On Sat, Oct 27, 2018 at 6:14 AM Anastasiya Ruzhanskaya < [email protected]> wrote:
> I just need to make an overlay on this system as in our organization it will be more problematic to certify the whole ovirt than our tool for calls filtering. Just the organizational reason. Also we want to use an attribute based model.

I still fail to understand why you need network level filtering. The structure of your organization should be modeled using permissions. Which calls/functionality is problematic?

> Thu, Oct 25, 2018 at 23:02, Piotr Kliczewski <[email protected]>:
>
>> On Thu, Oct 25, 2018 at 10:10 AM Anastasiya Ruzhanskaya <[email protected]> wrote:
>>
>>> Ok, I understood. Thank you for the information. And could you please somehow comment on the approach with error sending which I described in a previous email?
>>
>> I am not sure what would be the correct error to return here since every error has a meaning for engine. For some we fail the action but for others we attempt to retry, fix the issue by soft fencing the host.
>>
>> Can you share with me what you are missing from the current authorization model so you need to filter the calls?
>>
>>> Thursday, October 25, 2018, user Piotr Kliczewski wrote:
>>>
>>>> Thu, Oct 25, 2018, 06:32, user Anastasiya Ruzhanskaya <[email protected]> wrote:
>>>>
>>>>> Also in official docs of oVirt it is written that xml rpc is used. For example here: https://ovirt.org/documentation/architecture/architecture/
>>>>> So, this is incorrect info, right?
>>>>
>>>> This doc seems not to be up to date for quite some time. Now we use jsonrpc over stomp.
>>>>
>>>>> Thu, Oct 25, 2018 at 7:28, Anastasiya Ruzhanskaya <[email protected]>:
>>>>>
>>>>>> In virt-manager for the same purpose there was an option to send error messages with help of mitmproxy. I modified a little bit this proxy to be able to use it with any tcp connection.
>>>>>> And this error message was correctly processed.
>>>>>> But the amount of source code for analysis in that case was rather small and I found rather quickly how error messages should be sent and encoded in rpc.
>>>>>>
>>>>>> Is there any possibility like this here?
>>>>>>
>>>>>> Thu, Oct 25, 2018 at 0:47, Piotr Kliczewski <[email protected]>:
>>>>>>
>>>>>>> On Wed, Oct 24, 2018 at 9:34 PM Anastasiya Ruzhanskaya <[email protected]> wrote:
>>>>>>>
>>>>>>>> My proxy is based on mitmproxy, so I want to analyze messages coming from client to ovirt-engine or from engine to node and based on the content permit the actions or not. I know that there is access control inside oVirt, but I need to implement the similar thing by myself using proxy. From ovirt-engine to vdsm it is trickier as there I have no users and session ids to identify the actor, I can determine only actions.
>>>>>>>
>>>>>>> By using engine or vdsm certs you could decrypt the traffic. How would you prevent a command from being executed? If you drop packet(s) the engine would attempt to retry or consider vdsm to be down/dead. In either case engine would be confused.
>>>>>>> I would not recommend such an approach because it may prevent you from using oVirt or break it.
>>>>>>>
>>>>>>>> But anyway, I can decipher normal rpc (for virt-manager), got familiar with gwt-rpc (client-engine) and now trying to understand what is happening with xml rpc.
>>>>>>>
>>>>>>> As Nir mentioned we establish tcp connection and send jsonrpc over stomp.
>>>>>>>
>>>>>>>> Wed, Oct 24, 2018 at 21:41, Nir Soffer <[email protected]>:
>>>>>>>>
>>>>>>>>> On Wed, 24 Oct 2018, 18:51 Anastasiya Ruzhanskaya, <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I need this for my proxy,
>>>>>>>>>
>>>>>>>>> What is your proxy?
>>>>>>>>>
>>>>>>>>>> I need to do this analysis "online", not just by analyzing the logs after the action happened.
>>>>>>>>>>
>>>>>>>>>> Wed, Oct 24, 2018 at 19:00, Nir Soffer <[email protected]>:
>>>>>>>>>>
>>>>>>>>>>> On Wed, 24 Oct 2018, 13:16 Anastasiya Ruzhanskaya, <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello!
>>>>>>>>>>>> I was successful in deciphering the traffic between the client and ovirt-engine,
>>>>>>>>>>>
>>>>>>>>>>> Why do you need to do this? It is easier to add logging to vdsm if you want to see more info about the messages.
>>>>>>>>>>>
>>>>>>>>>>> Anyway Piotr may help.
>>>>>>>>>>>
>>>>>>>>>>> Nir
>>>>>>>>>>>
>>>>>>>>>>>> actually, only by dumping the premaster key from the browser, which was generated during the session and providing it to wireshark.
>>>>>>>>>>>>
>>>>>>>>>>>> How can it be done for ovirt-engine and vdsm communication? Should the engine private key be provided? Actually to my surprise I don't see any ssl communication between engine and node when for example turn on the virtual machine, only tcp packets. But this page https://ovirt.org/develop/release-management/features/infra/pki/ states that there should be one. And also should I look for any xml rpc dissector? I know that for example virt-manager uses rpc protocol, I found a dissector for that case, but seems I need another one here.
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Devel mailing list -- [email protected]
>>>>>>>>>>>> To unsubscribe send an email to [email protected]
>>>>>>>>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>>>>>>>>>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>>>>>>>>>>> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/HJOBKO5MOF56NFEXX6Z2T7RBTFX6OACP/
_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/NNSCTOLXBTK4SQI2BWAYAEJYM7JFG6QX/
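
The thread establishes that engine-to-vdsm traffic is JSON-RPC carried in STOMP frames. The following is an added example, not part of the thread and not oVirt code: a passive dissector that splits already-decrypted bytes into STOMP frames and summarises the JSON-RPC messages for audit logging, without altering the stream. It assumes standard STOMP 1.2 framing with LF line endings and JSON-RPC 2.0 bodies; the destination and method names in the sample are constructed placeholders.

```python
import json
import re

# STOMP 1.2 header escapes; any other backslash sequence raises KeyError.
ESCAPES = {"\\n": "\n", "\\r": "\r", "\\c": ":", "\\\\": "\\"}

def unescape_header(text):
    return re.sub(r"\\(.)", lambda m: ESCAPES[m.group(0)], text)

def parse_frames(buf):
    """Return (frames, leftover); leftover holds an incomplete trailing frame."""
    frames = []
    while True:
        buf = buf.lstrip(b"\n")                      # heart-beat newlines
        head_end = buf.find(b"\n\n")
        if head_end < 0:
            return frames, buf
        command, *lines = buf[:head_end].decode("utf-8").split("\n")
        headers = {}
        for line in lines:
            key, _, value = line.partition(":")
            # On repeated headers the first occurrence wins (STOMP 1.2).
            headers.setdefault(unescape_header(key), unescape_header(value))
        start = head_end + 2
        length = headers.get("content-length")       # if set, body may hold NULs
        end = start + int(length) if length else buf.find(b"\x00", start)
        if end < 0 or end >= len(buf):
            return frames, buf                       # body not fully received
        if buf[end] != 0:
            raise ValueError("frame not NUL-terminated at content-length")
        frames.append((command, headers, buf[start:end]))
        buf = buf[end + 1:]

def audit_records(buf):
    """Summarise JSON-RPC requests and replies carried in SEND/MESSAGE frames."""
    records = []
    for command, headers, body in parse_frames(buf)[0]:
        if command not in ("SEND", "MESSAGE"):
            continue
        payload = json.loads(body)                   # raises on a non-JSON body
        for msg in payload if isinstance(payload, list) else [payload]:
            if isinstance(msg, dict):                # list = JSON-RPC batch
                records.append({"destination": headers.get("destination"),
                                "method": msg.get("method"), "id": msg.get("id"),
                                "failed": "error" in msg})
    return records

# Constructed sample: one complete request followed by a partial frame.
BODY = b'{"jsonrpc":"2.0","method":"Example.method","params":{},"id":"1"}'
SAMPLE = b"SEND\ndestination:/example/q\ncontent-length:%d\n\n%s\x00SEND\ndest" % (len(BODY), BODY)
```

Feeding `leftover` back in front of the next TCP read keeps the dissector aligned across segment boundaries.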
