[ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner

Vojtech Szocs vszocs at redhat.com
Thu Sep 25 10:50:53 UTC 2014



----- Original Message -----
> From: "Martin Sivak" <msivak at redhat.com>
> To: "Vojtech Szocs" <vszocs at redhat.com>
> Cc: "Piotr Kliczewski" <piotr.kliczewski at gmail.com>, devel at ovirt.org
> Sent: Monday, September 22, 2014 2:04:32 PM
> Subject: Re: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
> 
> > Disabling mixed "active" content in browser is not a proper solution.
> > UI plugin should load its content in a way that is compatible with
> > protocol (i.e. HTTPS) used for enclosing page.
> 
> It is the only solution when the remote service does not support SSL. We
> might include SSL in some later version, but not for 3.5.

If you're requesting a remote service directly from within an HTTPS context,
and this remote service doesn't support HTTPS access, you are correct:
the only option is to disable mixed active content in the browser.

However, you could also work around this problem via a proxy, for example.

> 
> > Loading HTTP content in HTTPS page is considered security vulnerability
> > and should be avoided. By default, Firefox blocks mixed "active" content.
> 
> I noticed and there is nothing I can do about that, but I never saw the
> rationale for that. Although I can see how M-i-M could compromise https page
> if handled poorly.

I think that [1] explains the rationale behind mixed content, which is
divided into two separate categories (active content & display content).

[1] https://developer.mozilla.org/en-US/docs/Security/MixedContent

Sniffers can steal sensitive data sent over HTTP. A man-in-the-middle attacker
can rewrite an HTTP response to gain access to parts of the web page (DOM) and
ultimately compromise the security of the whole (HTTPS) page. This is why browsers
typically block mixed active content (XMLHttpRequest, <iframe>, <script>,
etc.)

> 
> > This happens when WebAdmin page is loaded as HTTPS and UI plugin uses
> > "active" content (XHR object, <script> etc.) that loads data as HTTP.
> 
> JSON is hardly active. But again.. I can't change the browser.

Maliciously rewritten JSON can become active, containing functions. When
interpreted via eval(), it becomes a security issue. This is one of the reasons
why JSON.parse() was added to the ES5 spec: to safely evaluate JSON strings.

> 
> --
> Martin Sivák
> msivak at redhat.com
> Red Hat Czech
> RHEV-M SLA / Brno, CZ
> 
> ----- Original Message -----
> > 
> > 
> > ----- Original Message -----
> > > From: "Piotr Kliczewski" <piotr.kliczewski at gmail.com>
> > > To: devel at ovirt.org
> > > Sent: Wednesday, September 17, 2014 5:25:23 PM
> > > Subject: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
> > > 
> > > Hi,
> > > 
> > > I followed deployment manual from [1] and configured two DCs with
> > > single cluster each.
> > > During configuration of the UI I noticed that in optimizer result tab
> > > there
> > > was:
> > > 
> > > Status: Data refresh failed: undefined
> > > 
> > > with Martin's help we found that when setting
> > > 
> > > security.mixed_content.block_active_content
> > 
> > This happens when WebAdmin page is loaded as HTTPS and UI plugin uses
> > "active" content (XHR object, <script> etc.) that loads data as HTTP.
> > 
> > Loading HTTP content in HTTPS page is considered security vulnerability
> > and should be avoided. By default, Firefox blocks mixed "active" content.
> > 
> > More details here: https://support.mozilla.org/en-US/questions/967115
> > 
> > Disabling mixed "active" content in browser is not a proper solution.
> > UI plugin should load its content in a way that is compatible with
> > protocol (i.e. HTTPS) used for enclosing page.
> > 
> > > 
> > > to false in FF configuration it works and I can see:
> > > 
> > > Status: Solution received
> > > 
> > > During the installation of second host network configuration failed
> > > and I opened BZ [2].
> > > When I restored network configuration to the host I wanted to
> > > provision vms to see optaplanner
> > > suggestions but my rhel6 failed to start any vms due to:
> > > 
> > > Thread-8102::DEBUG::2014-09-17
> > > 16:36:16,216::libvirtconnection::143::root::(wrapper) Unknown
> > > libvirterror: ecode: 38 edom: 0 level: 2 message: Child quit during
> > > startup handshake: Input/output error
> > > Thread-8102::DEBUG::2014-09-17
> > > 16:36:16,217::vm::2289::vm.Vm::(_startUnderlyingVm)
> > > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::_ongoingCreations
> > > released
> > > Thread-8102::ERROR::2014-09-17
> > > 16:36:16,217::vm::2326::vm.Vm::(_startUnderlyingVm)
> > > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::The vm start process
> > > failed
> > > Traceback (most recent call last):
> > >   File "/usr/share/vdsm/virt/vm.py", line 2266, in _startUnderlyingVm
> > >     self._run()
> > >   File "/usr/share/vdsm/virt/vm.py", line 3368, in _run
> > >     self._connection.createXML(domxml, flags),
> > >   File "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py",
> > > line 111, in wrapper
> > >     ret = f(*args, **kwargs)
> > >   File "/usr/lib64/python2.6/site-packages/libvirt.py", line 2665, in
> > >   createXML
> > >     if ret is None:raise libvirtError('virDomainCreateXML() failed',
> > >     conn=self)
> > > libvirtError: Child quit during startup handshake: Input/output error
> > > Thread-8102::DEBUG::2014-09-17
> > > 16:36:16,218::vm::2838::vm.Vm::(setDownStatus)
> > > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::Changed state to Down:
> > > Child quit during startup handshake: Input/output error (code=1)
> > > 
> > > Vdsm is not able to start any vms but engine still thinks that host is
> > > 'UP'.
> > > 
> > > Thanks,
> > > Piotr
> > > 
> > > [1] http://www.ovirt.org/Features/Optaplanner
> > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1142909
> > > _______________________________________________
> > > Devel mailing list
> > > Devel at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/devel
> > > 
> 
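An added example (JavaScript for Node.js; not code from this thread or from the oVirt UI plugin) illustrating the two points above: the same tampered response body runs code under eval() but is rejected by JSON.parse(), and a small check for the mixed-content rule (HTTPS page pulling active content over HTTP). The response bodies and URLs are constructed samples.

```javascript
'use strict';

// Side-effect sink so we can observe whether injected code actually ran.
const sideEffects = { calls: 0 };

// Constructed sample: what the optimizer service legitimately returns.
const GOOD_JSON = '{"status":"Solution received","vms":["vm1","vm2"]}';

// Constructed sample: the same body after a man-in-the-middle rewrote it in
// transit over plain HTTP. It is valid JavaScript, but NOT valid JSON.
const TAMPERED_JSON =
  '{"status":"Solution received","vms":(function(){sideEffects.calls++;return [];})()}';

// Legacy pre-ES5 parser: wrap the body in parentheses and eval() it.
// Any code embedded in the body executes with the page's privileges.
function parseWithEval(body) {
  // eslint-disable-next-line no-eval
  return eval('(' + body + ')');
}

// Safe parser: JSON.parse() accepts only the JSON grammar and throws a
// SyntaxError on anything else, so injected code never runs.
function parseSafely(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Mixed-content rule discussed in the thread: a page served over HTTPS must
// not load active content (XHR, <script>, <iframe>) from a plain-HTTP URL.
// Returns true when a browser would block the request as mixed active content.
function isBlockedMixedActive(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  return page.protocol === 'https:' && res.protocol === 'http:';
}
```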


