10:27 a.m.
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4):
update API.md
ticket in backend: add a set ticket action for VM resource
support ticket in UI.
set the password for spice and VNC page.
docs/API.md | 4 ++++
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
ui/pages/spice.html.tmpl | 3 ++-
ui/pages/websockify/console.html | 5 +++++
6 files changed, 72 insertions(+), 2 deletions(-)
--
1.9.0
10:27 a.m.
New subject: [PATCH 1/4] update API.md
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
docs/API.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/docs/API.md b/docs/API.md
index 9217a37..d4b7291 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -111,6 +111,10 @@ the following general conventions:
**Actions (POST):**
+* setticket: set a ticket for VM, only the one get the ticket can access this VM.
+ * password *(optional)*: the password of ticket.
+ * expire *(optional)*: the ticket is invalid when expire, default is 30
+ seconds.
* start: Power on a VM
* poweroff: Power off a VM forcefully. Note this action may produce undesirable
results, for example unflushed disk cache in the guest.
--
1.9.0
3:17 p.m.
New subject: [PATCH 1/4] update API.md
Minor grammar changes...
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
docs/API.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/docs/API.md b/docs/API.md
index 9217a37..d4b7291 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -111,6 +111,10 @@ the following general conventions:
**Actions (POST):**
+* setticket: set a ticket for VM, only the one get the ticket can access this VM.
set a ticket for a VM. Only the one with the ticket can access this VM.
+ * password *(optional)*: the password of ticket.
+ * expire *(optional)*: the ticket is invalid when expire, default is 30
+ seconds.
Either change "expire" to
"expired" or here's a more concise suggestion:
: lifetime of a ticket. Default is 30s.
* start: Power on a VM
* poweroff: Power off a VM forcefully. Note this action may produce undesirable
results, for example unflushed disk cache in the guest.
Regards,
- Christy
9:52 p.m.
New subject: [PATCH 1/4] update API.md
On 05/21/2014 04:17 AM, Christy Perez wrote:
Minor grammar changes...
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> ---
> docs/API.md | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/docs/API.md b/docs/API.md
> index 9217a37..d4b7291 100644
> --- a/docs/API.md
> +++ b/docs/API.md
> @@ -111,6 +111,10 @@ the following general conventions:
>
> **Actions (POST):**
>
> +* setticket: set a ticket for VM, only the one get the ticket can access this VM.
set a ticket for a VM. Only the one with the ticket can access this VM.
> + * password *(optional)*: the password of ticket.
> + * expire *(optional)*: the ticket is invalid when expire, default is
30
> + seconds.
Either change "expire" to "expired" or here's a more concise
suggestion:
: lifetime of a ticket. Default is 30s.
ACK.
thanks for comment.
> * start: Power on a VM
> * poweroff: Power off a VM forcefully. Note this action may produce undesirable
> results, for example unflushed disk cache in the guest.
Regards,
- Christy
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
10:27 a.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Only the user who get the ticket can access the VM console.
the ticket will be invalid when its expire.
We just manange the VM create by kimchi.
We do not set the ticket for other VMs that created by other managerment tool.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
index 508f478..e3c72d1 100644
--- a/src/kimchi/control/vms.py
+++ b/src/kimchi/control/vms.py
@@ -37,6 +37,7 @@ class VM(Resource):
self.uri_fmt = '/vms/%s'
for ident, node in sub_nodes.items():
setattr(self, ident, node(model, self.ident))
+ self.setticket = self.generate_action_handler('setticket')
self.start = self.generate_action_handler('start')
self.poweroff = self.generate_action_handler('poweroff')
self.shutdown = self.generate_action_handler('shutdown')
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 17bda04..0daaea0 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -19,7 +19,10 @@
from lxml.builder import E
import lxml.etree as ET
+from lxml import etree, objectify
import os
+import random
+import string
import time
import uuid
from xml.etree import ElementTree
@@ -353,9 +356,14 @@ class VMModel(object):
graphics = self._vm_get_graphics(name)
graphics_type, graphics_listen, graphics_port = graphics
graphics_port = graphics_port if state == 'running' else None
+ passwd = None
try:
if state == 'running' and self._has_video(dom):
screenshot = self.vmscreenshot.lookup(name)
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ passwd = graphic.attrib.get('passwd')
elif state == 'shutoff':
# reset vm stats when it is powered off to avoid sending
# incorrect (old) data
@@ -394,6 +402,7 @@ class VMModel(object):
'graphics': {"type": graphics_type,
"listen": graphics_listen,
"port": graphics_port},
+ 'ticket': passwd,
'users': users,
'groups': groups
}
@@ -513,6 +522,25 @@ class VMModel(object):
else:
raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
+ dom = self.get_vm(name, self.conn)
+ version, distro = self.vm_get_os_metadata(dom)
+ if distro is None:
+ # this VM is not created by kimchi
+ return
+
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ password = password if password is not None else "".join(
+ random.sample(string.ascii_letters + string.digits, 8))
+ graphic.attrib['passwd'] = password
+ valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
+ time.gmtime(time.time() + float(expire)))
+ graphic.attrib['passwdValidTo'] = valid_to
+ graphic_xml = etree.tostring(graphic)
+ dom.updateDeviceFlags(graphic_xml, 0)
+
def _vmscreenshot_delete(self, vm_uuid):
screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
self.conn)
--
1.9.0
3:17 p.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
One comment inline...
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Only the user who get the ticket can access the VM console.
the ticket will be invalid when its expire.
We just manange the VM create by kimchi.
We do not set the ticket for other VMs that created by other managerment tool.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
index 508f478..e3c72d1 100644
--- a/src/kimchi/control/vms.py
+++ b/src/kimchi/control/vms.py
@@ -37,6 +37,7 @@ class VM(Resource):
self.uri_fmt = '/vms/%s'
for ident, node in sub_nodes.items():
setattr(self, ident, node(model, self.ident))
+ self.setticket = self.generate_action_handler('setticket')
self.start = self.generate_action_handler('start')
self.poweroff = self.generate_action_handler('poweroff')
self.shutdown = self.generate_action_handler('shutdown')
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 17bda04..0daaea0 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -19,7 +19,10 @@
from lxml.builder import E
import lxml.etree as ET
+from lxml import etree, objectify
import os
+import random
+import string
import time
import uuid
from xml.etree import ElementTree
@@ -353,9 +356,14 @@ class VMModel(object):
graphics = self._vm_get_graphics(name)
graphics_type, graphics_listen, graphics_port = graphics
graphics_port = graphics_port if state == 'running' else None
+ passwd = None
try:
if state == 'running' and self._has_video(dom):
screenshot = self.vmscreenshot.lookup(name)
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ passwd = graphic.attrib.get('passwd')
elif state == 'shutoff':
# reset vm stats when it is powered off to avoid sending
# incorrect (old) data
@@ -394,6 +402,7 @@ class VMModel(object):
'graphics': {"type": graphics_type,
"listen": graphics_listen,
"port": graphics_port},
+ 'ticket': passwd,
'users': users,
'groups': groups
}
@@ -513,6 +522,25 @@ class VMModel(object):
else:
raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
The default is 10, not
30?
+ dom = self.get_vm(name, self.conn)
+ version, distro = self.vm_get_os_metadata(dom)
+ if distro is None:
+ # this VM is not created by kimchi
+ return
+
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ password = password if password is not None else "".join(
+ random.sample(string.ascii_letters + string.digits, 8))
+ graphic.attrib['passwd'] = password
+ valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
+ time.gmtime(time.time() + float(expire)))
+ graphic.attrib['passwdValidTo'] = valid_to
+ graphic_xml = etree.tostring(graphic)
+ dom.updateDeviceFlags(graphic_xml, 0)
+
def _vmscreenshot_delete(self, vm_uuid):
screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
self.conn)
Regards,
- Christy
10:06 p.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
On 05/21/2014 04:17 AM, Christy Perez wrote:
One comment inline...
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Only the user who get the ticket can access the VM console.
>
> the ticket will be invalid when its expire.
>
> We just manange the VM create by kimchi.
> We do not set the ticket for other VMs that created by other managerment tool.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
> ---
> src/kimchi/control/vms.py | 1 +
> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
> index 508f478..e3c72d1 100644
> --- a/src/kimchi/control/vms.py
> +++ b/src/kimchi/control/vms.py
> @@ -37,6 +37,7 @@ class VM(Resource):
> self.uri_fmt = '/vms/%s'
> for ident, node in sub_nodes.items():
> setattr(self, ident, node(model, self.ident))
> + self.setticket = self.generate_action_handler('setticket')
> self.start = self.generate_action_handler('start')
> self.poweroff = self.generate_action_handler('poweroff')
> self.shutdown = self.generate_action_handler('shutdown')
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 17bda04..0daaea0 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -19,7 +19,10 @@
>
> from lxml.builder import E
> import lxml.etree as ET
> +from lxml import etree, objectify
> import os
> +import random
> +import string
> import time
> import uuid
> from xml.etree import ElementTree
> @@ -353,9 +356,14 @@ class VMModel(object):
> graphics = self._vm_get_graphics(name)
> graphics_type, graphics_listen, graphics_port = graphics
> graphics_port = graphics_port if state == 'running' else None
> + passwd = None
> try:
> if state == 'running' and self._has_video(dom):
> screenshot = self.vmscreenshot.lookup(name)
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + passwd = graphic.attrib.get('passwd')
> elif state == 'shutoff':
> # reset vm stats when it is powered off to avoid sending
> # incorrect (old) data
> @@ -394,6 +402,7 @@ class VMModel(object):
> 'graphics': {"type": graphics_type,
> "listen": graphics_listen,
> "port": graphics_port},
> + 'ticket': passwd,
> 'users': users,
> 'groups': groups
> }
> @@ -513,6 +522,25 @@ class VMModel(object):
> else:
> raise OperationFailed("KCHVM0010E", {'name': name})
>
> + def setticket(self, name, password=None, expire=10):
The default is 10, not 30?
still need to discuss about the default value.
now we can distinguish the guest are created by kimchi or other tools.
Now there's my proposal:
1. if the guest are created by other tools, such as virt-manager.
if he does not set a password, we will not let kimchi to add a password
for it.
if he sets a password for guest, we will not let kimchi to change the
password.
and we will not return this password to UI, we let user type in the
password by himself.
2. if the guest are created by kimchi.
kimchi set ticket. and UI get the ticket automatically to access guest.
so 10s maybe OK.
but we should consider:
do we allow other tools such as virt-manager to access the guest created
by kimchi?
Then 10s is not enough. and also how does the user get the ticket?
He use the virt-manager re-set the password?
or kimchi support a way to show them the password?
> + dom = self.get_vm(name, self.conn)
> + version, distro = self.vm_get_os_metadata(dom)
> + if distro is None:
> + # this VM is not created by kimchi
> + return
> +
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + password = password if password is not None else "".join(
> + random.sample(string.ascii_letters + string.digits, 8))
> + graphic.attrib['passwd'] = password
> + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
> + time.gmtime(time.time() + float(expire)))
> + graphic.attrib['passwdValidTo'] = valid_to
> + graphic_xml = etree.tostring(graphic)
> + dom.updateDeviceFlags(graphic_xml, 0)
> +
> def _vmscreenshot_delete(self, vm_uuid):
> screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
> self.conn)
Regards,
- Christy
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
1:59 a.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Only the user who get the ticket can access the VM console.
the ticket will be invalid when its expire.
We just manange the VM create by kimchi.
We do not set the ticket for other VMs that created by other managerment tool.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
index 508f478..e3c72d1 100644
--- a/src/kimchi/control/vms.py
+++ b/src/kimchi/control/vms.py
@@ -37,6 +37,7 @@ class VM(Resource):
self.uri_fmt = '/vms/%s'
for ident, node in sub_nodes.items():
setattr(self, ident, node(model, self.ident))
+ self.setticket = self.generate_action_handler('setticket')
self.start = self.generate_action_handler('start')
self.poweroff = self.generate_action_handler('poweroff')
self.shutdown = self.generate_action_handler('shutdown')
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 17bda04..0daaea0 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -19,7 +19,10 @@
from lxml.builder import E
import lxml.etree as ET
+from lxml import etree, objectify
import os
+import random
+import string
import time
import uuid
from xml.etree import ElementTree
@@ -353,9 +356,14 @@ class VMModel(object):
graphics = self._vm_get_graphics(name)
graphics_type, graphics_listen, graphics_port = graphics
graphics_port = graphics_port if state == 'running' else None
+ passwd = None
try:
if state == 'running' and self._has_video(dom):
screenshot = self.vmscreenshot.lookup(name)
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ passwd = graphic.attrib.get('passwd')
elif state == 'shutoff':
# reset vm stats when it is powered off to avoid sending
# incorrect (old) data
@@ -394,6 +402,7 @@ class VMModel(object):
'graphics': {"type": graphics_type,
"listen": graphics_listen,
"port": graphics_port},
+ 'ticket': passwd,
After talk with Zhengsheng, I got to
know the reason we want ticket for
all login user and do not distinguish any group,
I think it can be used here to prevent vnc connection be stolen by user
outside kimchi,
but this is not what ticket used for, right? We can't set ticket and
pass it in the vnc/spice client.
Or export the passwd to specific group user.
But I agree that we can make it as a future extension.
'users': users,
'groups': groups
}
@@ -513,6 +522,25 @@ class VMModel(object):
else:
raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
+ dom = self.get_vm(name, self.conn)
+ version, distro = self.vm_get_os_metadata(dom)
+ if distro is None:
+ # this VM is not created by kimchi
+ return
+
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ password = password if password is not None else "".join(
+ random.sample(string.ascii_letters + string.digits, 8))
+ graphic.attrib['passwd'] = password
+ valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
+ time.gmtime(time.time() + float(expire)))
+ graphic.attrib['passwdValidTo'] = valid_to
+ graphic_xml = etree.tostring(graphic)
+ dom.updateDeviceFlags(graphic_xml, 0)
+
def _vmscreenshot_delete(self, vm_uuid):
screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
self.conn)
4:12 a.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
On 05/21/2014 02:59 PM, Royce Lv wrote:
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Only the user who get the ticket can access the VM console.
>
> the ticket will be invalid when its expire.
>
> We just manange the VM create by kimchi.
> We do not set the ticket for other VMs that created by other
> managerment tool.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
> ---
> src/kimchi/control/vms.py | 1 +
> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
> index 508f478..e3c72d1 100644
> --- a/src/kimchi/control/vms.py
> +++ b/src/kimchi/control/vms.py
> @@ -37,6 +37,7 @@ class VM(Resource):
> self.uri_fmt = '/vms/%s'
> for ident, node in sub_nodes.items():
> setattr(self, ident, node(model, self.ident))
> + self.setticket = self.generate_action_handler('setticket')
> self.start = self.generate_action_handler('start')
> self.poweroff = self.generate_action_handler('poweroff')
> self.shutdown = self.generate_action_handler('shutdown')
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 17bda04..0daaea0 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -19,7 +19,10 @@
>
> from lxml.builder import E
> import lxml.etree as ET
> +from lxml import etree, objectify
> import os
> +import random
> +import string
> import time
> import uuid
> from xml.etree import ElementTree
> @@ -353,9 +356,14 @@ class VMModel(object):
> graphics = self._vm_get_graphics(name)
> graphics_type, graphics_listen, graphics_port = graphics
> graphics_port = graphics_port if state == 'running' else None
> + passwd = None
> try:
> if state == 'running' and self._has_video(dom):
> screenshot = self.vmscreenshot.lookup(name)
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + passwd = graphic.attrib.get('passwd')
> elif state == 'shutoff':
> # reset vm stats when it is powered off to avoid sending
> # incorrect (old) data
> @@ -394,6 +402,7 @@ class VMModel(object):
> 'graphics': {"type": graphics_type,
> "listen": graphics_listen,
> "port": graphics_port},
> + 'ticket': passwd,
After talk with Zhengsheng, I got to know the reason we want ticket
for all login user and do not distinguish any group,
I think it can be used here to prevent vnc connection be stolen by
user outside kimchi,
but this is not what ticket used for, right? We can't set ticket and
pass it in the vnc/spice client.
yes.
Or export the passwd to specific group user.
But I agree that we can make it as a future extension.
ACK
> 'users': users,
> 'groups': groups
> }
> @@ -513,6 +522,25 @@ class VMModel(object):
> else:
> raise OperationFailed("KCHVM0010E", {'name': name})
>
> + def setticket(self, name, password=None, expire=10):
> + dom = self.get_vm(name, self.conn)
> + version, distro = self.vm_get_os_metadata(dom)
> + if distro is None:
> + # this VM is not created by kimchi
> + return
> +
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + password = password if password is not None else "".join(
> + random.sample(string.ascii_letters + string.digits, 8))
> + graphic.attrib['passwd'] = password
> + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
> + time.gmtime(time.time() + float(expire)))
> + graphic.attrib['passwdValidTo'] = valid_to
> + graphic_xml = etree.tostring(graphic)
> + dom.updateDeviceFlags(graphic_xml, 0)
> +
> def _vmscreenshot_delete(self, vm_uuid):
> screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
> self.conn)
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
10:48 a.m.
New subject: [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
于 2014年05月20日 23:27, shaohef(a)linux.vnet.ibm.com 写道:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Only the user who get the ticket can access the VM console.
the ticket will be invalid when its expire.
We just manange the VM create by kimchi.
We do not set the ticket for other VMs that created by other managerment tool.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
index 508f478..e3c72d1 100644
--- a/src/kimchi/control/vms.py
+++ b/src/kimchi/control/vms.py
@@ -37,6 +37,7 @@ class VM(Resource):
self.uri_fmt = '/vms/%s'
for ident, node in sub_nodes.items():
setattr(self, ident, node(model, self.ident))
+ self.setticket = self.generate_action_handler('setticket')
self.start = self.generate_action_handler('start')
self.poweroff = self.generate_action_handler('poweroff')
self.shutdown = self.generate_action_handler('shutdown')
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 17bda04..0daaea0 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -19,7 +19,10 @@
from lxml.builder import E
import lxml.etree as ET
+from lxml import etree, objectify
import os
+import random
+import string
import time
import uuid
from xml.etree import ElementTree
@@ -353,9 +356,14 @@ class VMModel(object):
graphics = self._vm_get_graphics(name)
graphics_type, graphics_listen, graphics_port = graphics
graphics_port = graphics_port if state == 'running' else None
+ passwd = None
try:
if state == 'running' and self._has_video(dom):
screenshot = self.vmscreenshot.lookup(name)
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
+ passwd = graphic.attrib.get('passwd')
elif state == 'shutoff':
# reset vm stats when it is powered off to avoid sending
# incorrect (old) data
@@ -394,6 +402,7 @@ class VMModel(object):
'graphics': {"type": graphics_type,
"listen": graphics_listen,
"port": graphics_port},
+ 'ticket': passwd,
'users': users,
'groups': groups
}
@@ -513,6 +522,25 @@ class VMModel(object):
else:
raise OperationFailed("KCHVM0010E", {'name': name})
+ def setticket(self, name, password=None, expire=10):
+ dom = self.get_vm(name, self.conn)
+ version, distro = self.vm_get_os_metadata(dom)
+ if distro is None:
+ # this VM is not created by kimchi
+ return
+
+ xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
+ root = objectify.fromstring(xml)
+ graphic = root.devices.find("graphics")
It seems the code for getting password can be extracted into a new
function then we can reuse it.
+ password = password if password is not None else
"".join(
+ random.sample(string.ascii_letters + string.digits, 8))
+ graphic.attrib['passwd'] = password
+ valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
+ time.gmtime(time.time() + float(expire)))
+ graphic.attrib['passwdValidTo'] = valid_to
+ graphic_xml = etree.tostring(graphic)
+ dom.updateDeviceFlags(graphic_xml, 0)
+
def _vmscreenshot_delete(self, vm_uuid):
screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
self.conn)
--
Zhou Zheng Sheng / 周征晟
E-mail: zhshzhou(a)linux.vnet.ibm.com
Telephone: 86-10-82454397
10:27 a.m.
New subject: [PATCH 3/4] support ticket in UI.
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Add a set ticket API in UI.
set a ticket for a VM before connect it.
also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 7d85fdf..1a34b3b 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -311,6 +311,19 @@ var kimchi = {
});
},
+ setTicketVM: function(vm, data, suc, err, sync) {
+ kimchi.requestJSON({
+ url : kimchi.url + 'vms/' + encodeURIComponent(vm) +
'/setticket',
+ type : 'POST',
+ contentType : 'application/json',
+ dataType : 'json',
+ async : !sync,
+ data : JSON.stringify(data || {}),
+ success : suc,
+ error : err
+ });
+ },
+
vncToVM : function(vm) {
kimchi.requestJSON({
url : '/config',
@@ -318,16 +331,25 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
- }).done(function() {
+ }).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=vnc_auto.html&port=" +
proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM", ticket,
100);
window.open(url);
});
}).error(function() {
@@ -342,17 +364,26 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
}).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=spice.html&port=" + proxy_port;
url += "&listen=" + location.hostname;
url += "&token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM", ticket,
100);
window.open(url);
});
}).error(function() {
--
1.9.0
3:19 p.m.
New subject: [PATCH 3/4] support ticket in UI.
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Add a set ticket API in UI.
set a ticket for a VM before connect it.
also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 7d85fdf..1a34b3b 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -311,6 +311,19 @@ var kimchi = {
});
},
+ setTicketVM: function(vm, data, suc, err, sync) {
+ kimchi.requestJSON({
+ url : kimchi.url + 'vms/' + encodeURIComponent(vm) +
'/setticket',
+ type : 'POST',
+ contentType : 'application/json',
+ dataType : 'json',
+ async : !sync,
+ data : JSON.stringify(data || {}),
+ success : suc,
+ error : err
+ });
+ },
+
vncToVM : function(vm) {
kimchi.requestJSON({
url : '/config',
@@ -318,16 +331,25 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) +
"/connect",
type : "POST",
dataType : "json"
- }).done(function() {
+ }).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
url = 'https://' + location.hostname + ':' +
proxy_port;
url += "/console.html?url=vnc_auto.html&port=" +
proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM",
ticket, 100);
window.open(url);
});
}).error(function() {
@@ -342,17 +364,26 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) +
"/connect",
type : "POST",
dataType : "json"
}).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
url = 'https://' + location.hostname + ':' +
proxy_port;
url += "/console.html?url=spice.html&port=" + proxy_port;
url += "&listen=" + location.hostname;
url += "&token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM",
ticket, 100);
I had to change this a bit to get it to work for me:
+ if (ticket != null) kimchi.cookie.set("ticketVM",
ticket, 100);
After that, though, I could easily copy/paste in the password and the
VNC console came up. Very cool!
window.open(url);
});
}).error(function() {
Regards,
- Christy
2:01 a.m.
New subject: [PATCH 3/4] support ticket in UI.
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Add a set ticket API in UI.
set a ticket for a VM before connect it.
also set a cookie to store this ticket.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 7d85fdf..1a34b3b 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -311,6 +311,19 @@ var kimchi = {
});
},
+ setTicketVM: function(vm, data, suc, err, sync) {
+ kimchi.requestJSON({
+ url : kimchi.url + 'vms/' + encodeURIComponent(vm) +
'/setticket',
+ type : 'POST',
+ contentType : 'application/json',
+ dataType : 'json',
+ async : !sync,
+ data : JSON.stringify(data || {}),
+ success : suc,
+ error : err
+ });
+ },
+
vncToVM : function(vm) {
kimchi.requestJSON({
url : '/config',
@@ -318,16 +331,25 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) +
"/connect",
type : "POST",
dataType : "json"
- }).done(function() {
+ }).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
Intended or debug?
url = 'https://' + location.hostname +
':' + proxy_port;
url += "/console.html?url=vnc_auto.html&port=" +
proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM",
ticket, 100);
window.open(url);
});
}).error(function() {
@@ -342,17 +364,26 @@ var kimchi = {
dataType : 'json'
}).done(function(data, textStatus, xhr) {
proxy_port = data['display_proxy_port'];
+ var ticket;
+ kimchi.setTicketVM(vm, function(data) {
+ }, function(){
+ kimchi.message.error.code('KCHAPI6002E');
+ }, true);
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) +
"/connect",
type : "POST",
dataType : "json"
}).done(function(data, textStatus, xhr) {
+ ticket = data['ticket'];
+ alert(ticket)
url = 'https://' + location.hostname + ':' +
proxy_port;
url += "/console.html?url=spice.html&port=" +
proxy_port;
url += "&listen=" + location.hostname;
url += "&token=" + encodeURIComponent(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
+ kimchi.cookie.remove("ticketVM");
+ ticket != null && kimchi.cookie.set("ticketVM",
ticket, 100);
window.open(url);
});
}).error(function() {
2:49 a.m.
New subject: [PATCH 3/4] support ticket in UI.
On 05/21/2014 03:01 PM, Royce Lv wrote:
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Add a set ticket API in UI.
> set a ticket for a VM before connect it.
>
> also set a cookie to store this ticket.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
> ---
> ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
> 1 file changed, 32 insertions(+), 1 deletion(-)
>
> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
> index 7d85fdf..1a34b3b 100644
> --- a/ui/js/src/kimchi.api.js
> +++ b/ui/js/src/kimchi.api.js
> @@ -311,6 +311,19 @@ var kimchi = {
> });
> },
>
> + setTicketVM: function(vm, data, suc, err, sync) {
> + kimchi.requestJSON({
> + url : kimchi.url + 'vms/' + encodeURIComponent(vm) + '/setticket',
> + type : 'POST',
> + contentType : 'application/json',
> + dataType : 'json',
> + async : !sync,
> + data : JSON.stringify(data || {}),
> + success : suc,
> + error : err
> + });
> + },
> +
> vncToVM : function(vm) {
> kimchi.requestJSON({
> url : '/config',
> @@ -318,16 +331,25 @@ var kimchi = {
> dataType : 'json'
> }).done(function(data, textStatus, xhr) {
> proxy_port = data['display_proxy_port'];
> + var ticket;
> + kimchi.setTicketVM(vm, function(data) {
> + }, function(){
> + kimchi.message.error.code('KCHAPI6002E');
> + }, true);
> kimchi.requestJSON({
> url : "/vms/" + encodeURIComponent(vm) + "/connect",
> type : "POST",
> dataType : "json"
> - }).done(function() {
> + }).done(function(data, textStatus, xhr) {
> + ticket = data['ticket'];
> + alert(ticket)
Intended or debug?
good catch.
debug.
> url = 'https://' + location.hostname + ':' +
proxy_port;
> url += "/console.html?url=vnc_auto.html&port=" + proxy_port;
> url += "&path=?token=" + encodeURIComponent(vm);
> url += "&kimchi=" + location.port;
> url += '&encrypt=1';
> + kimchi.cookie.remove("ticketVM");
> + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100);
> window.open(url);
> });
> }).error(function() {
> @@ -342,17 +364,26 @@ var kimchi = {
> dataType : 'json'
> }).done(function(data, textStatus, xhr) {
> proxy_port = data['display_proxy_port'];
> + var ticket;
> + kimchi.setTicketVM(vm, function(data) {
> + }, function(){
> + kimchi.message.error.code('KCHAPI6002E');
> + }, true);
> kimchi.requestJSON({
> url : "/vms/" + encodeURIComponent(vm) + "/connect",
> type : "POST",
> dataType : "json"
> }).done(function(data, textStatus, xhr) {
> + ticket = data['ticket'];
> + alert(ticket)
> url = 'https://' + location.hostname + ':' + proxy_port;
> url += "/console.html?url=spice.html&port=" + proxy_port;
> url += "&listen=" + location.hostname;
> url += "&token=" + encodeURIComponent(vm);
> url += "&kimchi=" + location.port;
> url += '&encrypt=1';
> + kimchi.cookie.remove("ticketVM");
> + ticket != null && kimchi.cookie.set("ticketVM", ticket, 100);
> window.open(url);
> });
> }).error(function() {
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
10:27 a.m.
New subject: [PATCH 4/4] set the password for spice and VNC page.
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
get the password from cookie and pass them in url to spice and VNC page.
For spice we need to get the password from this url and pass it to
websocket connection.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
ui/pages/spice.html.tmpl | 3 ++-
ui/pages/websockify/console.html | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
index 213d216..c2bdffe 100644
--- a/ui/pages/spice.html.tmpl
+++ b/ui/pages/spice.html.tmpl
@@ -64,6 +64,7 @@
host = getParameter("listen");
port = getParameter("port");
token = getParameter("token");
+ password = getParameter("password")
document.getElementById("host").value = host;
document.getElementById("port").value = port;
if ((!host) || (!port)) {
@@ -82,7 +83,7 @@
screen_id : "spice-screen",
dump_id : "debug-div",
message_id : "message-div",
- password : "",
+ password : password,
onerror : spice_error
});
} catch (e) {
diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html
index a536e38..7706074 100644
--- a/ui/pages/websockify/console.html
+++ b/ui/pages/websockify/console.html
@@ -16,6 +16,11 @@
var url = "https://" + location.hostname + ":" + kimchi_port
+ "/";
url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?',
'g');
+ var match = cookieRe.exec(document.cookie);
+ var ticket = match ? decodeURIComponent(match[2]) : undefined;
+ url += ticket ? "&password=" + ticket : '';
+
window.location.replace(url)
}
</script>
--
1.9.0
3:43 a.m.
New subject: [PATCH 4/4] set the password for spice and VNC page.
From my personal perspective, I don't think changing password that
often is that good a solution.
Security is definitely our first priority for Kimchi whereas playing
with the password might not seem to be that professional. Our intention
is to make Kimchi a robust and secured tool for managing the VMs, due to
which, I have a thought might be of some help to this issue:
Since we want to prevent the connection from users who are not the maker
of certain VMs, Why not set a tag that indicate which user is authorized
to use certain VMs? It functions like this:
1) If the authentication by tags failed, we can disable any action from
that user.
2) VNC password is required and can be set either by Kimchi password or
user himself/herself, once set, users can use the SSO method to connect
VM using Kimchi and VNC has a password that user know.
3) For the issue of other users may connect to VMs by copying the url, I
think we can set a token that expire once logged in. Without the token,
User need to log in Kimchi again for safety concern.
Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
get the password from cookie and pass them in url to spice and VNC page.
For spice we need to get the password from this url and pass it to
websocket connection.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
ui/pages/spice.html.tmpl | 3 ++-
ui/pages/websockify/console.html | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
index 213d216..c2bdffe 100644
--- a/ui/pages/spice.html.tmpl
+++ b/ui/pages/spice.html.tmpl
@@ -64,6 +64,7 @@
host = getParameter("listen");
port = getParameter("port");
token = getParameter("token");
+ password = getParameter("password")
document.getElementById("host").value = host;
document.getElementById("port").value = port;
if ((!host) || (!port)) {
@@ -82,7 +83,7 @@
screen_id : "spice-screen",
dump_id : "debug-div",
message_id : "message-div",
- password : "",
+ password : password,
onerror : spice_error
});
} catch (e) {
diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html
index a536e38..7706074 100644
--- a/ui/pages/websockify/console.html
+++ b/ui/pages/websockify/console.html
@@ -16,6 +16,11 @@
var url = "https://" + location.hostname + ":" +
kimchi_port + "/";
url += path + query
+ var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?',
'g');
+ var match = cookieRe.exec(document.cookie);
+ var ticket = match ? decodeURIComponent(match[2]) : undefined;
+ url += ticket ? "&password=" + ticket : '';
+
window.location.replace(url)
}
</script>
9:14 a.m.
New subject: [PATCH 4/4] set the password for spice and VNC page.
On 05/26/2014 04:43 PM, wenwang wrote:
From my personal perspective, I don't think changing password
that
often is that good a solution.
Security is definitely our first priority for Kimchi whereas playing
with the password might not seem to be that professional. Our
intention is to make Kimchi a robust and secured tool for managing the
VMs, due to which, I have a thought might be of some help to this issue:
Since we want to prevent the connection from users who are not the
maker of certain VMs, Why not set a tag that indicate which user is
authorized to use certain VMs? It functions like this:
1) If the authentication by tags failed, we can disable any action
from that user.
do you means role on every action?
2) VNC password is required and can be set either by Kimchi password
or user himself/herself, once set, users can use the SSO method to
connect VM using Kimchi and VNC has a password that user know.
3) For the issue of other users may connect to VMs by copying the url,
I think we can set a token that expire once logged in. Without the
token, User need to log in Kimchi again for safety concern.
who will check the
token?
the http(s) server or ws(s) server?
Best Regards
Wang Wen
On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> get the password from cookie and pass them in url to spice and VNC page.
> For spice we need to get the password from this url and pass it to
> websocket connection.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> ---
> ui/pages/spice.html.tmpl | 3 ++-
> ui/pages/websockify/console.html | 5 +++++
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
> index 213d216..c2bdffe 100644
> --- a/ui/pages/spice.html.tmpl
> +++ b/ui/pages/spice.html.tmpl
> @@ -64,6 +64,7 @@
> host = getParameter("listen");
> port = getParameter("port");
> token = getParameter("token");
> + password = getParameter("password")
> document.getElementById("host").value = host;
> document.getElementById("port").value = port;
> if ((!host) || (!port)) {
> @@ -82,7 +83,7 @@
> screen_id : "spice-screen",
> dump_id : "debug-div",
> message_id : "message-div",
> - password : "",
> + password : password,
> onerror : spice_error
> });
> } catch (e) {
> diff --git a/ui/pages/websockify/console.html
> b/ui/pages/websockify/console.html
> index a536e38..7706074 100644
> --- a/ui/pages/websockify/console.html
> +++ b/ui/pages/websockify/console.html
> @@ -16,6 +16,11 @@
> var url = "https://" + location.hostname + ":" + kimchi_port +
"/";
> url += path + query
>
> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g');
> + var match = cookieRe.exec(document.cookie);
> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
> + url += ticket ? "&password=" + ticket : '';
> +
> window.location.replace(url)
> }
> </script>
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
8:54 p.m.
New subject: [PATCH 4/4] set the password for spice and VNC page.
On 05/26/2014 10:14 PM, Sheldon wrote:
On 05/26/2014 04:43 PM, wenwang wrote:
> From my personal perspective, I don't think changing password that
> often is that good a solution.
>
> Security is definitely our first priority for Kimchi whereas playing
> with the password might not seem to be that professional. Our
> intention is to make Kimchi a robust and secured tool for managing
> the VMs, due to which, I have a thought might be of some help to this
> issue:
>
> Since we want to prevent the connection from users who are not the
> maker of certain VMs, Why not set a tag that indicate which user is
> authorized to use certain VMs? It functions like this:
>
> 1) If the authentication by tags failed, we can disable any action
> from that user.
do you means role on every action?
What if we just break the connection from
unauthenticated users like if
one user doesn't have the right to connect certain VMs, just don't let
him connect to those VMs, He can do nothing that violet the security, right?
> 2) VNC password is required and can be set either by Kimchi password
> or user himself/herself, once set, users can use the SSO method to
> connect VM using Kimchi and VNC has a password that user know.
> 3) For the issue of other users may connect to VMs by copying the
> url, I think we can set a token that expire once logged in. Without
> the token, User need to log in Kimchi again for safety concern.
who will check the token?
the http(s) server or ws(s) server?
This token is for authentication check. so it
should be sent by the
server from VNC side and checked by them.
>
> Best Regards
>
> Wang Wen
>
>
> On 05/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>
>> get the password from cookie and pass them in url to spice and VNC
>> page.
>> For spice we need to get the password from this url and pass it to
>> websocket connection.
>>
>> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>> ---
>> ui/pages/spice.html.tmpl | 3 ++-
>> ui/pages/websockify/console.html | 5 +++++
>> 2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
>> index 213d216..c2bdffe 100644
>> --- a/ui/pages/spice.html.tmpl
>> +++ b/ui/pages/spice.html.tmpl
>> @@ -64,6 +64,7 @@
>> host = getParameter("listen");
>> port = getParameter("port");
>> token = getParameter("token");
>> + password = getParameter("password")
>> document.getElementById("host").value = host;
>> document.getElementById("port").value = port;
>> if ((!host) || (!port)) {
>> @@ -82,7 +83,7 @@
>> screen_id : "spice-screen",
>> dump_id : "debug-div",
>> message_id : "message-div",
>> - password : "",
>> + password : password,
>> onerror : spice_error
>> });
>> } catch (e) {
>> diff --git a/ui/pages/websockify/console.html
>> b/ui/pages/websockify/console.html
>> index a536e38..7706074 100644
>> --- a/ui/pages/websockify/console.html
>> +++ b/ui/pages/websockify/console.html
>> @@ -16,6 +16,11 @@
>> var url = "https://" + location.hostname + ":" + kimchi_port
+ "/";
>> url += path + query
>>
>> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?',
'g');
>> + var match = cookieRe.exec(document.cookie);
>> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
>> + url += ticket ? "&password=" + ticket : '';
>> +
>> window.location.replace(url)
>> }
>> </script>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
>
>
12:32 a.m.
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication.
Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user.
Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take
the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy
is protecting against?
On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
ticket support for guest
ShaoHe Feng (4):
update API.md
ticket in backend: add a set ticket action for VM resource
support ticket in UI.
set the password for spice and VNC page.
docs/API.md | 4 ++++
src/kimchi/control/vms.py | 1 +
src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
ui/pages/spice.html.tmpl | 3 ++-
ui/pages/websockify/console.html | 5 +++++
6 files changed, 72 insertions(+), 2 deletions(-)
1:27 a.m.
on 2014/05/26 13:32, Yu Xin Huo wrote:
I strongly dislike the way to change password frequently.
Password is designed for user to recognize himself for authentication.
Frequently changing password make password itself meaningless to user.
As it is VNC password, this will almost make vnc unaccessible to user.
Personally, I dislike to use browser to console the VM at all.
I suspect whether there is *a justification reasonable enough* to take
the way that "changing password".
So please exactly clarify what *threat* this "change password" strategy
is protecting against?
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on
websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate
user. The user can copy the noVNC page URL to another machine without
loggin to Kimchi, and he can still access VNC.
The most practical method to prevent unauthenticated user from accessing
VNC is to set VNC password on the hypervisor side. We thought of other
means, but they either requires too much work or involves too much
transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't
set password and everyone can visit it. For VM created outside of Kimchi
but with VNC password, when the user connects it from noVNC, Kimchi
reads the password and passes it to noVNC. For VM created by Kimchi, it
generates a random password.
So far so good. A new problem is that currently noVNC client reads
password from URL, and we don't want the password get leaked from the
URL. We can make the password expire in short time and change it every
time we connect. The whole process is transparent to the user, the
password is generated every time, and passed to noVNC. Password
generation does not affect established VNC session, it only affects new
sessions.
Last time I mentioned this problem, most people thought that if the user
has noVNC for Kimchi's VM, he/she would not need other VNC client. I
think this may be true in most cases, but it surprises you when you
actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
A method to mitigate the pain is that back-end only generates the
password once, and have the front-end stores the generated password in
cookie. Then we can change noVNC to read password from cookie to avoid
exposing password in URL.
On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> ticket support for guest
>
> ShaoHe Feng (4):
> update API.md
> ticket in backend: add a set ticket action for VM resource
> support ticket in UI.
> set the password for spice and VNC page.
>
> docs/API.md | 4 ++++
> src/kimchi/control/vms.py | 1 +
> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
> ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
> ui/pages/spice.html.tmpl | 3 ++-
> ui/pages/websockify/console.html | 5 +++++
> 6 files changed, 72 insertions(+), 2 deletions(-)
>
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
--
Zhou Zheng Sheng / 周征晟
E-mail: zhshzhou(a)linux.vnet.ibm.com
Telephone: 86-10-82454397
1:38 a.m.
On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
on 2014/05/26 13:32, Yu Xin Huo wrote:
> I strongly dislike the way to change password frequently.
>
> Password is designed for user to recognize himself for authentication.
> Frequently changing password make password itself meaningless to user.
>
> As it is VNC password, this will almost make vnc unaccessible to user.
> Personally, I dislike to use browser to console the VM at all.
>
> I suspect whether there is *a justification reasonable enough* to take
> the way that "changing password".
>
> So please exactly clarify what *threat* this "change password" strategy
> is protecting against?
>
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on
websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate
user. The user can copy the noVNC page URL to another machine without
loggin to Kimchi, and he can still access VNC.
For this part, I'd prefer access
VNC through any VNC viewer after I
created a VM, instead of only access it through Kimchi.
The most practical method to prevent unauthenticated user from accessing
VNC is to set VNC password on the hypervisor side. We thought of other
means, but they either requires too much work or involves too much
transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't
set password and everyone can visit it. For VM created outside of Kimchi
but with VNC password, when the user connects it from noVNC, Kimchi
reads the password and passes it to noVNC. For VM created by Kimchi, it
generates a random password.
So far so good. A new problem is that currently noVNC client reads
password from URL, and we don't want the password get leaked from the
URL. We can make the password expire in short time and change it every
time we connect. The whole process is transparent to the user, the
password is generated every time, and passed to noVNC. Password
generation does not affect established VNC session, it only affects new
sessions.
Last time I mentioned this problem, most people thought that if the user
has noVNC for Kimchi's VM, he/she would not need other VNC client. I
think this may be true in most cases, but it surprises you when you
actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
A method to mitigate the pain is that back-end only generates the
password once, and have the front-end stores the generated password in
cookie. Then we can change noVNC to read password from cookie to avoid
exposing password in URL.
> On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>
>> ticket support for guest
>>
>> ShaoHe Feng (4):
>> update API.md
>> ticket in backend: add a set ticket action for VM resource
>> support ticket in UI.
>> set the password for spice and VNC page.
>>
>> docs/API.md | 4 ++++
>> src/kimchi/control/vms.py | 1 +
>> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
>> ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
>> ui/pages/spice.html.tmpl | 3 ++-
>> ui/pages/websockify/console.html | 5 +++++
>> 6 files changed, 72 insertions(+), 2 deletions(-)
>>
>
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
2:01 a.m.
On 05/26/2014 02:38 PM, Hongliang Wang wrote:
On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
> on 2014/05/26 13:32, Yu Xin Huo wrote:
>> I strongly dislike the way to change password frequently.
>>
>> Password is designed for user to recognize himself for authentication.
>> Frequently changing password make password itself meaningless to user.
>>
>> As it is VNC password, this will almost make vnc unaccessible to user.
>> Personally, I dislike to use browser to console the VM at all.
>>
>> I suspect whether there is *a justification reasonable enough* to take
>> the way that "changing password".
>>
>> So please exactly clarify what *threat* this "change password"
strategy
>> is protecting against?
>>
> Some back-end background.
>
> The problem is that noVNC and HTML5 Spice traffic is carried on
> websocket outside of Kimchi server. It operates as following.
>
> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>
> Since Kimchi is out of this route, we don't have means to authenticate
> user. The user can copy the noVNC page URL to another machine without
> loggin to Kimchi, and he can still access VNC.
For this part, I'd prefer access VNC through any VNC viewer after I
created a VM, instead of only access it through Kimchi.
I checked Virt Manager just
now and it works the similar as your design
for Kimchi. So is it possible if I want to access Kimchi VM through VNC
clients (e.g., my browser is relatively too old to use noVNC) ? In this
case, I think a possible solution is:
1. Create a VM with bridged network that I can access it from other machines
2. Install VNC server in it
3. Configuration the VNC server
4. Access it through VNC clients
Does it make sense? So it will be a complete solution.
>
> The most practical method to prevent unauthenticated user from accessing
> VNC is to set VNC password on the hypervisor side. We thought of other
> means, but they either requires too much work or involves too much
> transport redirection.
>
> The current approach is that, for VM created outside of Kimchi, we don't
> set password and everyone can visit it. For VM created outside of Kimchi
> but with VNC password, when the user connects it from noVNC, Kimchi
> reads the password and passes it to noVNC. For VM created by Kimchi, it
> generates a random password.
>
> So far so good. A new problem is that currently noVNC client reads
> password from URL, and we don't want the password get leaked from the
> URL. We can make the password expire in short time and change it every
> time we connect. The whole process is transparent to the user, the
> password is generated every time, and passed to noVNC. Password
> generation does not affect established VNC session, it only affects new
> sessions.
>
> Last time I mentioned this problem, most people thought that if the user
> has noVNC for Kimchi's VM, he/she would not need other VNC client. I
> think this may be true in most cases, but it surprises you when you
> actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
>
> A method to mitigate the pain is that back-end only generates the
> password once, and have the front-end stores the generated password in
> cookie. Then we can change noVNC to read password from cookie to avoid
> exposing password in URL.
>
>> On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
>>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>>
>>> ticket support for guest
>>>
>>> ShaoHe Feng (4):
>>> update API.md
>>> ticket in backend: add a set ticket action for VM resource
>>> support ticket in UI.
>>> set the password for spice and VNC page.
>>>
>>> docs/API.md | 4 ++++
>>> src/kimchi/control/vms.py | 1 +
>>> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
>>> ui/js/src/kimchi.api.js | 33
>>> ++++++++++++++++++++++++++++++++-
>>> ui/pages/spice.html.tmpl | 3 ++-
>>> ui/pages/websockify/console.html | 5 +++++
>>> 6 files changed, 72 insertions(+), 2 deletions(-)
>>>
>>
>>
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
2:09 a.m.
于 2014年05月26日 15:01, Hongliang Wang 写道:
On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>
> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>> I strongly dislike the way to change password frequently.
>>>
>>> Password is designed for user to recognize himself for authentication.
>>> Frequently changing password make password itself meaningless to user.
>>>
>>> As it is VNC password, this will almost make vnc unaccessible to user.
>>> Personally, I dislike to use browser to console the VM at all.
>>>
>>> I suspect whether there is *a justification reasonable enough* to take
>>> the way that "changing password".
>>>
>>> So please exactly clarify what *threat* this "change password"
strategy
>>> is protecting against?
>>>
>> Some back-end background.
>>
>> The problem is that noVNC and HTML5 Spice traffic is carried on
>> websocket outside of Kimchi server. It operates as following.
>>
>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>
>> Since Kimchi is out of this route, we don't have means to authenticate
>> user. The user can copy the noVNC page URL to another machine without
>> loggin to Kimchi, and he can still access VNC.
> For this part, I'd prefer access VNC through any VNC viewer after I
> created a VM, instead of only access it through Kimchi.
I checked Virt Manager just now and it works the similar as your design
for Kimchi. So is it possible if I want to access Kimchi VM through VNC
clients (e.g., my browser is relatively too old to use noVNC) ? In this
case, I think a possible solution is:
1. Create a VM with bridged network that I can access it from other
machines
2. Install VNC server in it
3. Configuration the VNC server
4. Access it through VNC clients
Does it make sense? So it will be a complete solution.
Feasible. A small problem is that it uses guest network. If the user
wrongly configures the guest network, he/she would lose remote video
connection. Before installing guest OS and VNC, there is no remote video.
--
Zhou Zheng Sheng / 周征晟
E-mail: zhshzhou(a)linux.vnet.ibm.com
Telephone: 86-10-82454397
3 a.m.
On 5/26/2014 3:09 PM, Zhou Zheng Sheng wrote:
于 2014年05月26日 15:01, Hongliang Wang 写道:
> On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>>> I strongly dislike the way to change password frequently.
>>>>
>>>> Password is designed for user to recognize himself for authentication.
>>>> Frequently changing password make password itself meaningless to user.
>>>>
>>>> As it is VNC password, this will almost make vnc unaccessible to user.
>>>> Personally, I dislike to use browser to console the VM at all.
>>>>
>>>> I suspect whether there is *a justification reasonable enough* to take
>>>> the way that "changing password".
>>>>
>>>> So please exactly clarify what *threat* this "change password"
strategy
>>>> is protecting against?
>>>>
>>> Some back-end background.
>>>
>>> The problem is that noVNC and HTML5 Spice traffic is carried on
>>> websocket outside of Kimchi server. It operates as following.
>>>
>>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>>
>>> Since Kimchi is out of this route, we don't have means to authenticate
>>> user. The user can copy the noVNC page URL to another machine without
>>> loggin to Kimchi, and he can still access VNC.
>> For this part, I'd prefer access VNC through any VNC viewer after I
>> created a VM, instead of only access it through Kimchi.
> I checked Virt Manager just now and it works the similar as your design
> for Kimchi. So is it possible if I want to access Kimchi VM through VNC
> clients (e.g., my browser is relatively too old to use noVNC) ? In this
> case, I think a possible solution is:
> 1. Create a VM with bridged network that I can access it from other
> machines
> 2. Install VNC server in it
> 3. Configuration the VNC server
> 4. Access it through VNC clients
>
> Does it make sense? So it will be a complete solution.
Feasible. A small problem is that it uses guest network. If the user
wrongly configures the guest network, he/she would lose remote video
connection. Before installing guest OS and VNC, there is no remote video.
Kimchi support 3 types of network, user will base on their real needs to
configure VM's network. Not wrongly configured.
For all these 3 types of network, the VM need VNC access.
3:17 a.m.
on 2014/05/26 16:00, Yu Xin Huo wrote:
On 5/26/2014 3:09 PM, Zhou Zheng Sheng wrote:
> 于 2014年05月26日 15:01, Hongliang Wang 写道:
>> On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>>> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>>>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>>>> I strongly dislike the way to change password frequently.
>>>>>
>>>>> Password is designed for user to recognize himself for
>>>>> authentication.
>>>>> Frequently changing password make password itself meaningless to
>>>>> user.
>>>>>
>>>>> As it is VNC password, this will almost make vnc unaccessible to
>>>>> user.
>>>>> Personally, I dislike to use browser to console the VM at all.
>>>>>
>>>>> I suspect whether there is *a justification reasonable enough* to
>>>>> take
>>>>> the way that "changing password".
>>>>>
>>>>> So please exactly clarify what *threat* this "change
password"
>>>>> strategy
>>>>> is protecting against?
>>>>>
>>>> Some back-end background.
>>>>
>>>> The problem is that noVNC and HTML5 Spice traffic is carried on
>>>> websocket outside of Kimchi server. It operates as following.
>>>>
>>>> noVNC --websocket--> websockify --tcp-> VNC server of the
hypervisor.
>>>>
>>>> Since Kimchi is out of this route, we don't have means to
authenticate
>>>> user. The user can copy the noVNC page URL to another machine without
>>>> loggin to Kimchi, and he can still access VNC.
>>> For this part, I'd prefer access VNC through any VNC viewer after I
>>> created a VM, instead of only access it through Kimchi.
>> I checked Virt Manager just now and it works the similar as your design
>> for Kimchi. So is it possible if I want to access Kimchi VM through VNC
>> clients (e.g., my browser is relatively too old to use noVNC) ? In this
>> case, I think a possible solution is:
>> 1. Create a VM with bridged network that I can access it from other
>> machines
>> 2. Install VNC server in it
>> 3. Configuration the VNC server
>> 4. Access it through VNC clients
>>
>> Does it make sense? So it will be a complete solution.
> Feasible. A small problem is that it uses guest network. If the user
> wrongly configures the guest network, he/she would lose remote video
> connection. Before installing guest OS and VNC, there is no remote video.
>
Kimchi support 3 types of network, user will base on their real needs to
configure VM's network. Not wrongly configured.
For all these 3 types of network, the VM need VNC access.
Though I am not for this solution, it is always feasible to create an
extra bridge guest network for management purpose. Even for the
"isolated" type of network, it's possible to create a "isolated
bridged
management network" using VXLAN or something like that. Another thing
you misunderstood me is that I meant wrongly configure the network
settings in the guest OS. So in all, my previous message is to say
though it's feasible to use guest network, it's not reliable for
management purpose.
--
Zhou Zheng Sheng / 周征晟
E-mail: zhshzhou(a)linux.vnet.ibm.com
Telephone: 86-10-82454397
2:55 a.m.
On 5/26/2014 3:01 PM, Hongliang Wang wrote:
On 05/26/2014 02:38 PM, Hongliang Wang wrote:
>
> On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote:
>> on 2014/05/26 13:32, Yu Xin Huo wrote:
>>> I strongly dislike the way to change password frequently.
>>>
>>> Password is designed for user to recognize himself for authentication.
>>> Frequently changing password make password itself meaningless to user.
>>>
>>> As it is VNC password, this will almost make vnc unaccessible to user.
>>> Personally, I dislike to use browser to console the VM at all.
>>>
>>> I suspect whether there is *a justification reasonable enough* to take
>>> the way that "changing password".
>>>
>>> So please exactly clarify what *threat* this "change password"
>>> strategy
>>> is protecting against?
>>>
>> Some back-end background.
>>
>> The problem is that noVNC and HTML5 Spice traffic is carried on
>> websocket outside of Kimchi server. It operates as following.
>>
>> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
>>
>> Since Kimchi is out of this route, we don't have means to authenticate
>> user. The user can copy the noVNC page URL to another machine without
>> loggin to Kimchi, and he can still access VNC.
> For this part, I'd prefer access VNC through any VNC viewer after I
> created a VM, instead of only access it through Kimchi.
I checked Virt Manager just now and it works the similar as your
design for Kimchi. So is it possible if I want to access Kimchi VM
through VNC clients (e.g., my browser is relatively too old to use
noVNC) ? In this case, I think a possible solution is:
1. Create a VM with bridged network that I can access it from other
machines
2. Install VNC server in it
3. Configuration the VNC server
4. Access it through VNC clients
Does it make sense? So it will be a complete solution.
For a VM configured with any
type of network, 'isolated', 'NAT',
'bridged', it must be able to be accessed through VNC console.
As VM with 'isolated' and 'NAT' network can not be accessed from
outside, so can not depend on VNC on guest.
>>
>> The most practical method to prevent unauthenticated user from
>> accessing
>> VNC is to set VNC password on the hypervisor side. We thought of other
>> means, but they either requires too much work or involves too much
>> transport redirection.
>>
>> The current approach is that, for VM created outside of Kimchi, we
>> don't
>> set password and everyone can visit it. For VM created outside of
>> Kimchi
>> but with VNC password, when the user connects it from noVNC, Kimchi
>> reads the password and passes it to noVNC. For VM created by Kimchi, it
>> generates a random password.
>>
>> So far so good. A new problem is that currently noVNC client reads
>> password from URL, and we don't want the password get leaked from the
>> URL. We can make the password expire in short time and change it every
>> time we connect. The whole process is transparent to the user, the
>> password is generated every time, and passed to noVNC. Password
>> generation does not affect established VNC session, it only affects new
>> sessions.
>>
>> Last time I mentioned this problem, most people thought that if the
>> user
>> has noVNC for Kimchi's VM, he/she would not need other VNC client. I
>> think this may be true in most cases, but it surprises you when you
>> actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
>>
>> A method to mitigate the pain is that back-end only generates the
>> password once, and have the front-end stores the generated password in
>> cookie. Then we can change noVNC to read password from cookie to avoid
>> exposing password in URL.
>>
>>> On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
>>>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>>>
>>>> ticket support for guest
>>>>
>>>> ShaoHe Feng (4):
>>>> update API.md
>>>> ticket in backend: add a set ticket action for VM resource
>>>> support ticket in UI.
>>>> set the password for spice and VNC page.
>>>>
>>>> docs/API.md | 4 ++++
>>>> src/kimchi/control/vms.py | 1 +
>>>> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
>>>> ui/js/src/kimchi.api.js | 33
>>>> ++++++++++++++++++++++++++++++++-
>>>> ui/pages/spice.html.tmpl | 3 ++-
>>>> ui/pages/websockify/console.html | 5 +++++
>>>> 6 files changed, 72 insertions(+), 2 deletions(-)
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Kimchi-devel mailing list
>>> Kimchi-devel(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>>
>>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
2:39 a.m.
On 5/26/2014 2:27 PM, Zhou Zheng Sheng wrote:
on 2014/05/26 13:32, Yu Xin Huo wrote:
> I strongly dislike the way to change password frequently.
>
> Password is designed for user to recognize himself for authentication.
> Frequently changing password make password itself meaningless to user.
>
> As it is VNC password, this will almost make vnc unaccessible to user.
> Personally, I dislike to use browser to console the VM at all.
>
> I suspect whether there is *a justification reasonable enough* to take
> the way that "changing password".
>
> So please exactly clarify what *threat* this "change password" strategy
> is protecting against?
>
Some back-end background.
The problem is that noVNC and HTML5 Spice traffic is carried on
websocket outside of Kimchi server. It operates as following.
noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor.
Since Kimchi is out of this route, we don't have means to authenticate
user. The user can copy the noVNC page URL to another machine without
loggin to Kimchi, and he can still access VNC.
The most practical method to prevent unauthenticated user from accessing
VNC is to set VNC password on the hypervisor side. We thought of other
means, but they either requires too much work or involves too much
transport redirection.
The current approach is that, for VM created outside of Kimchi, we don't
set password and everyone can visit it. For VM created outside of Kimchi
but with VNC password, when the user connects it from noVNC, Kimchi
reads the password and passes it to noVNC. For VM created by Kimchi, it
generates a random password.
The only *security hole* is that *VNC password is not
set* when an VM is
created.
A random VNC password need to be generated once a VM is created to
prevent any access to a VM.
So far so good. A new problem is that currently noVNC client reads
password from URL, and we don't want the password get leaked from the
URL. We can make the password expire in short time and change it every
time we connect. The whole process is transparent to the user, the
password is generated every time, and passed to noVNC. Password
generation does not affect established VNC session, it only affects new
sessions.
Password should never be exposed as clear text(unencoded or unencripted)
no matter whether it is VNC password of "kimchi created VM" or "3rd
party tool created".
It is predictable that kimchi need to manage a big number of VMs created
by other tool.
Again, password is privacy, it should be never be exposed.
Last time I mentioned this problem, most people thought that if the user
has noVNC for Kimchi's VM, he/she would not need other VNC client. I
think this may be true in most cases, but it surprises you when you
actually want to use TigerVNC/UltraVNC/RealVNC/Virt-Viewer.
We can not afford to
such an assumption with a risk to make kimchi
totally fail in marketplace.
If most users prefer to use other tool like
"TigerVNC/UltraVNC/RealVNC/Virt-Viewer" and kimchi has a limitation that
only noVNC in kimchi can be used.
Such a disaster consumability issue will make kimchi totally fail.
A method to mitigate the pain is that back-end only generates the
password once, and have the front-end stores the generated password in
cookie. Then we can change noVNC to read password from cookie to avoid
exposing password in URL.
The backend should generate a random VNC password once a
VM is created.
We will need to add UI for kimchi user to change the default VNC
password to get access to VNC.
As we use https to pass the VNC password back and forth, it is safe, no
need to change the password frequently.
Password stored in cookie will not be exposed in URL, password should be
removed from cookie once it is used.
For this solution, just remove "change password".
> On 5/20/2014 11:27 PM, shaohef(a)linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>
>> ticket support for guest
>>
>> ShaoHe Feng (4):
>> update API.md
>> ticket in backend: add a set ticket action for VM resource
>> support ticket in UI.
>> set the password for spice and VNC page.
>>
>> docs/API.md | 4 ++++
>> src/kimchi/control/vms.py | 1 +
>> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
>> ui/js/src/kimchi.api.js | 33 ++++++++++++++++++++++++++++++++-
>> ui/pages/spice.html.tmpl | 3 ++-
>> ui/pages/websockify/console.html | 5 +++++
>> 6 files changed, 72 insertions(+), 2 deletions(-)
>>
>
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
3621
days inactive
3628
days old
26 comments
9 participants
participants (9)
-
Christy Perez -
Hongliang Wang -
Royce Lv -
shaohef@linux.vnet.ibm.com -
Sheldon
-
Wang Wen -
wenwang
-
Yu Xin Huo -
Zhou Zheng Sheng