cache in the guest.
Regards, - Christy

Minor grammar changes...
On Tue, 2014-05-20 at 23:27 +0800, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- docs/API.md | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/docs/API.md b/docs/API.md index 9217a37..d4b7291 100644 --- a/docs/API.md +++ b/docs/API.md @@ -111,6 +111,10 @@ the following general conventions:
**Actions (POST):**
+* setticket: set a ticket for VM, only the one get the ticket can access this VM.
set a ticket for a VM. Only the one with the ticket can access this VM.
+ * password *(optional)*: the password of ticket. + * expire *(optional)*: the ticket is invalid when expire, default is 30 + seconds.
Either change "expire" to "expired" or here's a more concise suggestion: : lifetime of a ticket. Default is 30s.
ACK.
On 05/21/2014 04:17 AM, Christy Perez wrote: thanks for comment.
* start: Power on a VM * poweroff: Power off a VM forcefully. Note this action may produce undesirable results, for example unflushed disk cache in the guest. Regards,
- Christy
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com>
--- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@ from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data 
@@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd, 'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name}) + def setticket(self, name, password=None, expire=10): + dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn) -- 1.9.0
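
Review bot: In src/kimchi/control/vms.py the setticket handler is registered with only the action name, the same way as start, poweroff and shutdown, which take no parameters. Please confirm that password and expire from the POST body actually reach VMModel.setticket; if generate_action_handler has to be told which parameters to forward, they are missing here and every call would run with the defaults.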
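
Review bot: The import hunk of src/kimchi/model/vms.py (@@ -19,7 +19,10) adds "from lxml import etree, objectify" directly below the existing "import lxml.etree as ET", so the same module is bound to two names in one file. Import only objectify and call ET.tostring() in setticket.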
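
Review bot: In the lookup hunk (@@ -353,9 +356,14) the result of root.devices.find("graphics") is dereferenced on the next line without a None check, and the only guard visible here is _has_video, which is not a test for a graphics device; check for None before reading passwd. This path also has no "created by kimchi" test, unlike setticket, so a password that another tool set on a running domain is read with VIR_DOMAIN_XML_SECURE as well.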
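
Review bot: Adding 'ticket': passwd to the dictionary built in lookup (@@ -394,6 +402,7) puts the console password into the generic VM representation, so every caller that can read a running VM receives it for as long as the password is set in the domain XML. Return the ticket only in the response to the request that asked for it, and keep it out of the resource that listings and status polling read.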
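
Review bot: In setticket (@@ -513,6 +522,25) the default password is built with random.sample(string.ascii_letters + string.digits, 8), which uses the non-cryptographic generator of the random module and draws without replacement; for a secret, pick each character with random.SystemRandom().choice() instead. Further down, float(expire) is applied to caller input with no validation, so a non-numeric value raises ValueError rather than an API error and a negative value yields a passwdValidTo in the past. The bare return for a domain not created by kimchi gives the caller no sign that no ticket was set, and find("graphics") is again used without a None check.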

One comment inline...
On Tue, 2014-05-20 at 23:27 +0800, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@
from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data @@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd, 'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
The default is 10, not 30?
+ dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn)
Regards, - Christy

On 05/21/2014 04:17 AM, Christy Perez wrote:
One comment inline...
On Tue, 2014-05-20 at 23:27 +0800, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@
from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data @@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd, 'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
The default is 10, not 30?
still need to discuss about the default value.
Now we can distinguish whether the guest was created by kimchi or by other tools. Here's my proposal:
1. If the guest was created by other tools, such as virt-manager: if he does not set a password, we will not let kimchi add a password for it. If he sets a password for the guest, we will not let kimchi change the password, and we will not return this password to the UI; we let the user type in the password by himself.
2. If the guest was created by kimchi: kimchi sets the ticket, and the UI gets the ticket automatically to access the guest, so 10s may be OK.
But we should consider: do we allow other tools such as virt-manager to access a guest created by kimchi? Then 10s is not enough. And also, how does the user get the ticket? Does he use virt-manager to reset the password, or does kimchi support a way to show them the password?
+ dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn) Regards,
- Christy
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@
from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data @@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd,
After talking with Zhengsheng, I got to know the reason we want a ticket for all login users and do not distinguish any group. I think it can be used here to prevent the VNC connection being stolen by a user outside kimchi, but this is not what a ticket is used for, right? We can't set ticket and pass it in the vnc/spice client. Or export the passwd to specific group user. But I agree that we can make it a future extension.
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10): + dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn)

On 05/21/2014 02:59 PM, Royce Lv wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@
from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data @@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd,
After talking with Zhengsheng, I got to know the reason we want a ticket for all login users and do not distinguish any group. I think it can be used here to prevent the VNC connection being stolen by a user outside kimchi, but this is not what a ticket is used for, right? We can't set ticket and pass it in the vnc/spice client.
yes.
Or export the passwd to specific group user. But I agree that we can make it a future extension.
ACK
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10): + dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn)
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

On 2014-05-20 23:27, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Only the user who gets the ticket can access the VM console.
The ticket will be invalid when it expires.
We just manage the VM created by kimchi. We do not set the ticket for other VMs that are created by other management tools.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py index 508f478..e3c72d1 100644 --- a/src/kimchi/control/vms.py +++ b/src/kimchi/control/vms.py @@ -37,6 +37,7 @@ class VM(Resource): self.uri_fmt = '/vms/%s' for ident, node in sub_nodes.items(): setattr(self, ident, node(model, self.ident)) + self.setticket = self.generate_action_handler('setticket') self.start = self.generate_action_handler('start') self.poweroff = self.generate_action_handler('poweroff') self.shutdown = self.generate_action_handler('shutdown') diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 17bda04..0daaea0 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -19,7 +19,10 @@
from lxml.builder import E import lxml.etree as ET +from lxml import etree, objectify import os +import random +import string import time import uuid from xml.etree import ElementTree @@ -353,9 +356,14 @@ class VMModel(object): graphics = self._vm_get_graphics(name) graphics_type, graphics_listen, graphics_port = graphics graphics_port = graphics_port if state == 'running' else None + passwd = None try: if state == 'running' and self._has_video(dom): screenshot = self.vmscreenshot.lookup(name) + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics") + passwd = graphic.attrib.get('passwd') elif state == 'shutoff': # reset vm stats when it is powered off to avoid sending # incorrect (old) data @@ -394,6 +402,7 @@ class VMModel(object): 'graphics': {"type": graphics_type, "listen": graphics_listen, "port": graphics_port}, + 'ticket': passwd, 'users': users, 'groups': groups } @@ -513,6 +522,25 @@ class VMModel(object): else: raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10): + dom = self.get_vm(name, self.conn) + version, distro = self.vm_get_os_metadata(dom) + if distro is None: + # this VM is not created by kimchi + return + + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) + root = objectify.fromstring(xml) + graphic = root.devices.find("graphics")
It seems the code for getting password can be extracted into a new function then we can reuse it.
+ password = password if password is not None else "".join( + random.sample(string.ascii_letters + string.digits, 8)) + graphic.attrib['passwd'] = password + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S', + time.gmtime(time.time() + float(expire))) + graphic.attrib['passwdValidTo'] = valid_to + graphic_xml = etree.tostring(graphic) + dom.updateDeviceFlags(graphic_xml, 0) + def _vmscreenshot_delete(self, vm_uuid): screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore, self.conn)
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Add a set ticket API in UI. Set a ticket for a VM before connecting to it.
Also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com>
--- ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 7d85fdf..1a34b3b 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -311,6 +311,19 @@ var kimchi = { }); }, + setTicketVM: function(vm, data, suc, err, sync) { + kimchi.requestJSON({ + url : kimchi.url + 'vms/' + encodeURIComponent(vm) + '/setticket', + type : 'POST', + contentType : 'application/json', + dataType : 'json', + async : !sync, + data : JSON.stringify(data || {}), + success : suc, + error : err + }); + }, + vncToVM : function(vm) { kimchi.requestJSON({ url : '/config', @@ -318,16 +331,25 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" - }).done(function() { + }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() { 
@@ -342,17 +364,26 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; url += "&token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() { -- 1.9.0
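
Review bot: setTicketVM (@@ -311,6 +311,19) is written around a synchronous mode, async: !sync, which blocks the page while the request is in flight; issuing the connect request from the success callback would give the same ordering without a blocking request. The URL is also built from kimchi.url + 'vms/' while the connect calls below use the absolute "/vms/" path; use one form in both places.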
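
Review bot: In vncToVM (@@ -318,16 +331,25) the call kimchi.setTicketVM(vm, function(data) {...}, function(){...}, true) does not match the signature setTicketVM(vm, data, suc, err, sync) added above: the empty success callback lands in data, the error callback in suc, true in err, and sync is left undefined. As written the request is asynchronous and races with the connect request, and KCHAPI6002E is reported when the call succeeds; pass the request data (or null) as the second argument. The alert(ticket) a few lines below shows the console password in a dialog and should not be merged.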
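
Review bot: kimchi.cookie.set("ticketVM", ticket, 100) in the spice path (@@ -342,17 +364,26) stores the console password in a cookie, where any script on the origin can read it and the browser sends it with later requests to this host; the hunk removes the cookie only before setting it again, not after the console page has used it. Please state what the third argument (100) means, scope the cookie as narrowly as possible and clear it once the console has read it, or hand the ticket to the new window without a cookie. The block is a copy of the vncToVM change, including the mis-ordered setTicketVM arguments and alert(ticket), so a shared helper would keep the two paths in step.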

On Tue, 2014-05-20 at 23:27 +0800, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Add a set ticket API in UI. Set a ticket for a VM before connecting to it.
Also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 7d85fdf..1a34b3b 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -311,6 +311,19 @@ var kimchi = { }); },
+ setTicketVM: function(vm, data, suc, err, sync) { + kimchi.requestJSON({ + url : kimchi.url + 'vms/' + encodeURIComponent(vm) + '/setticket', + type : 'POST', + contentType : 'application/json', + dataType : 'json', + async : !sync, + data : JSON.stringify(data || {}), + success : suc, + error : err + }); + }, + vncToVM : function(vm) { kimchi.requestJSON({ url : '/config', @@ -318,16 +331,25 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" - }).done(function() { + }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() { 
@@ -342,17 +364,26 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; url += "&token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100);
I had to change this a bit to get it to work for me:
+ if (ticket != null) kimchi.cookie.set("ticketVM", ticket, 100);
After that, though, I could easily copy/paste in the password and the VNC console came up. Very cool!
window.open(url); }); }).error(function() {
Regards, - Christy

On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Add a set ticket API in UI. Set a ticket for a VM before connecting to it.
Also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 7d85fdf..1a34b3b 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -311,6 +311,19 @@ var kimchi = { }); },
+ setTicketVM: function(vm, data, suc, err, sync) { + kimchi.requestJSON({ + url : kimchi.url + 'vms/' + encodeURIComponent(vm) + '/setticket', + type : 'POST', + contentType : 'application/json', + dataType : 'json', + async : !sync, + data : JSON.stringify(data || {}), + success : suc, + error : err + }); + }, + vncToVM : function(vm) { kimchi.requestJSON({ url : '/config', @@ -318,16 +331,25 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" - }).done(function() { + }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket)
Intended or debug?
url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() { 
@@ -342,17 +364,26 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; url += "&token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() {
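Review bot: In both the vncToVM hunk and the spice hunk, the call kimchi.setTicketVM(vm, function(data) { }, function(){ ... }, true) does not line up with the signature setTicketVM(vm, data, suc, err, sync) added in the first hunk. The empty success callback lands in data, the KCHAPI6002E handler lands in suc and so fires when the request succeeds, true lands in err, and sync stays undefined, so async : !sync is true and the request is not synchronous. Pass the body explicitly, for example kimchi.setTicketVM(vm, {}, suc, err, true), otherwise the POST to /connect that follows can go out before the ticket is set.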

On 05/21/2014 03:01 PM, Royce Lv wrote:
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Add a set ticket API in UI. Set a ticket for a VM before connecting to it.
Also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 7d85fdf..1a34b3b 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -311,6 +311,19 @@ var kimchi = { }); },
+ setTicketVM: function(vm, data, suc, err, sync) { + kimchi.requestJSON({ + url : kimchi.url + 'vms/' + encodeURIComponent(vm) + '/setticket', + type : 'POST', + contentType : 'application/json', + dataType : 'json', + async : !sync, + data : JSON.stringify(data || {}), + success : suc, + error : err + }); + }, + vncToVM : function(vm) { kimchi.requestJSON({ url : '/config', @@ -318,16 +331,25 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" - }).done(function() { + }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) Intended or debug? good catch. debug. url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() { 
@@ -342,17 +364,26 @@ var kimchi = { dataType : 'json' }).done(function(data, textStatus, xhr) { proxy_port = data['display_proxy_port']; + var ticket; + kimchi.setTicketVM(vm, function(data) { + }, function(){ + kimchi.message.error.code('KCHAPI6002E'); + }, true); kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", type : "POST", dataType : "json" }).done(function(data, textStatus, xhr) { + ticket = data['ticket']; + alert(ticket) url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; url += "&token=" + encodeURIComponent(vm); url += "&kimchi=" + location.port; url += '&encrypt=1'; + kimchi.cookie.remove("ticketVM"); + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100); window.open(url); }); }).error(function() {
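Review bot: The spice hunk (@@ -342,17 +364,26) carries its own alert(ticket), the same debug leftover confirmed above for the VNC hunk, and it should be dropped as well since it puts the ticket in a dialog. In the same hunks, ticket != null && kimchi.cookie.set("ticketVM", ticket, 100) reads more clearly as an if statement, and the third argument 100 has no unit visible here; a named constant or a comment relating it to the 30-second default ticket lifetime in API.md would make the intended cookie lifetime checkable.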
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> get the password from cookie and pass them in url to spice and VNC page. For spice we need to get the password from this url and pass it to websocket connection. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl index 213d216..c2bdffe 100644 --- a/ui/pages/spice.html.tmpl +++ b/ui/pages/spice.html.tmpl @@ -64,6 +64,7 @@ host = getParameter("listen"); port = getParameter("port"); token = getParameter("token"); + password = getParameter("password") document.getElementById("host").value = host; document.getElementById("port").value = port; if ((!host) || (!port)) { @@ -82,7 +83,7 @@ screen_id : "spice-screen", dump_id : "debug-div", message_id : "message-div", - password : "", + password : password, onerror : spice_error }); } catch (e) { diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html index a536e38..7706074 100644 --- a/ui/pages/websockify/console.html +++ b/ui/pages/websockify/console.html @@ -16,6 +16,11 @@ var url = "https://" + location.hostname + ":" + kimchi_port + "/"; url += path + query + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g'); + var match = cookieRe.exec(document.cookie); + var ticket = match ? decodeURIComponent(match[2]) : undefined; + url += ticket ? "&password=" + ticket : ''; + window.location.replace(url) } </script> -- 1.9.0
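Review bot: In the console.html hunk the ticket is passed through decodeURIComponent and then appended raw in url += ticket ? "&password=" + ticket : '', so a ticket containing a character such as & or # changes or truncates the query string; append encodeURIComponent(ticket) instead. The RegExp source also doubles the backslash only for the first \s (';?\\\s*' versus '(\s*'), so the second one reaches the regex as a literal s*, and the name is not anchored, so a cookie whose name merely ends in ticketVM matches too. Since the ticket now ends up in the address of the console page, removing the ticketVM cookie right after it is read would at least keep it from lingering in two places.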

From my personal perspective, I don't think changing password that often is that good a solution.
Security is definitely our first priority for Kimchi whereas playing with the password might not seem to be that professional. Our intention is to make Kimchi a robust and secured tool for managing the VMs, due to which, I have a thought might be of some help to this issue:
Since we want to prevent the connection from users who are not the maker of certain VMs, Why not set a tag that indicate which user is authorized to use certain VMs? It functions like this:
1) If the authentication by tags failed, we can disable any action from that user.
2) VNC password is required and can be set either by Kimchi password or user himself/herself, once set, users can use the SSO method to connect VM using Kimchi and VNC has a password that user know.
3) For the issue of other users may connect to VMs by copying the url, I think we can set a token that expire once logged in. Without the token, User need to log in Kimchi again for safety concern.
Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
get the password from cookie and pass them in url to spice and VNC page. For spice we need to get the password from this url and pass it to websocket connection.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl index 213d216..c2bdffe 100644 --- a/ui/pages/spice.html.tmpl +++ b/ui/pages/spice.html.tmpl @@ -64,6 +64,7 @@ host = getParameter("listen"); port = getParameter("port"); token = getParameter("token"); + password = getParameter("password") document.getElementById("host").value = host; document.getElementById("port").value = port; if ((!host) || (!port)) { @@ -82,7 +83,7 @@ screen_id : "spice-screen", dump_id : "debug-div", message_id : "message-div", - password : "", + password : password, onerror : spice_error }); } catch (e) { diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html index a536e38..7706074 100644 --- a/ui/pages/websockify/console.html +++ b/ui/pages/websockify/console.html @@ -16,6 +16,11 @@ var url = "https://" + location.hostname + ":" + kimchi_port + "/"; url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g'); + var match = cookieRe.exec(document.cookie); + var ticket = match ? decodeURIComponent(match[2]) : undefined; + url += ticket ? "&password=" + ticket : ''; + window.location.replace(url) } </script>
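Review bot: In the spice.html.tmpl hunks, password : "" becomes password : password, fed by password = getParameter("password"), which is also missing the trailing semicolon its neighbouring lines have. When the URL carries no password parameter, the value handed to the connection is now whatever getParameter returns for a missing key instead of the empty string used before; unless that is already "", default it explicitly, for example getParameter("password") || "".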

On 05/26/2014 04:43 PM, wenwang wrote:
From my personal perspective, I don't think changing password that often is that good a solution.
Security is definitely our first priority for Kimchi whereas playing with the password might not seem to be that professional. Our intention is to make Kimchi a robust and secured tool for managing the VMs, due to which, I have a thought might be of some help to this issue:
Since we want to prevent the connection from users who are not the maker of certain VMs, Why not set a tag that indicate which user is authorized to use certain VMs? It functions like this:
1) If the authentication by tags failed, we can disable any action from that user.
do you mean role on every action?
2) VNC password is required and can be set either by Kimchi password or user himself/herself, once set, users can use the SSO method to connect VM using Kimchi and VNC has a password that user know.
3) For the issue of other users may connect to VMs by copying the url, I think we can set a token that expire once logged in. Without the token, User need to log in Kimchi again for safety concern.
who will check the token? the http(s) server or ws(s) server?
Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
get the password from cookie and pass them in url to spice and VNC page. For spice we need to get the password from this url and pass it to websocket connection.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl index 213d216..c2bdffe 100644 --- a/ui/pages/spice.html.tmpl +++ b/ui/pages/spice.html.tmpl @@ -64,6 +64,7 @@ host = getParameter("listen"); port = getParameter("port"); token = getParameter("token"); + password = getParameter("password") document.getElementById("host").value = host; document.getElementById("port").value = port; if ((!host) || (!port)) { @@ -82,7 +83,7 @@ screen_id : "spice-screen", dump_id : "debug-div", message_id : "message-div", - password : "", + password : password, onerror : spice_error }); } catch (e) { diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html index a536e38..7706074 100644 --- a/ui/pages/websockify/console.html +++ b/ui/pages/websockify/console.html @@ -16,6 +16,11 @@ var url = "https://" + location.hostname + ":" + kimchi_port + "/"; url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g'); + var match = cookieRe.exec(document.cookie); + var ticket = match ? decodeURIComponent(match[2]) : undefined; + url += ticket ? "&password=" + ticket : ''; + window.location.replace(url) } </script>
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

On 05/26/2014 10:14 PM, Sheldon wrote:
On 05/26/2014 04:43 PM, wenwang wrote:
From my personal perspective, I don't think changing password that often is that good a solution.
Security is definitely our first priority for Kimchi whereas playing with the password might not seem to be that professional. Our intention is to make Kimchi a robust and secured tool for managing the VMs, due to which, I have a thought might be of some help to this issue:
Since we want to prevent the connection from users who are not the maker of certain VMs, Why not set a tag that indicate which user is authorized to use certain VMs? It functions like this:
1) If the authentication by tags failed, we can disable any action from that user.
do you mean role on every action?
What if we just break the connection from unauthenticated users like if one user doesn't have the right to connect certain VMs, just don't let him connect to those VMs, He can do nothing that violate the security, right?
2) VNC password is required and can be set either by Kimchi password or user himself/herself, once set, users can use the SSO method to connect VM using Kimchi and VNC has a password that user know.
3) For the issue of other users may connect to VMs by copying the url, I think we can set a token that expire once logged in. Without the token, User need to log in Kimchi again for safety concern.
who will check the token? the http(s) server or ws(s) server?
This token is for authentication check. so it should be sent by the server from VNC side and checked by them.
Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
get the password from cookie and pass them in url to spice and VNC page. For spice we need to get the password from this url and pass it to websocket connection.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl index 213d216..c2bdffe 100644 --- a/ui/pages/spice.html.tmpl +++ b/ui/pages/spice.html.tmpl @@ -64,6 +64,7 @@ host = getParameter("listen"); port = getParameter("port"); token = getParameter("token"); + password = getParameter("password") document.getElementById("host").value = host; document.getElementById("port").value = port; if ((!host) || (!port)) { @@ -82,7 +83,7 @@ screen_id : "spice-screen", dump_id : "debug-div", message_id : "message-div", - password : "", + password : password, onerror : spice_error }); } catch (e) { diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html index a536e38..7706074 100644 --- a/ui/pages/websockify/console.html +++ b/ui/pages/websockify/console.html @@ -16,6 +16,11 @@ var url = "https://" + location.hostname + ":" + kimchi_port + "/"; url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g'); + var match = cookieRe.exec(document.cookie); + var ticket = match ? decodeURIComponent(match[2]) : undefined; + url += ticket ? "&password=" + ticket : ''; + window.location.replace(url) } </script>

I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication. Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user. Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy is protecting against?
On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4): update API.md ticket in backend: add a set ticket action for VM resource support ticket in UI. set the password for spice and VNC page.
docs/API.md | 4 ++++ src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 6 files changed, 72 insertions(+), 2 deletions(-)

on 2014/05/26 13:32, Yu Xin Huo wrote:
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication. Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user. Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy is protecting against?
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
The most practical method to prevent unauthenticated user from accessing VNC is to set VNC password on the hypervisor side. We thought of other means, but they either requires too much work or involves too much transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't set password and everyone can visit it. For VM created outside of Kimchi but with VNC password, when the user connects it from noVNC, Kimchi reads the password and passes it to noVNC. For VM created by Kimchi, it generates a random password.
So far so good. A new problem is that currently noVNC client reads password from URL, and we don't want the password get leaked from the URL. We can make the password expire in short time and change it every time we connect. The whole process is transparent to the user, the password is generated every time, and passed to noVNC. Password generation does not affect established VNC session, it only affects new sessions.
Last time I mentioned this problem, most people thought that if the user has noVNC for Kimchi's VM, he/she would not need other VNC client. I think this may be true in most cases, but it surprises you when you actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
A method to mitigate the pain is that back-end only generates the password once, and have the front-end stores the generated password in cookie. Then we can change noVNC to read password from cookie to avoid exposing password in URL.
On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4): update API.md ticket in backend: add a set ticket action for VM resource support ticket in UI. set the password for spice and VNC page.
docs/API.md | 4 ++++ src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 6 files changed, 72 insertions(+), 2 deletions(-)
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
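The expire-quickly, regenerate-on-every-connect password described in the message above, modelled as an added example (not Kimchi code and not part of the original message). `ConsoleTicketStore`, `FakeClock` and `replay_demo` are hypothetical names, the store is an in-memory stand-in for the hypervisor-side password, and the 30-second default mirrors the `expire` default in the API.md patch.

```python
import hmac
import secrets
import time


class ConsoleTicketStore:
    """In-memory model of a per-VM console ticket (hypothetical, not Kimchi code).

    A real deployment would hand the ticket to the hypervisor as the
    VNC/SPICE password; here the store itself plays that role.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tickets = {}  # vm name -> (ticket, expiry time)

    def issue(self, vm, ttl=30):
        """Create a fresh random ticket for vm; any earlier ticket stops working."""
        if ttl <= 0:
            raise ValueError("ttl must be positive")
        ticket = secrets.token_urlsafe(16)
        self._tickets[vm] = (ticket, self._clock() + ttl)
        return ticket

    def redeem(self, vm, presented):
        """Return True exactly once for the current, unexpired ticket of vm."""
        entry = self._tickets.get(vm)
        if entry is None:
            return False
        ticket, expires_at = entry
        if self._clock() >= expires_at:
            del self._tickets[vm]  # expired tickets are dropped
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(ticket.encode(), str(presented).encode()):
            return False
        del self._tickets[vm]  # single use: a copied URL cannot be replayed
        return True


class FakeClock:
    """Constructed test clock so the expiry cases run without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_demo():
    """Walk through the cases raised in the thread on a constructed VM name."""
    clock = FakeClock()
    store = ConsoleTicketStore(clock)

    t1 = store.issue("vm1")
    first = store.redeem("vm1", t1)    # the user's own console connection
    replay = store.redeem("vm1", t1)   # same ticket from a copied URL

    t2 = store.issue("vm1")
    clock.advance(31)                  # past the 30 s default lifetime
    late = store.redeem("vm1", t2)

    t3 = store.issue("vm1")
    t4 = store.issue("vm1")            # reconnect: t3 is superseded
    stale = store.redeem("vm1", t3)
    fresh = store.redeem("vm1", t4)

    return {"first": first, "replay": replay, "late": late,
            "stale": stale, "fresh": fresh}


if __name__ == "__main__":
    print(replay_demo())
```
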

On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
on 2014/05/26 13:32, Yu Xin Huo wrote:
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication. Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user. Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy is protecting against?
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
For this part, I'd prefer access VNC through any VNC viewer after I created a VM, instead of only access it through Kimchi.
The most practical method to prevent unauthenticated user from accessing VNC is to set VNC password on the hypervisor side. We thought of other means, but they either requires too much work or involves too much transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't set password and everyone can visit it. For VM created outside of Kimchi but with VNC password, when the user connects it from noVNC, Kimchi reads the password and passes it to noVNC. For VM created by Kimchi, it generates a random password.
So far so good. A new problem is that currently noVNC client reads password from URL, and we don't want the password get leaked from the URL. We can make the password expire in short time and change it every time we connect. The whole process is transparent to the user, the password is generated every time, and passed to noVNC. Password generation does not affect established VNC session, it only affects new sessions.
Last time I mentioned this problem, most people thought that if the user has noVNC for Kimchi's VM, he/she would not need other VNC client. I think this may be true in most cases, but it surprises you when you actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
A method to mitigate the pain is that back-end only generates the password once, and have the front-end stores the generated password in cookie. Then we can change noVNC to read password from cookie to avoid exposing password in URL.
On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4): update API.md ticket in backend: add a set ticket action for VM resource support ticket in UI. set the password for spice and VNC page.
docs/API.md | 4 ++++ src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 6 files changed, 72 insertions(+), 2 deletions(-)

On 05/26/2014 02:38 PM, Hongliang Wang wrote:
On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
on 2014/05/26 13:32, Yu Xin Huo wrote:
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication. Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user. Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy is protecting against?
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
For this part, I'd prefer access VNC through any VNC viewer after I created a VM, instead of only access it through Kimchi.
I checked Virt Manager just now and it works the similar as your design for Kimchi. So is it possible if I want to access Kimchi VM through VNC clients (e.g., my browser is relatively too old to use noVNC)? In this case, I think a possible solution is:
1. Create a VM with bridged network that I can access it from other machines
2. Install VNC server in it
3. Configuration the VNC server
4. Access it through VNC clients
Does it make sense? So it will be a complete solution.
The most practical method to prevent unauthenticated user from accessing VNC is to set VNC password on the hypervisor side. We thought of other means, but they either requires too much work or involves too much transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't set password and everyone can visit it. For VM created outside of Kimchi but with VNC password, when the user connects it from noVNC, Kimchi reads the password and passes it to noVNC. For VM created by Kimchi, it generates a random password.
So far so good. A new problem is that currently noVNC client reads password from URL, and we don't want the password get leaked from the URL. We can make the password expire in short time and change it every time we connect. The whole process is transparent to the user, the password is generated every time, and passed to noVNC. Password generation does not affect established VNC session, it only affects new sessions.
Last time I mentioned this problem, most people thought that if the user has noVNC for Kimchi's VM, he/she would not need other VNC client. I think this may be true in most cases, but it surprises you when you actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
A method to mitigate the pain is that back-end only generates the password once, and have the front-end stores the generated password in cookie. Then we can change noVNC to read password from cookie to avoid exposing password in URL.
On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4): update API.md ticket in backend: add a set ticket action for VM resource support ticket in UI. set the password for spice and VNC page.
docs/API.md | 4 ++++ src/kimchi/control/vms.py | 1 + src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++ ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++- ui/pages/spice.html.tmpl | 3 ++- ui/pages/websockify/console.html | 5 +++++ 6 files changed, 72 insertions(+), 2 deletions(-)

On 2014-05-26 15:01, Hongliang Wang wrote:
On 05/26/2014 02:38 PM, Hongliang Wang wrote:
On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
on 2014/05/26 13:32, Yu Xin Huo wrote:
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication. Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user. Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy is protecting against?
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
For this part, I'd prefer access VNC through any VNC viewer after I created a VM, instead of only access it through Kimchi.
I checked Virt Manager just now and it works the similar as your design for Kimchi. So is it possible if I want to access Kimchi VM through VNC clients (e.g., my browser is relatively too old to use noVNC)? In this case, I think a possible solution is:
1. Create a VM with bridged network that I can access it from other machines
2. Install VNC server in it
3. Configuration the VNC server
4. Access it through VNC clients
Does it make sense? So it will be a complete solution.
Feasible. A small problem is that it uses guest network. If the user wrongly configures the guest network, he/she would lose remote video connection. Before installing guest OS and VNC, there is no remote video.
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397

On 5/26/2014 3:09 PM, Zhou Zheng Sheng wrote:
> On 2014-05-26 15:01, Hongliang Wang wrote:
>> On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>>> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>>>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>>>> I strongly dislike the way to change password frequently.
>>>>>
>>>>> Password is designed for user to recognize himself for authentication.
>>>>> Frequently changing password make password itself meaningless to user.
>>>>>
>>>>> As it is VNC password, this will almost make vnc unaccessible to user.
>>>>> Personally, I dislike to use browser to console the VM at all.
>>>>>
>>>>> I suspect whether there is *a justification reasonable enough* to take
>>>>> the way that "changing password".
>>>>>
>>>>> So please exactly clarify what *threat* this "change password" strategy
>>>>> is protecting against?
>>>>>
>>>> Some back-end background.
>>>>
>>>> The problem is that noVNC and HTML5 Spice traffic is carried on
>>>> websocket outside of Kimchi server. It operates as following.
>>>>
>>>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>>>
>>>> Since Kimchi is out of this route, we don't have means to authenticate
>>>> user. The user can copy the noVNC page URL to another machine without
>>>> logging in to Kimchi, and he can still access VNC.
>>> For this part, I'd prefer access VNC through any VNC viewer after I
>>> created a VM, instead of only access it through Kimchi.
>> I checked Virt Manager just now and it works the similar as your design
>> for Kimchi. So is it possible if I want to access Kimchi VM through VNC
>> clients (e.g., my browser is relatively too old to use noVNC)? In this
>> case, I think a possible solution is:
>> 1. Create a VM with bridged network that I can access it from other
>> machines
>> 2. Install VNC server in it
>> 3. Configuration the VNC server
>> 4. Access it through VNC clients
>>
>> Does it make sense? So it will be a complete solution.
> Feasible. A small problem is that it uses guest network. If the user
> wrongly configures the guest network, he/she would lose remote video
> connection. Before installing guest OS and VNC, there is no remote video.
>
Kimchi support 3 types of network, user will base on their real needs to configure VM's network. Not wrongly configured.
For all these 3 types of network, the VM need VNC access.

on 2014/05/26 16:00, Yu Xin Huo wrote:
> On 5/26/2014 3:09 PM, Zhou Zheng Sheng wrote:
>> On 2014-05-26 15:01, Hongliang Wang wrote:
>>> On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>>>> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>>>>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>>>>> I strongly dislike the way to change password frequently.
>>>>>>
>>>>>> Password is designed for user to recognize himself for
>>>>>> authentication.
>>>>>> Frequently changing password make password itself meaningless to
>>>>>> user.
>>>>>>
>>>>>> As it is VNC password, this will almost make vnc unaccessible to
>>>>>> user.
>>>>>> Personally, I dislike to use browser to console the VM at all.
>>>>>>
>>>>>> I suspect whether there is *a justification reasonable enough* to
>>>>>> take
>>>>>> the way that "changing password".
>>>>>>
>>>>>> So please exactly clarify what *threat* this "change password"
>>>>>> strategy
>>>>>> is protecting against?
>>>>>>
>>>>> Some back-end background.
>>>>>
>>>>> The problem is that noVNC and HTML5 Spice traffic is carried on
>>>>> websocket outside of Kimchi server. It operates as following.
>>>>>
>>>>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>>>>
>>>>> Since Kimchi is out of this route, we don't have means to authenticate
>>>>> user. The user can copy the noVNC page URL to another machine without
>>>>> logging in to Kimchi, and he can still access VNC.
>>>> For this part, I'd prefer access VNC through any VNC viewer after I
>>>> created a VM, instead of only access it through Kimchi.
>>> I checked Virt Manager just now and it works the similar as your design
>>> for Kimchi. So is it possible if I want to access Kimchi VM through VNC
>>> clients (e.g., my browser is relatively too old to use noVNC)? In this
>>> case, I think a possible solution is:
>>> 1. Create a VM with bridged network that I can access it from other
>>> machines
>>> 2. Install VNC server in it
>>> 3. Configuration the VNC server
>>> 4. Access it through VNC clients
>>>
>>> Does it make sense? So it will be a complete solution.
>> Feasible. A small problem is that it uses guest network. If the user
>> wrongly configures the guest network, he/she would lose remote video
>> connection. Before installing guest OS and VNC, there is no remote video.
>>
> Kimchi support 3 types of network, user will base on their real needs to
> configure VM's network. Not wrongly configured.
> For all these 3 types of network, the VM need VNC access.
Though I am not for this solution, it is always feasible to create an extra bridge guest network for management purpose. Even for the "isolated" type of network, it's possible to create a "isolated bridged management network" using VXLAN or something like that. Another thing you misunderstood me is that I meant wrongly configure the network settings in the guest OS. So in all, my previous message is to say though it's feasible to use guest network, it's not reliable for management purpose.
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397

On 5/26/2014 3:01 PM, Hongliang Wang wrote:
> On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>>> I strongly dislike the way to change password frequently.
>>>>
>>>> Password is designed for user to recognize himself for authentication. Frequently changing password makes password itself meaningless to user.
>>>>
>>>> As it is VNC password, this will almost make vnc inaccessible to user. Personally, I dislike to use browser to console the VM at all.
>>>>
>>>> I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
>>>>
>>>> So please exactly clarify what *threat* this "change password" strategy is protecting against?
>>>
>>> Some back-end background.
>>>
>>> The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as follows.
>>>
>>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>>
>>> Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
>> For this part, I'd prefer access VNC through any VNC viewer after I created a VM, instead of only access it through Kimchi.
> I checked Virt Manager just now and it works the similar as your design for Kimchi. So is it possible if I want to access Kimchi VM through VNC clients (e.g., my browser is relatively too old to use noVNC)? In this case, I think a possible solution is:
> 1. Create a VM with bridged network that I can access it from other machines
> 2. Install VNC server in it
> 3. Configure the VNC server
> 4. Access it through VNC clients
>
> Does it make sense? So it will be a complete solution.

For a VM configured with any type of network, 'isolated', 'NAT', 'bridged', it must be able to be accessed through VNC console. As VM with 'isolated' and 'NAT' network can not be accessed from outside, so can not depend on VNC on guest.

>>> The most practical method to prevent unauthenticated user from accessing VNC is to set VNC password on the hypervisor side. We thought of other means, but they either require too much work or involve too much transport redirection.
>>>
>>> The current approach is that, for VM created outside of Kimchi, we don't set password and everyone can visit it. For VM created outside of Kimchi but with VNC password, when the user connects it from noVNC, Kimchi reads the password and passes it to noVNC. For VM created by Kimchi, it generates a random password.
>>>
>>> So far so good. A new problem is that currently noVNC client reads password from URL, and we don't want the password get leaked from the URL. We can make the password expire in short time and change it every time we connect. The whole process is transparent to the user, the password is generated every time, and passed to noVNC. Password generation does not affect established VNC session, it only affects new sessions.
>>>
>>> Last time I mentioned this problem, most people thought that if the user has noVNC for Kimchi's VM, he/she would not need other VNC client. I think this may be true in most cases, but it surprises you when you actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
>>>
>>> A method to mitigate the pain is that back-end only generates the password once, and have the front-end stores the generated password in cookie. Then we can change noVNC to read password from cookie to avoid exposing password in URL.
>>>
>>>> On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
>>>>> From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
>>>>>
>>>>> ticket support for guest
>>>>>
>>>>> ShaoHe Feng (4):
>>>>>   update API.md
>>>>>   ticket in backend: add a set ticket action for VM resource
>>>>>   support ticket in UI.
>>>>>   set the password for spice and VNC page.
>>>>>
>>>>>  docs/API.md                      |  4 ++++
>>>>>  src/kimchi/control/vms.py        |  1 +
>>>>>  src/kimchi/model/vms.py          | 28 ++++++++++++++++++++++++++++
>>>>>  ui/js/src/kimchi.api.js          | 33 ++++++++++++++++++++++++++++++++-
>>>>>  ui/pages/spice.html.tmpl         |  3 ++-
>>>>>  ui/pages/websockify/console.html |  5 +++++
>>>>>  6 files changed, 72 insertions(+), 2 deletions(-)
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel

On 5/26/2014 2:27 PM, Zhou Zheng Sheng wrote:
> on 2014/05/26 13:32, Yu Xin Huo wrote:
>> I strongly dislike the way to change password frequently.
>>
>> Password is designed for user to recognize himself for authentication. Frequently changing password makes password itself meaningless to user.
>>
>> As it is VNC password, this will almost make vnc inaccessible to user. Personally, I dislike to use browser to console the VM at all.
>>
>> I suspect whether there is *a justification reasonable enough* to take the way that "changing password".
>>
>> So please exactly clarify what *threat* this "change password" strategy is protecting against?
>
> Some back-end background.
>
> The problem is that noVNC and HTML5 Spice traffic is carried on websocket outside of Kimchi server. It operates as follows.
>
> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>
> Since Kimchi is out of this route, we don't have means to authenticate user. The user can copy the noVNC page URL to another machine without logging in to Kimchi, and he can still access VNC.
>
> The most practical method to prevent unauthenticated user from accessing VNC is to set VNC password on the hypervisor side. We thought of other means, but they either require too much work or involve too much transport redirection.
>
> The current approach is that, for VM created outside of Kimchi, we don't set password and everyone can visit it. For VM created outside of Kimchi but with VNC password, when the user connects it from noVNC, Kimchi reads the password and passes it to noVNC. For VM created by Kimchi, it generates a random password.

The only *security hole* is that *VNC password is not set* when a VM is created. A random VNC password needs to be generated once a VM is created to prevent any access to a VM.

> So far so good. A new problem is that currently noVNC client reads password from URL, and we don't want the password get leaked from the URL. We can make the password expire in short time and change it every time we connect. The whole process is transparent to the user, the password is generated every time, and passed to noVNC. Password generation does not affect established VNC session, it only affects new sessions.

Password should never be exposed as clear text (unencoded or unencrypted) no matter whether it is VNC password of "kimchi created VM" or "3rd party tool created". It is predictable that kimchi needs to manage a big number of VMs created by other tool. Again, password is privacy, it should never be exposed.

> Last time I mentioned this problem, most people thought that if the user has noVNC for Kimchi's VM, he/she would not need other VNC client. I think this may be true in most cases, but it surprises you when you actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.

We can not afford such an assumption with a risk to make kimchi totally fail in marketplace. If most users prefer to use other tool like "TigerVNC/UltraVNC/RealVNC/Virt-Viewer" and kimchi has a limitation that only noVNC in kimchi can be used. Such a disaster consumability issue will make kimchi totally fail.

> A method to mitigate the pain is that back-end only generates the password once, and have the front-end stores the generated password in cookie. Then we can change noVNC to read password from cookie to avoid exposing password in URL.

The backend should generate a random VNC password once a VM is created. We will need to add UI for kimchi user to change the default VNC password to get access to VNC. As we use https to pass the VNC password back and forth, it is safe, no need to change the password frequently. Password stored in cookie will not be exposed in URL, password should be removed from cookie once it is used. For this solution, just remove "change password".

>> On 5/20/2014 11:27 PM, shaohef@linux.vnet.ibm.com wrote:
>>> From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
>>>
>>> ticket support for guest
>>>
>>> ShaoHe Feng (4):
>>>   update API.md
>>>   ticket in backend: add a set ticket action for VM resource
>>>   support ticket in UI.
>>>   set the password for spice and VNC page.
>>>
>>>  docs/API.md                      |  4 ++++
>>>  src/kimchi/control/vms.py        |  1 +
>>>  src/kimchi/model/vms.py          | 28 ++++++++++++++++++++++++++++
>>>  ui/js/src/kimchi.api.js          | 33 ++++++++++++++++++++++++++++++++-
>>>  ui/pages/spice.html.tmpl         |  3 ++-
>>>  ui/pages/websockify/console.html |  5 +++++
>>>  6 files changed, 72 insertions(+), 2 deletions(-)
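The expiring-ticket idea debated in this thread (a random console password that stops working for new connections after a short time, 30 seconds by default in the proposed `setticket` action), as an added example that is not Kimchi's code from the patch series. It builds the libvirt `<graphics>` element with `passwd` and `passwdValidTo` for a constructed domain XML; the function names and the sample XML are assumptions, and pushing the element to a running guest through libvirt is left out so the block runs offline.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

VNC_PASSWORD_LEN = 8   # classic VNC auth uses only the first 8 characters
DEFAULT_EXPIRE = 30    # seconds; default proposed for the "setticket" action
ALPHABET = string.ascii_letters + string.digits

# Constructed sample: a guest whose VNC device has no password yet.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo-vm</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>
"""


def new_ticket(password=None, expire=DEFAULT_EXPIRE, now=None):
    """Return (password, valid_to) for one console connection attempt."""
    if expire <= 0:
        raise ValueError("expire must be a positive number of seconds")
    if password is None:
        # CSPRNG, so a ticket seen in one URL does not help predict the next
        password = "".join(secrets.choice(ALPHABET)
                           for _ in range(VNC_PASSWORD_LEN))
    now = now or datetime.now(timezone.utc)
    return password, now + timedelta(seconds=expire)


def graphics_with_ticket(domain_xml, password, valid_to):
    """Return the <graphics> element XML carrying the ticket and its expiry."""
    graphics = ET.fromstring(domain_xml).find("./devices/graphics")
    if graphics is None:
        raise ValueError("domain has no graphics device")
    graphics.tail = None  # drop surrounding whitespace from the serialization
    graphics.set("passwd", password)
    # libvirt interprets passwdValidTo as UTC, formatted YYYY-MM-DDTHH:MM:SS
    graphics.set("passwdValidTo", valid_to.strftime("%Y-%m-%dT%H:%M:%S"))
    return ET.tostring(graphics, encoding="unicode")


def ticket_is_valid(valid_to, now=None):
    """Model of the expiry check: only new connections are tested against it."""
    return (now or datetime.now(timezone.utc)) < valid_to
```

The expiry bounds how long a password copied out of a noVNC URL can open a new session; it does not help a third-party VNC client that expects a stable password, which is the usability objection raised in the replies.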
participants (9)
- Christy Perez
- Hongliang Wang
- Royce Lv
- shaohef@linux.vnet.ibm.com
- Sheldon
- Wang Wen
- wenwang
- Yu Xin Huo
- Zhou Zheng Sheng