[Kimchi-devel] [PATCH 2/4] ticket in backend: add a set ticket action for VM resource
Sheldon
shaohef at linux.vnet.ibm.com
Wed May 21 09:12:15 UTC 2014
On 05/21/2014 02:59 PM, Royce Lv wrote:
> On 05/20/2014 11:27 PM, shaohef at linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>
>> Only the user who gets the ticket can access the VM console.
>>
>> The ticket becomes invalid when it expires.
>>
>> We only manage the VMs created by kimchi.
>> We do not set the ticket for VMs that were created by other
>> management tools.
>>
>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>> Signed-off-by: Zhou Zheng Sheng <zhshzhou at linux.vnet.ibm.com>
>> ---
>> src/kimchi/control/vms.py | 1 +
>> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
>> 2 files changed, 29 insertions(+)
>>
>> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
>> index 508f478..e3c72d1 100644
>> --- a/src/kimchi/control/vms.py
>> +++ b/src/kimchi/control/vms.py
>> @@ -37,6 +37,7 @@ class VM(Resource):
>> self.uri_fmt = '/vms/%s'
>> for ident, node in sub_nodes.items():
>> setattr(self, ident, node(model, self.ident))
>> + self.setticket = self.generate_action_handler('setticket')
>> self.start = self.generate_action_handler('start')
>> self.poweroff = self.generate_action_handler('poweroff')
>> self.shutdown = self.generate_action_handler('shutdown')
>> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
>> index 17bda04..0daaea0 100644
>> --- a/src/kimchi/model/vms.py
>> +++ b/src/kimchi/model/vms.py
>> @@ -19,7 +19,10 @@
>>
>> from lxml.builder import E
>> import lxml.etree as ET
>> +from lxml import etree, objectify
>> import os
>> +import random
>> +import string
>> import time
>> import uuid
>> from xml.etree import ElementTree
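Review bot: `from lxml import etree, objectify` binds lxml.etree a second time, since the line above it already imports the module as `ET`. Importing only `from lxml import objectify` and calling `ET.tostring(graphic)` in `setticket` would keep a single name for the module in this file.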
>> @@ -353,9 +356,14 @@ class VMModel(object):
>> graphics = self._vm_get_graphics(name)
>> graphics_type, graphics_listen, graphics_port = graphics
>> graphics_port = graphics_port if state == 'running' else None
>> + passwd = None
>> try:
>> if state == 'running' and self._has_video(dom):
>> screenshot = self.vmscreenshot.lookup(name)
>> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
>> + root = objectify.fromstring(xml)
>> + graphic = root.devices.find("graphics")
>> + passwd = graphic.attrib.get('passwd')
>> elif state == 'shutoff':
>> # reset vm stats when it is powered off to avoid sending
>> # incorrect (old) data
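Review bot: `root.devices.find("graphics")` returns None when the domain XML has no graphics element, and the next line then fails on `graphic.attrib`. The guard above it checks `_has_video(dom)`, which by its name tests the video device rather than graphics, and the `except` clauses of this `try` lie outside the hunk, so it is not visible whether that AttributeError is handled. A guard such as `passwd = graphic.attrib.get('passwd') if graphic is not None else None` avoids the failure. The same unguarded lookup appears in `setticket` in the last hunk; the enclosing method here begins and ends outside the hunk.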
>> @@ -394,6 +402,7 @@ class VMModel(object):
>> 'graphics': {"type": graphics_type,
>> "listen": graphics_listen,
>> "port": graphics_port},
>> + 'ticket': passwd,
> After talk with Zhengsheng, I got to know the reason we want ticket
> for all login user and do not distinguish any group,
> I think it can be used here to prevent vnc connection be stolen by
> user outside kimchi,
> but this is not what ticket used for, right? We can't set ticket and
> pass it in the vnc/spice client.
yes.
> Or export the passwd to specific group user.
> But I agree that we can make it as a future extension.
ACK
>> 'users': users,
>> 'groups': groups
>> }
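Review bot: The `'ticket'` key returns the password on every lookup but not the `passwdValidTo` value that `setticket` writes, so a client cannot tell a live ticket from an expired one (assuming libvirt keeps reporting the attribute after expiry). Reading `graphic.attrib.get('passwdValidTo')` next to `passwd` and returning both would let the client decide when to request a new ticket. Because the field is a credential, a comment on the key such as `# secret: keep out of logs and cached responses` would help later maintainers. The dict and its method start outside this hunk.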
>> @@ -513,6 +522,25 @@ class VMModel(object):
>> else:
>> raise OperationFailed("KCHVM0010E", {'name': name})
>>
>> + def setticket(self, name, password=None, expire=10):
>> + dom = self.get_vm(name, self.conn)
>> + version, distro = self.vm_get_os_metadata(dom)
>> + if distro is None:
>> + # this VM is not created by kimchi
>> + return
>> +
>> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
>> + root = objectify.fromstring(xml)
>> + graphic = root.devices.find("graphics")
>> + password = password if password is not None else "".join(
>> + random.sample(string.ascii_letters + string.digits, 8))
>> + graphic.attrib['passwd'] = password
>> + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
>> + time.gmtime(time.time() + float(expire)))
>> + graphic.attrib['passwdValidTo'] = valid_to
>> + graphic_xml = etree.tostring(graphic)
>> + dom.updateDeviceFlags(graphic_xml, 0)
>> +
>> def _vmscreenshot_delete(self, vm_uuid):
>> screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
>> self.conn)
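Review bot: The default password in `setticket` comes from `random.sample`, which uses the module's non-cryptographic generator and draws without replacement, so no character repeats and the ticket space is smaller than 62^8. As this value is the only credential for the console, it should come from the OS source: `rng = random.SystemRandom()` followed by `"".join(rng.choice(string.ascii_letters + string.digits) for _ in range(8))`. `float(expire)` is used as given, so a non-numeric value raises ValueError and a negative one sets a ticket that is already expired; a range check before `time.gmtime` would cover both. For a VM not created by kimchi the method returns silently, which the caller cannot distinguish from success.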
>
>
>
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center