Francesco Romani has posted comments on this change.

Change subject: core, engine: servlet to support the console proxy
......................................................................


Patch Set 27:

(1 comment)

https://gerrit.ovirt.org/#/c/35887/27/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetAllVmsForAnotherUserQuery.java
File 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetAllVmsForAnotherUserQuery.java:

Line 19:     protected void executeQueryCommand() {
Line 20:         List<VM> vmsList = 
getDbFacade().getVmDao().getAllForUser(getParameters().getId());
Line 21: 
Line 22:         getQueryReturnValue().setReturnValue(vmsList);
Line 23:     }
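Review bot: line 20 passes getParameters().getId() straight to getAllForUser() and line 22 returns the result, with no check in executeQueryCommand() on who is issuing the query. Any caller able to run this query can list the VMs of an arbitrary user id. Restrict execution to the intended caller inside the query itself rather than relying only on how the ticket key is protected, and state that precondition in the class documentation.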
> Yes, I realized this is wrong for this exact reason you outlined.
I reviewed the flow, and indeed this query should run only if a user 
successfully authenticated, using the keys stored in Engine and retrieved with 
the other query.

Now, the question (hopefully? :)) narrows down to:
- how to make sure that this query is run _only_ in this case?

The process(es) which do(es) these queries has uid/gid=ovirt-vmconsole; the 
queries are sent inside a ticket which is issued with a special-purpose key 
set up with the followup patch; perhaps it is sufficient to make sure that the 
owner/permissions of these keys are set in a way that only the ovirt-vmconsole 
user can access them.


-- 
To view, visit https://gerrit.ovirt.org/35887
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I53c721da21cefcf4069d14c7016b6f7d97f9eac9
Gerrit-PatchSet: 27
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Vitor de Lima <vdel...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Arik Hadas <aha...@redhat.com>
Gerrit-Reviewer: Eli Mesika <emes...@redhat.com>
Gerrit-Reviewer: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Omer Frenkel <ofren...@redhat.com>
Gerrit-Reviewer: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: Roy Golan <rgo...@redhat.com>
Gerrit-Reviewer: Shahar Havivi <shav...@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <wallaroo1...@gmail.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
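
The owner/permissions condition suggested in the comment above can be audited with a script like the following. This is an added example, not part of the original message or of oVirt; `check_key_access` and the key path in the usage comment are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: verify that a private key file is accessible only to one
# service account. check_key_access is a hypothetical helper (GNU stat assumed).
# Usage (placeholder path): check_key_access /path/to/ticket-key ovirt-vmconsole

check_key_access() {
    key=$1
    owner=$2
    rc=0

    # Refuse symlinks: the permissions checked must belong to the key itself.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file" >&2
        return 1
    fi

    actual_owner=$(stat -c '%U' "$key")
    mode=$(stat -c '%a' "$key")

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $key owned by $actual_owner, expected $owner" >&2
        rc=1
    fi

    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00|0) ;;
        *) echo "FAIL: $key mode $mode grants group/other access" >&2
           rc=1 ;;
    esac

    # A group- or world-writable parent directory lets another account
    # replace the key file even when the file mode itself is strict.
    dir=$(dirname -- "$key")
    dir_mode=$(stat -c '%a' "$dir")
    case $dir_mode in
        *[2367]?|*[2367])
            echo "FAIL: $dir mode $dir_mode is group/other writable" >&2
            rc=1 ;;
    esac

    return $rc
}
```

File permissions only constrain which local account can read the key; they do not limit what the query returns once a ticket issued with that key is accepted.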
