[Kimchi-devel] [PATCH 4/4] set the password for spice and VNC page.

Sheldon shaohef at linux.vnet.ibm.com
Mon May 26 14:14:35 UTC 2014


On 05/26/2014 04:43 PM, wenwang wrote:
> From my personal perspective, I don't think changing the password that
> often is that good a solution.
>
> Security is definitely our first priority for Kimchi, whereas playing
> with the password might not seem to be that professional. Our
> intention is to make Kimchi a robust and secure tool for managing the
> VMs, due to which I have a thought that might be of some help with this issue:
>
> Since we want to prevent connections from users who are not the
> maker of certain VMs, why not set a tag that indicates which user is
> authorized to use certain VMs? It functions like this:
>
> 1) If the authentication by tags failed, we can disable any action 
> from that user.
Do you mean a role on every action?
> 2) A VNC password is required and can be set either by Kimchi
> or by the user himself/herself; once set, users can use the SSO method to
> connect to the VM using Kimchi, and VNC has a password that the user knows.
> 3) For the issue that other users may connect to VMs by copying the URL,
> I think we can set a token that expires once logged in. Without the
> token, the user needs to log in to Kimchi again for safety concerns.
Who will check the token?
The http(s) server or the ws(s) server?
>
> Best Regards
>
> Wang Wen
>
>
> On 05/20/2014 11:27 PM, shaohef at linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>
>> Get the password from the cookie and pass it in the URL to the spice and VNC pages.
>> For spice we need to get the password from this URL and pass it to
>> the websocket connection.
>>
>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>> ---
>> ui/pages/spice.html.tmpl | 3 ++-
>> ui/pages/websockify/console.html | 5 +++++
>> 2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/ui/pages/spice.html.tmpl b/ui/pages/spice.html.tmpl
>> index 213d216..c2bdffe 100644
>> --- a/ui/pages/spice.html.tmpl
>> +++ b/ui/pages/spice.html.tmpl
>> @@ -64,6 +64,7 @@
>> host = getParameter("listen");
>> port = getParameter("port");
>> token = getParameter("token");
>> + password = getParameter("password")
>> document.getElementById("host").value = host;
>> document.getElementById("port").value = port;
>> if ((!host) || (!port)) {
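
Review bot: `password = getParameter("password")` takes the console password from the page URL, which leaves it in browser history and in any log or Referer header that records the full URL. Consider having this page read the `ticketVM` cookie itself instead of receiving the value as a query parameter. The added line also lacks the trailing semicolon that the neighbouring assignments have.
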
>> @@ -82,7 +83,7 @@
>> screen_id : "spice-screen",
>> dump_id : "debug-div",
>> message_id : "message-div",
>> - password : "",
>> + password : password,
>> onerror : spice_error
>> });
>> } catch (e) {
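
Review bot: `password : password,` replaces the former empty-string default with whatever `getParameter("password")` returned, so when the URL carries no `password` parameter the connection may now be given a null or undefined value instead of `""`. An explicit fallback such as `password : password || "",` keeps the old behaviour for a VM without a ticket.
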
>> diff --git a/ui/pages/websockify/console.html 
>> b/ui/pages/websockify/console.html
>> index a536e38..7706074 100644
>> --- a/ui/pages/websockify/console.html
>> +++ b/ui/pages/websockify/console.html
>> @@ -16,6 +16,11 @@
>> var url = "https://" + location.hostname + ":" + kimchi_port + "/";
>> url += path + query
>>
>> + var cookieRe = new RegExp(';?\\\s*(ticketVM)=(\s*[^;]*);?', 'g');
>> + var match = cookieRe.exec(document.cookie);
>> + var ticket = match ? decodeURIComponent(match[2]) : undefined;
>> + url += ticket ? "&password=" + ticket : '';
>> +
>> window.location.replace(url)
>> }
>> </script>
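
Review bot: In `url += ticket ? "&password=" + ticket : '';` the value has just been passed through `decodeURIComponent` and is appended without `encodeURIComponent`, so a ticket containing `&`, `#`, `+` or `%` will corrupt the query string or arrive altered; the `&` prefix also assumes `query` is already non-empty. In the `RegExp` string the second `\s` has a single backslash and so becomes a literal `s` in the pattern, unlike the first one, and the optional `;?\s*` prefix lets the pattern match a cookie whose name merely ends in `ticketVM`. The `'g'` flag is not needed for a single `exec`.
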
>


-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center
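
An added sketch of the tag check and expiring token proposed in points 1 and 3 of the quoted message; it is not code from this thread or from Kimchi. The class name, the 30-second lifetime and the `authorized_users` set are assumptions, and `redeem()` would be called by whichever server accepts the console connection.

```python
import secrets
import time


class ConsoleTokenStore:
    """Single-use, short-lived tokens binding one user to one VM console."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._tokens = {}  # token -> (user, vm, expires_at)

    def issue(self, user, vm, authorized_users):
        # Point 1: only users tagged as authorized for the VM get a token.
        if user not in authorized_users:
            raise PermissionError("%s is not authorized for %s" % (user, vm))
        now = self._clock()
        # Drop tokens that expired without ever being redeemed.
        self._tokens = {t: e for t, e in self._tokens.items() if e[2] > now}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, vm, now + self._ttl)
        return token

    def redeem(self, token, user, vm):
        # Point 3: pop() makes the token single-use, so a copied URL that is
        # replayed after the first connection attempt is rejected.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        t_user, t_vm, expires_at = entry
        if self._clock() > expires_at:
            return False
        # The token is valid only for the user and VM it was issued to.
        return t_user == user and t_vm == vm


def demo():
    now = [0.0]  # constructed fake clock so expiry can be shown offline
    store = ConsoleTokenStore(ttl_seconds=30, clock=lambda: now[0])
    acl = {"alice"}  # constructed sample: users tagged on VM "vm1"
    token = store.issue("alice", "vm1", acl)
    first = store.redeem(token, "alice", "vm1")
    replay = store.redeem(token, "alice", "vm1")
    late_token = store.issue("alice", "vm1", acl)
    now[0] += 31
    expired = store.redeem(late_token, "alice", "vm1")
    return first, replay, expired
```

A failed redemption also consumes the token, so a guess or a mismatched user cannot be retried against the same value.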
