)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d0562a26e116ed40afb0ba81ad729514ad929fe3","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     zhangbailin \u003czhangbailin@inspur.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2020-02-14 23:56:54 +0800"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Proposal for a safer noVNC console with password authentication"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"The feature aims at providing a safer remote console with password"},{"line_number":10,"context_line":"authentication. End users can set console password for their instances."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":27,"id":"3fa7e38b_d2b68e26","line":7,"range":{"start_line":7,"start_character":1,"end_line":7,"end_character":63},"updated":"2020-02-14 15:59:16.000000000","message":"you need to change this title","commit_id":"48d5a1cdc3ad223024bfe2bd3d9d69128c4195f3"}],"specs/stein/approved/nova-support-webvnc-with-password-anthentication.rst":[{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Implement a safer noVNC console with password authentication."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_0dcac245","line":24,"updated":"2018-12-11 01:39:03.000000000","message":"I think here you need to describe 
in more detail the shortcomings of the current \"noVNC\", so that the reviewer can understand the current phenomenon of \u0027noVNC\u0027 more clearly.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Implement a safer noVNC console with password authentication."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_c1fa6d73","line":24,"in_reply_to":"3f79a3b5_0dcac245","updated":"2019-04-09 22:56:37.000000000","message":"+1. I assume the current situation is that anyone who uses the VNC console link will be connected to the instance, no password required. It would be helpful to explain the current behavior in this spec.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"A safer noVNC console will benefit End User. 
And impacts on Developer"},{"line_number":31,"context_line":"/Deployer are as follows in #Documentation Impact# section."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_a14081a3","line":31,"updated":"2019-04-09 22:56:37.000000000","message":"Here you should elaborate a bit about what is the current behavior and safety of the noVNC console and what the new behavior would be and how it benefits the user.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"* Changes will be patched to python-novaclient `nova boot` subcommand"},{"line_number":37,"context_line":"  to support `--vnc-password` option. 
Note that, considering not to"},{"line_number":38,"context_line":"  affect present nova api and data models, the value will be passed to"},{"line_number":39,"context_line":"  nova api via metadata of instance(as an expedient measure and will be"},{"line_number":40,"context_line":"  poped later)"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc"},{"line_number":43,"context_line":"  password` from metadata (2) reject the request if nova-api detects"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_cd87eab3","line":40,"range":{"start_line":36,"start_character":0,"end_line":40,"end_character":14},"updated":"2018-12-11 01:39:03.000000000","message":"The change of the novaclient should be after ``nova-api``, ``nova-compute``, I think you can move this to line:53.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":59,"context_line":"Data model impact"},{"line_number":60,"context_line":"-----------------"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"None"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"REST API impact"},{"line_number":65,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_c1890dca","line":62,"range":{"start_line":62,"start_character":0,"end_line":62,"end_character":4},"updated":"2019-04-09 22:56:37.000000000","message":"If you are proposing to add vnc password to the request_spec, that would be data model impact that you would need to describe here.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie 
witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":64,"context_line":"REST API impact"},{"line_number":65,"context_line":"---------------"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"None"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Security impact"},{"line_number":70,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_e1ff6931","line":67,"range":{"start_line":67,"start_character":0,"end_line":67,"end_character":4},"updated":"2019-04-09 22:56:37.000000000","message":"If you are proposing a new vnc password request parameter to the create server API, you will have REST API impact that you need to describe here. Adding the parameter would require a new API microversion:\n\nhttps://docs.openstack.org/nova/latest/contributor/microversions.html","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":69,"context_line":"Security impact"},{"line_number":70,"context_line":"---------------"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"None"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Notifications impact"},{"line_number":75,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_a1a3a142","line":72,"range":{"start_line":72,"start_character":0,"end_line":72,"end_character":4},"updated":"2019-04-09 22:56:37.000000000","message":"If this change improves vnc console security, it should be described 
here.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":82,"context_line":"It does have impacts on end users:"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"* When booting instance with web GUI, extra `vnc password`"},{"line_number":85,"context_line":"  option will be prompted for input(it\u0027s optional)."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"* Cloud operators will be provided with extra `--vnc-password`"},{"line_number":88,"context_line":"  option (it\u0027s optional) when booting instance with nova/open"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_6db0168d","line":85,"range":{"start_line":85,"start_character":35,"end_line":85,"end_character":36},"updated":"2018-12-11 01:39:03.000000000","message":"Add a space.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":82,"context_line":"It does have impacts on end users:"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"* When booting instance with web GUI, extra `vnc password`"},{"line_number":85,"context_line":"  option will be prompted for input(it\u0027s optional)."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"* Cloud operators will be provided with extra `--vnc-password`"},{"line_number":88,"context_line":"  option (it\u0027s optional) when booting instance with 
nova/open"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_2da69e56","line":85,"range":{"start_line":85,"start_character":36,"end_line":85,"end_character":37},"updated":"2018-12-11 01:39:03.000000000","message":"It\u0027s","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  option will be prompted for input(it\u0027s optional)."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"* Cloud operators will be provided with extra `--vnc-password`"},{"line_number":88,"context_line":"  option (it\u0027s optional) when booting instance with nova/open"},{"line_number":89,"context_line":"  stack CLI."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Performance Impact"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_8d5c9258","line":88,"range":{"start_line":88,"start_character":10,"end_line":88,"end_character":14},"updated":"2018-12-11 01:39:03.000000000","message":"It\u0027s","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":102,"context_line":"instance creation requests with `vnc_password` in body, it"},{"line_number":103,"context_line":"also knows whether to reject or not."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  .. 
code-block:: ini"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"     [vnc]"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_5017ed42","line":105,"range":{"start_line":105,"start_character":4,"end_line":105,"end_character":5},"updated":"2018-12-11 01:39:03.000000000","message":"Please remove the redundant space, otherwise an exception will occur after the document is output.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd5eaea0fc32b65a046407da8fed2b3440ce4e80","unresolved":false,"context_lines":[{"line_number":152,"context_line":"  mediator between client and vnc server, though noVNC client"},{"line_number":153,"context_line":"  provides native support for `vnc.AuthType.VNC` with password"},{"line_number":154,"context_line":"  security handshake handle) and `security handshake` (no-ops,"},{"line_number":155,"context_line":"  leave noVNC/websockify to do the stuff)."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"Dependencies"},{"line_number":158,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_a1516132","line":155,"updated":"2019-04-09 22:56:37.000000000","message":"Is there some documentation about the vnc auth type that you can include in the references section? 
And why is it needed in addition to the vencrypt scheme?","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":170,"context_line":"* `Operation Guide` needs some updates, in #User-Facing Operations#"},{"line_number":171,"context_line":"  section.The feature requires openstack CLI to specify an extra"},{"line_number":172,"context_line":"  property `vnc password` when booting new instance. `vnc_password`"},{"line_number":173,"context_line":"  can serve as a reserved property,new CLI may look like this:"},{"line_number":174,"context_line":"  .. code-block::"},{"line_number":175,"context_line":"     $ openstack server create --image\u003dtest-image --flavor\u003d1 \\"},{"line_number":176,"context_line":"                               --property vnc_password\u003d\u0027inspur@123\u0027"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_103ad5c3","line":173,"updated":"2018-12-11 01:39:03.000000000","message":"You should add a blank line after this line.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":171,"context_line":"  section.The feature requires openstack CLI to specify an extra"},{"line_number":172,"context_line":"  property `vnc password` when booting new instance. `vnc_password`"},{"line_number":173,"context_line":"  can serve as a reserved property,new CLI may look like this:"},{"line_number":174,"context_line":"  .. 
code-block::"},{"line_number":175,"context_line":"     $ openstack server create --image\u003dtest-image --flavor\u003d1 \\"},{"line_number":176,"context_line":"                               --property vnc_password\u003d\u0027inspur@123\u0027"},{"line_number":177,"context_line":"                               ... demo"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_d02a1d77","line":174,"range":{"start_line":174,"start_character":4,"end_line":174,"end_character":5},"updated":"2018-12-11 01:39:03.000000000","message":"Please remove the redundant space, otherwise an exception will occur after the document is output.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":184,"context_line":"* `API Guides` needs no updates. However, some texts should be posted"},{"line_number":185,"context_line":"  to notify developers about how to benefit from this feature when"},{"line_number":186,"context_line":"  booting new instance:"},{"line_number":187,"context_line":"  .. 
code-block::"},{"line_number":188,"context_line":"     Request:"},{"line_number":189,"context_line":"     {"},{"line_number":190,"context_line":"       \"server\": {"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_906fc5c5","line":187,"range":{"start_line":187,"start_character":4,"end_line":187,"end_character":5},"updated":"2018-12-11 01:39:03.000000000","message":"ditto.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7a2ef73ac95ede6ad38617f7693cf13f8c5bbf2c","unresolved":false,"context_lines":[{"line_number":201,"context_line":"* `Configuration Reference`\u0026`Deployment Guides` need some updates."},{"line_number":202,"context_line":"  A change in nova.conf to enable rfb.VNC auth scheme is added (nova"},{"line_number":203,"context_line":"  -novncproxy cares)."},{"line_number":204,"context_line":"  .. code-block::"},{"line_number":205,"context_line":"     [vnc]"},{"line_number":206,"context_line":"     ..."},{"line_number":207,"context_line":"     auth_schemes \u003d none,vnc,vencrypt"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_1063b5df","line":204,"range":{"start_line":204,"start_character":4,"end_line":204,"end_character":5},"updated":"2018-12-11 01:39:03.000000000","message":"ditto.","commit_id":"6602df7a5779333501cda377b5101e3fd13a93e4"}],"specs/train/approved/nova-support-webvnc-with-password-anthentication.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost 
the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"},{"line_number":19,"context_line":"that require password authentication ."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_d2caa06c","line":19,"updated":"2019-07-26 23:54:24.000000000","message":"Note to reviewers: without this kind of proposed password behavior, if the user of a vnc console forgets to logout of the OS before closing their vnc console, any person with the console access url will be able to access the already-logged-in OS without any additional auth.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"07366ca0c19c269178a6b4934eb29ef9ff82d212","unresolved":false,"context_lines":[{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"},{"line_number":19,"context_line":"that require password authentication ."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_7d4c9f75","line":19,"in_reply_to":"7faddb67_d2caa06c","updated":"2019-08-16 07:53:20.000000000","message":"yes, and issue https://bugs.launchpad.net/nova/+bug/1447679 \nshows the same concern.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie 
witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc"},{"line_number":43,"context_line":"  password` from metadata (2) reject the request if nova-api detects"},{"line_number":44,"context_line":"  that `vnc password` feature not enabled after checking nova.conf ,but"},{"line_number":45,"context_line":"  `vnc_password` parameter provided. (3) get `vnc password` populated in"},{"line_number":46,"context_line":"  some persistent object that\u0027s accessible to nova-compute later."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_72488ccb","line":44,"range":{"start_line":44,"start_character":42,"end_line":44,"end_character":66},"updated":"2019-07-26 23:54:24.000000000","message":"To be clear, what config option are you thinking about here? The auth_schemes option? Noting that nova-api does not itself use the auth_schemes option, it is used by the nova-novncproxy service only.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"07366ca0c19c269178a6b4934eb29ef9ff82d212","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc"},{"line_number":43,"context_line":"  password` from metadata (2) reject the request if nova-api detects"},{"line_number":44,"context_line":"  that `vnc password` feature not enabled after checking nova.conf ,but"},{"line_number":45,"context_line":"  `vnc_password` parameter provided. 
(3) get `vnc password` populated in"},{"line_number":46,"context_line":"  some persistent object that\u0027s accessible to nova-compute later."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_5df3e309","line":44,"range":{"start_line":44,"start_character":42,"end_line":44,"end_character":66},"in_reply_to":"7faddb67_72488ccb","updated":"2019-08-16 07:53:20.000000000","message":"It\u0027s switch-option stuff, e.g: support_vnc_password \u003d [true/false]; \nOf course, this option will be documented in Configuration Guide, and the option help message will tell cloud administrators that novncproxy\u0027s `auth_schemes` is `releated option`: to make the feature function well, the options should work together.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  password` from metadata (2) reject the request if nova-api detects"},{"line_number":44,"context_line":"  that `vnc password` feature not enabled after checking nova.conf ,but"},{"line_number":45,"context_line":"  `vnc_password` parameter provided. 
(3) get `vnc password` populated in"},{"line_number":46,"context_line":"  some persistent object that\u0027s accessible to nova-compute later."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"* Changes will be patched to nova-compute to recongnize `vnc password`"},{"line_number":49,"context_line":"  and use it for libvirt XML (graphic defination) assembling."}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_9272e848","line":46,"updated":"2019-07-26 23:54:24.000000000","message":"I think we will not want to make the \u0027vnc password\u0027 feature configurable via config option because that is not good for interoperability and consistency among openstack clouds. Instead, the way we encourage to do this is to create a policy rule that will control whether the \u0027vnc password\u0027 is supported.\n\nBut, I want to ask, what determines whether \u0027vnc password\u0027 is available? Does it require a minimum Libvirt and/or QEMU version? Is it something that can be checked from the libvirt driver? If so, we might have the possibility to check whether the driver supports it when we call nova-compute synchronously during the get_vnc_console compute API call. That would be a dynamic way to find out support vs no support.\n\nIf it is not purely a matter of driver support and is also something an operator would like to configure, then we would want to go with the policy rule in addition.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"93e54a1ca1758a7e557cdbbeab1f2b708bc66cfa","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  password` from metadata (2) reject the request if nova-api detects"},{"line_number":44,"context_line":"  that `vnc password` feature not enabled after checking nova.conf ,but"},{"line_number":45,"context_line":"  `vnc_password` parameter provided. 
(3) get `vnc password` populated in"},{"line_number":46,"context_line":"  some persistent object that\u0027s accessible to nova-compute later."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"* Changes will be patched to nova-compute to recongnize `vnc password`"},{"line_number":49,"context_line":"  and use it for libvirt XML (graphic defination) assembling."}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_3dd86750","line":46,"in_reply_to":"7faddb67_9272e848","updated":"2019-08-16 09:04:12.000000000","message":"1. As far as i know `policy rule`, it\u0027s about RBAC (nova.policy). Is there any docs (or files, cases) about policy usage of enable/disable features ?\n\n2. Libvirt 0.9.3+ will be alright. See https://libvirt.org/formatdomain.html#elementsGraphics ; \n\n3. About libvirt/qemu version check, if this feature is enable by switch-option or policy rule as mentioned above,compute driver need to compare current libvirt version with required minimum version, something like this:\n\n\u0027\u0027\u0027\nrequired_min_version \u003d (0, 9, 3)\nif current_version \u003c required_min_version:\n    raise exception.UnsupportedVersion()\n\u0027\u0027\u0027\n\n4. Note, instances with vnc password can co-exist with ones without vnc password(I will explain the reason in following texts), and the get-vnc-console action is not affected by this feature. 
Hypervisor version validations only happen when compute-service boots new instances (in which case, graphics-related libvirt XML will be generated).","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":49,"context_line":"  and use it for libvirt XML (graphic defination) assembling."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* Changes will be patched to nova-novncproxy to support rfb.VNC auth"},{"line_number":52,"context_line":"  scheme."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to python-novaclient `nova boot` subcommand"},{"line_number":55,"context_line":"  to support `--vnc-password` option. Note that, considering not to"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_75763609","line":52,"updated":"2019-07-26 23:54:24.000000000","message":"Can you please add some explanation to the spec about how the new auth scheme is related to adding the password support?\n\nI do not know very much about this, but my understanding is the already existing vencrypt scheme can encrypt the communications from the nova-novncproxy service to the guest vnc console. And the addition of password support should be only a matter of adding the relevant XML into the libvirt guest \u003cgraphics\u003e config. How is the rfb.VNC auth scheme related to this? 
An explanation about this will be helpful to the spec.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"883373d9c59a5a2756f76284dc846b4610a3f339","unresolved":false,"context_lines":[{"line_number":49,"context_line":"  and use it for libvirt XML (graphic defination) assembling."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* Changes will be patched to nova-novncproxy to support rfb.VNC auth"},{"line_number":52,"context_line":"  scheme."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to python-novaclient `nova boot` subcommand"},{"line_number":55,"context_line":"  to support `--vnc-password` option. Note that, considering not to"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_23d92482","line":52,"in_reply_to":"7faddb67_75763609","updated":"2019-08-16 10:56:53.000000000","message":"1. About RFB security handshake, see section 7.1 in doc https://tools.ietf.org/html/rfc6143\n\n2. I will explain how novncproxy works in two steps: \n\na. components of nova-novncproxy:\n(1) websockify: See https://github.com/novnc/websockify\n(2) novnc: Html5 vnc client with websocket support.\n(3) RFB version\u0026security handshake negotiation framework: As mediator between novnc client(browser) and vnc server(in compute nodes), It negotiates with novnc as `vnc server` to get RFB protocol version and security types(none, vnc, vencrypt and so on)suprorted by client, and negotiates with vnc server(of some instance) to get the same infomation, then make two sides reach a consensus on RFB version and Security Type.\n\nWhen endpoint user visits guest desktop via console url, novncproxy will check if this security type is in support list(i.e: CONF.vnc.auth_scemes) and if there exists corresponding SecurityHandshake handler. 
\n\nIf the requirements above are all satisfied,novncproxy loads corresponding RFB SecurityHandShake handler by security type, then handler will takes over security handshake jobs. If handshake succeeds, endpoint user can access guest desktop. Otherwise, it drop requests.\n\nb. how it works:\nLet\u0027s take `vencrypt` as an example, the loaded security handshake handler will check security type subversion, SSL items, and wrap a SSLSocket. See module `nova.console.rfb.authvencrypt` for details.\n\n3. If a instance is booted with vnc password, the compute service will launched a VNC service(listening \u003cnode ip\u003e:59XX) for the guest only supporting `vnc` security type. When endpoint user visit this guest, novncproxy knows that security type `vnc` will be OK for both sides.However, `vnc` is not in `CONF.vnc.auth_scemes` and security handshake handler not implemented for now.\n\nImplementing the handler, and adding `vnc` to auth_schemes list will be part of the work to implement the feature.\n\n4. Does novnc project supports VNC security type and can novncproxy work well ? Yes! \n\nSee https://github.com/novnc/noVNC/blob/master/vnc.html (keywords: `noVNC_password_input`). \n\nAnd this feature has been proven in our cloud products (Inspur Inc).","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"ae234f2b702c5c0abd934ff06bb0cda40be418c5","unresolved":false,"context_lines":[{"line_number":104,"context_line":"New `vnc` option is added to auth_schemes list in `vnc`"},{"line_number":105,"context_line":"segment in `nova.conf`. This allows nova-novncproxy to"},{"line_number":106,"context_line":"detect and load rfb.VNC auth scheme. 
When nova-api receives"},{"line_number":107,"context_line":"instance creation requests with `vnc_password` in body, it"},{"line_number":108,"context_line":"also knows whether to reject or not."},{"line_number":109,"context_line":".. code-block:: ini"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  [vnc]"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_ae3bbb99","line":108,"range":{"start_line":107,"start_character":54,"end_line":108,"end_character":36},"updated":"2019-08-16 11:37:27.000000000","message":"As melanie witt advised, leave this option used only by the novncproxy service. nova-api can detect the `vnc password` capability via a new switch option or policy rule.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":109,"context_line":".. 
code-block:: ini"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  [vnc]"},{"line_number":112,"context_line":"  auth_schemes \u003d none,vnc,vencrypt"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Developer impact"},{"line_number":115,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_72dacc17","line":112,"updated":"2019-07-26 23:54:24.000000000","message":"++ thank you for the clear example.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":139,"context_line":"* nova-api: some codes to validate `vnc password` and get it"},{"line_number":140,"context_line":"  populated in some pesistent object(InstanceMetadata/ReqSpec,"},{"line_number":141,"context_line":"  or something like that). Eventually, nova-compute gets the"},{"line_number":142,"context_line":"  value."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"* nova-compute: some codes to assemble libvirt XML (graphis"},{"line_number":145,"context_line":"  defination with `passwd` option) after checking `vnc password`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_b5558e52","line":142,"updated":"2019-07-26 23:54:24.000000000","message":"Can you add some text here to clarify which API will get the \u0027vnc password\u0027 passed? 
Is it the POST /servers API (create server)?","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"ae234f2b702c5c0abd934ff06bb0cda40be418c5","unresolved":false,"context_lines":[{"line_number":139,"context_line":"* nova-api: some codes to validate `vnc password` and get it"},{"line_number":140,"context_line":"  populated in some pesistent object(InstanceMetadata/ReqSpec,"},{"line_number":141,"context_line":"  or something like that). Eventually, nova-compute gets the"},{"line_number":142,"context_line":"  value."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"* nova-compute: some codes to assemble libvirt XML (graphis"},{"line_number":145,"context_line":"  defination with `passwd` option) after checking `vnc password`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_ee6533b0","line":142,"in_reply_to":"7faddb67_b5558e52","updated":"2019-08-16 11:37:27.000000000","message":"Yes, as section `Documentation Impact` shows.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":151,"context_line":"  mediator between client and vnc server, though noVNC client"},{"line_number":152,"context_line":"  provides native support for `vnc.AuthType.VNC` with password"},{"line_number":153,"context_line":"  security handshake handle) and `security handshake` (no-ops,"},{"line_number":154,"context_line":"  leave noVNC/websockify to do the stuff)."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"* python-novaclient: new `--vnc-password` option and some"},{"line_number":157,"context_line":"  codes processing this value shall be added. 
`vnc password`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_35c75e15","line":154,"updated":"2019-07-26 23:54:24.000000000","message":"Sorry, can you please explain what is the difference between the \u0027vencrypt\u0027 and \u0027vnc\u0027 (vnc.AuthType.VNC) auth_schemes?","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"ae234f2b702c5c0abd934ff06bb0cda40be418c5","unresolved":false,"context_lines":[{"line_number":151,"context_line":"  mediator between client and vnc server, though noVNC client"},{"line_number":152,"context_line":"  provides native support for `vnc.AuthType.VNC` with password"},{"line_number":153,"context_line":"  security handshake handle) and `security handshake` (no-ops,"},{"line_number":154,"context_line":"  leave noVNC/websockify to do the stuff)."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"* python-novaclient: new `--vnc-password` option and some"},{"line_number":157,"context_line":"  codes processing this value shall be added. 
`vnc password`"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_6e84e30b","line":154,"in_reply_to":"7faddb67_35c75e15","updated":"2019-08-16 11:37:27.000000000","message":"As to vencrypt, its handler module mainly checks the SSL items and wraps a secure socket between the vncproxy server and the vnc server (so the channel is protected from being spied on and from illegal access by visiting {Host_IP}:59XX, but it doesn\u0027t help solve the concern in https://bugs.launchpad.net/nova/+bug/1447679).\n\nAnd in my plan, the `vnc` handler module will do the password authentication. It can solve the concern in bug/1447679, though it\u0027s not as safe as vencrypt in securing the channel (however, with the use of the host firewalld service, this will not be a big deal, and of course, that\u0027s another issue)","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":215,"context_line":""},{"line_number":216,"context_line":"    [vnc]"},{"line_number":217,"context_line":"    auth_schemes \u003d none,vnc,vencrypt"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"References"},{"line_number":220,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":221,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_f5e6a6e8","line":218,"updated":"2019-07-26 23:54:24.000000000","message":"I think here is another place that would be good for adding documentation for the new feature:\n\nhttps://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-based-vnc-console","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":28889,"name":"Guo 
Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"ae234f2b702c5c0abd934ff06bb0cda40be418c5","unresolved":false,"context_lines":[{"line_number":215,"context_line":""},{"line_number":216,"context_line":"    [vnc]"},{"line_number":217,"context_line":"    auth_schemes \u003d none,vnc,vencrypt"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"References"},{"line_number":220,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":221,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_8e2a7fe4","line":218,"in_reply_to":"7faddb67_f5e6a6e8","updated":"2019-08-16 11:37:27.000000000","message":"OK, i will carry on.","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fd7a25c73b6cc26530e73a46070930da288abec5","unresolved":false,"context_lines":[{"line_number":226,"context_line":"* https://tools.ietf.org/html/rfc6143"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"* https://en.wikipedia.org/wiki/Virtual_Network_Computing"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"History"},{"line_number":231,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":232,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7faddb67_1538223b","line":229,"updated":"2019-07-26 23:54:24.000000000","message":"++ thank you for helpful doc references","commit_id":"23abd5730d2e95e6b5a62590f3fdbda3e0b62a3a"}],"specs/ussuri/approved/nova-support-webvnc-with-password-anthentication.rst":[{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee 
Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"ab6f2d182e1febbbb150d06d3eee5f7fe05ca5d9","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The feature aims at providing a safer noVNC with password authentication."},{"line_number":14,"context_line":"When end users boot instances, a `vnc password` option is provided to"},{"line_number":15,"context_line":"encrypt novnc console, and note that, this option is optional. Any user"},{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_28ae8a80","line":15,"range":{"start_line":15,"start_character":38,"end_line":15,"end_character":61},"updated":"2019-11-05 10:49:28.000000000","message":"Would it be worth making this configurable? Optional by default but operators could still make it mandatory and enforce the use of these additional VNC passwords?","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"a309296f2f2cb47e7104ea07a2c790a20e296f81","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The feature aims at providing a safer noVNC with password authentication."},{"line_number":14,"context_line":"When end users boot instances, a `vnc password` option is provided to"},{"line_number":15,"context_line":"encrypt novnc console, and note that, this option is optional. 
Any user"},{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_caa0a394","line":15,"range":{"start_line":15,"start_character":38,"end_line":15,"end_character":61},"in_reply_to":"3fa7e38b_28ae8a80","updated":"2019-11-14 03:41:32.000000000","message":"Hi Yarwood, I think you are right. It\u0027s necessary to add extra option (e.g. CONF.api.force_vnc_password\u003d\u003cTrue|False\u003e ) to control whether or not to enforce the use of VNC password.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"ab6f2d182e1febbbb150d06d3eee5f7fe05ca5d9","unresolved":false,"context_lines":[{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter append to the request access_url. 
While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"},{"line_number":30,"context_line":"prevent malicious users from using the instance when failing to pass vnc"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_4883c603","line":27,"range":{"start_line":27,"start_character":22,"end_line":27,"end_character":44},"updated":"2019-11-05 10:49:28.000000000","message":"Potentially not safe depending on how the instance is configured.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"ab6f2d182e1febbbb150d06d3eee5f7fe05ca5d9","unresolved":false,"context_lines":[{"line_number":51,"context_line":"* Changes will be patched to nova-novncproxy to support rfb.VNC auth"},{"line_number":52,"context_line":"  scheme."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to python-novaclient `nova boot` subcommand"},{"line_number":55,"context_line":"  to support `--vnc-password` option. 
Note that, considering not to"},{"line_number":56,"context_line":"  affect present nova api and data models, the value will be passed to"},{"line_number":57,"context_line":"  nova api via metadata of instance(as an expedient measure and will be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_88921e4a","line":54,"range":{"start_line":54,"start_character":29,"end_line":54,"end_character":46},"updated":"2019-11-05 10:49:28.000000000","message":"python-openstackclient as well?","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"a309296f2f2cb47e7104ea07a2c790a20e296f81","unresolved":false,"context_lines":[{"line_number":51,"context_line":"* Changes will be patched to nova-novncproxy to support rfb.VNC auth"},{"line_number":52,"context_line":"  scheme."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to python-novaclient `nova boot` subcommand"},{"line_number":55,"context_line":"  to support `--vnc-password` option. 
Note that, considering not to"},{"line_number":56,"context_line":"  affect present nova api and data models, the value will be passed to"},{"line_number":57,"context_line":"  nova api via metadata of instance(as an expedient measure and will be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_3f12d7b5","line":54,"range":{"start_line":54,"start_character":29,"end_line":54,"end_character":46},"in_reply_to":"3fa7e38b_88921e4a","updated":"2019-11-14 03:41:32.000000000","message":"Done","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"ab6f2d182e1febbbb150d06d3eee5f7fe05ca5d9","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"None"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"},{"line_number":66,"context_line":"-----------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_4898a667","line":66,"range":{"start_line":65,"start_character":0,"end_line":66,"end_character":17},"updated":"2019-11-05 10:49:28.000000000","message":"How and where are we going to securely store the password?","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cbc28a428df7015dd3ac60f1e9922cce185add56","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"None"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model 
impact"},{"line_number":66,"context_line":"-----------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_a515aa9d","line":66,"range":{"start_line":65,"start_character":0,"end_line":66,"end_character":17},"in_reply_to":"3fa7e38b_4898a667","updated":"2019-11-06 21:07:25.000000000","message":"If I understand correctly, the password simply gets passed down to the libvirt driver for inclusion in the domain XML (see the \u0027vnc\u0027 section here):\n\nhttps://libvirt.org/formatdomain.html#elementsGraphics\n\nAnd that is the only place it will be stored (in clear text).\n\nMy understanding is that the vnc password mechanism is meant to be an improvement over no password at all, and is not comprehensively secure.\n\nBut I realize I\u0027m making a lot of assumptions here, and it would be best if this spec were updated to explain the details explicitly.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"a309296f2f2cb47e7104ea07a2c790a20e296f81","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"None"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"},{"line_number":66,"context_line":"-----------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_eadf9f35","line":66,"range":{"start_line":65,"start_character":0,"end_line":66,"end_character":17},"in_reply_to":"3fa7e38b_a515aa9d","updated":"2019-11-14 03:41:32.000000000","message":"Hi Mel, I need to point out that the `clear text` vnc password only appears once when assembling graphics XML to boot a instance. 
Then the password will be securely kept by libvirtd and won\u0027t be displayed in the result of `virsh dumpxml \u003cinstance UUID\u003e` or instance XMLs managed by libvirt/qemu in local filesystem any more.\n\nThanks for your review.  I\u0027ll provide more details to improve the spec.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"e6ce6fdd53bae518a6a86b0c185d16dad0eebaa6","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"None"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"},{"line_number":66,"context_line":"-----------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_d6b977cb","line":66,"range":{"start_line":65,"start_character":0,"end_line":66,"end_character":17},"in_reply_to":"3fa7e38b_a515aa9d","updated":"2019-11-07 09:14:29.000000000","message":"Thanks Mel! Yeah we should really call that out the fact that the password isn\u0027t stored anywhere outside of the domain XML here. 
I find it odd that Libvirt doesn\u0027t accept secrets for the password but that\u0027s a limitation on their side and not with this spec.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"a309296f2f2cb47e7104ea07a2c790a20e296f81","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"None"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"},{"line_number":66,"context_line":"-----------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3fa7e38b_8ac70b65","line":66,"range":{"start_line":65,"start_character":0,"end_line":66,"end_character":17},"in_reply_to":"3fa7e38b_d6b977cb","updated":"2019-11-14 03:41:32.000000000","message":"Thanks for your review. I\u0027ll provide more information to improve the spec.","commit_id":"545bbfd3beec55812fc2c70def0fd117200ef7d6"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"9b450da50d2042d3dfb4478ac1a307e8967b2681","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":44,"context_line":"  `--vnc-password` option. 
Note that, considering not to affect present"},{"line_number":45,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":46,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"},{"line_number":47,"context_line":"  later)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc_"}],"source_content_type":"text/x-rst","patch_set":17,"id":"3fa7e38b_ffca5845","line":46,"range":{"start_line":46,"start_character":2,"end_line":46,"end_character":30},"updated":"2019-12-16 06:46:07.000000000","message":"So do you store this metadata in the db? And can I get that metadata from the Nova API again? If we don\u0027t store it in the db, that is a little strange, and we can update the metadata through the API. If it can be shown again through the metadata API, then the clear text is also a problem. So I\u0027m thinking we just add a new field to the create server API.\n\nOr can we change the password on the fly? If yes, then we can use the existing remote console API.\nI checked the doc; there is an API that looks suitable for that: https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainUpdateDeviceFlags","commit_id":"53f165281b19100870e03041e69359076844cae4"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"3c7950a8c6049428c212a3df9e98eec5b50fb0dc","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":44,"context_line":"  `--vnc-password` option. 
Note that, considering not to affect present"},{"line_number":45,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":46,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"},{"line_number":47,"context_line":"  later)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc_"}],"source_content_type":"text/x-rst","patch_set":17,"id":"3fa7e38b_66947142","line":46,"range":{"start_line":46,"start_character":2,"end_line":46,"end_character":30},"in_reply_to":"3fa7e38b_702427c4","updated":"2020-02-04 08:25:56.000000000","message":"Have great conversation with Jingyu and Brin. I just feel the metadata of instance may not the right place. So i\u0027m looking for whether there is better place to add this feature. The remote console API is what I\u0027m thinking. But yes, both way has pros/cons. Later Brin and Jingyu will bring up an email to look for more suggestion from others.","commit_id":"53f165281b19100870e03041e69359076844cae4"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"3014025a2750548bd99ca247af85577febb8dc1f","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":44,"context_line":"  `--vnc-password` option. 
Note that, considering not to affect present"},{"line_number":45,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":46,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"},{"line_number":47,"context_line":"  later)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* Changes will be patched to nova-api to: (1) pop possible `vnc_"}],"source_content_type":"text/x-rst","patch_set":17,"id":"3fa7e38b_702427c4","line":46,"range":{"start_line":46,"start_character":2,"end_line":46,"end_character":30},"in_reply_to":"3fa7e38b_ffca5845","updated":"2020-02-04 03:50:36.000000000","message":"Hi, Alex. I\u0027d like to take `admin_pass` as an example to implement this spec:\n(1) store the initial `vnc_passwd` just the same way.\n(2) Extra api (e.g: reset-vnc-passwd) will be provided later after the spec to change the password on the fly: libvirt API will be called to update `graphics` element of domain defination.","commit_id":"53f165281b19100870e03041e69359076844cae4"},{"author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"change_message_id":"e10bcbf31225c9d8f64ce8d42f29634e6e3e161c","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The feature aims at providing a safer noVNC with password authentication."},{"line_number":14,"context_line":"When end users boot instances, a `vnc password` option is provided to"},{"line_number":15,"context_line":"encrypt novnc console, and note that, this option is optional. 
Any user"},{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_216dfc99","line":15,"range":{"start_line":15,"start_character":23,"end_line":15,"end_character":61},"updated":"2020-02-04 16:56:51.000000000","message":"\"and note that this is optional.\"","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"138ef72316571a2bfb563151d495f6022fcdead1","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The feature aims at providing a safer noVNC with password authentication."},{"line_number":14,"context_line":"When end users boot instances, a `vnc password` option is provided to"},{"line_number":15,"context_line":"encrypt novnc console, and note that, this option is optional. 
Any user"},{"line_number":16,"context_line":"trying to access the console of instance with `vnc password` will get a"},{"line_number":17,"context_line":"locked window prompting for `vnc password`, and this provides almost the"},{"line_number":18,"context_line":"same experience as using VNC clients (e.g vncviewer) to access vnc servers"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_fa420a67","line":15,"range":{"start_line":15,"start_character":23,"end_line":15,"end_character":61},"in_reply_to":"3fa7e38b_216dfc99","updated":"2020-02-06 11:17:01.000000000","message":"Done","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"change_message_id":"e10bcbf31225c9d8f64ce8d42f29634e6e3e161c","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. 
While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_016240a8","line":25,"range":{"start_line":25,"start_character":60,"end_line":25,"end_character":70},"updated":"2020-02-04 16:56:51.000000000","message":"convenient","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"138ef72316571a2bfb563151d495f6022fcdead1","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. 
While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_ba549224","line":25,"range":{"start_line":25,"start_character":60,"end_line":25,"end_character":70},"in_reply_to":"3fa7e38b_016240a8","updated":"2020-02-06 11:17:01.000000000","message":"Done","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"change_message_id":"e10bcbf31225c9d8f64ce8d42f29634e6e3e161c","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"},{"line_number":30,"context_line":"prevent malicious users from using the instance when failing to pass vnc"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_01e56007","line":27,"range":{"start_line":25,"start_character":72,"end_line":27,"end_character":45},"updated":"2020-02-04 16:56:51.000000000","message":"How would they get the access_url? 
The token is time limited and noVNC can be configured to use HTTPS. How does a password enhance this security?","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"d52e96fccb6ffacaeb59ce1a2f7afb48b0f509bc","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"},{"line_number":30,"context_line":"prevent malicious users from using the instance when failing to pass vnc"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_672a1a98","line":27,"range":{"start_line":25,"start_character":72,"end_line":27,"end_character":45},"in_reply_to":"3fa7e38b_01e56007","updated":"2020-02-05 10:06:58.000000000","message":"Thanks Matthew for you review.\nJust image the cases/people:\na. A designing cloud administrator who is too curious about tenants\u0027 business.\nb. 
Cloud administrator\u0027s desktop is hacked, and console   \n urls of VMs are leaked.\n\nAnd i\u0027ll upload a new patch to fix spelling the mistake.","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"138ef72316571a2bfb563151d495f6022fcdead1","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"},{"line_number":30,"context_line":"prevent malicious users from using the instance when failing to pass vnc"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_2dfcee09","line":27,"range":{"start_line":25,"start_character":72,"end_line":27,"end_character":45},"in_reply_to":"3fa7e38b_01e56007","updated":"2020-02-06 11:17:01.000000000","message":"Thanks Matthew for you review.\nJust imagine the cases:\na. A designing cloud administrator who is too curious about tenants\u0027 business.\nb. 
Cloud administrator\u0027s desktop is hacked, and console urls of VMs are leaked.","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"138ef72316571a2bfb563151d495f6022fcdead1","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. While this is convinient, anyone"},{"line_number":26,"context_line":"who gets the access_url info will have access to operating the instance by the"},{"line_number":27,"context_line":"vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"},{"line_number":30,"context_line":"prevent malicious users from using the instance when failing to pass vnc"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3fa7e38b_cd02fa08","line":27,"range":{"start_line":25,"start_character":72,"end_line":27,"end_character":45},"in_reply_to":"3fa7e38b_672a1a98","updated":"2020-02-06 11:17:01.000000000","message":"Done","commit_id":"3a628476f4c33fa11bf8abb747c568a79c85196f"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against 
nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. While this is convenient, anyone"},{"line_number":26,"context_line":"who (e.g: a cloud administrator with too much curiosity about tenants\u0027"},{"line_number":27,"context_line":"business) gets the access_url info will have access to operating the instance"},{"line_number":28,"context_line":"by the vnc console directly, which is not that safe."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Now an implementation for noVNC console with vnc password authentication will"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_ed752f98","line":27,"range":{"start_line":26,"start_character":5,"end_line":27,"end_character":8},"updated":"2020-02-11 15:38:06.000000000","message":"I think the cloud administrator has the access right to change the libvirt domain definition for any instance so she can change the passwd in the graphic tag as well. So this does not protect from a curious admin. \n\nIt could protect against a case when the access_url + token is published. But it would be nice to describe how that is possible. E.g. the user uses a shared compute with other users and the browser history contains such url? (I\u0027m totally guessing here)","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"190c8b39ec6107c3433c119991a126508d257021","unresolved":false,"context_lines":[{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. 
While this is convenient, anyone"},{"line_number":26,"context_line":"who (e.g: a cloud administrator with too much curiosity about tenants\u0027"},{"line_number":27,"context_line":"business) gets the access_url info will have access to operating the instance"},{"line_number":28,"context_line":"by the vnc console directly, which is not that safe."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Now an implementation for noVNC console with vnc password authentication will"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_db8d5029","line":27,"range":{"start_line":26,"start_character":5,"end_line":27,"end_character":8},"in_reply_to":"3fa7e38b_ed752f98","updated":"2020-02-14 12:43:13.000000000","message":"1. It\u0027s not easy for a curious administrator to spy on tenants\u0027 business without alerting tenants.\nIn this case, a tenant can easily know that the vnc password was hacked by someone else. \n\n2. Sharing computer; Sharing message containing access url among incorrect contact/work groups.","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dad7cd90bfa99dd42d37be4f243d82959381d064","unresolved":false,"context_lines":[{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":24,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":25,"context_line":"parameter appended to the request access_url. 
While this is convenient, anyone"},{"line_number":26,"context_line":"who (e.g: a cloud administrator with too much curiosity about tenants\u0027"},{"line_number":27,"context_line":"business) gets the access_url info will have access to operating the instance"},{"line_number":28,"context_line":"by the vnc console directly, which is not that safe."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Now an implementation for noVNC console with vnc password authentication will"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_0daaee6b","line":27,"range":{"start_line":26,"start_character":5,"end_line":27,"end_character":8},"in_reply_to":"3fa7e38b_ed752f98","updated":"2020-02-12 22:22:27.000000000","message":"I agree that given default conditions with a token auth TTL of 10 minutes [1], the window of danger of leak of access_url + token is pretty small. That is, if the user accidentally exposes the password that exposure lasts for only 10 minutes maximum. But, if the cloud admin has configured a long TTL, any mistake of exposing the access_url + token is going to provide open access for as long as the TTL. 
And there isn\u0027t a way for a user to revoke it other than to delete the instance (or contact their support staff to manually remove the token auth record from the database).\n\nAll that said, I agree this problem description doesn\u0027t seem to be providing much detail about the use case and what scenario is desired to guard against.\n\n[1] https://docs.openstack.org/nova/latest/configuration/config.html#consoleauth.token_ttl","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"* Changes will be patched to python-novaclient (`nova boot` subcommand)"},{"line_number":44,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":45,"context_line":"  `--vnc-password` option. 
Note that, considering not to affect present"},{"line_number":46,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":47,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_f34bcc82","line":44,"range":{"start_line":44,"start_character":31,"end_line":44,"end_character":40},"updated":"2020-02-11 15:38:06.000000000","message":"openstack","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"665b090b28f18165453ca5a2f78c54e136ce1cae","unresolved":false,"context_lines":[{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"* Changes will be patched to python-novaclient (`nova boot` subcommand)"},{"line_number":44,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":45,"context_line":"  `--vnc-password` option. 
Note that, considering not to affect present"},{"line_number":46,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":47,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_9fe28f01","line":44,"range":{"start_line":44,"start_character":31,"end_line":44,"end_character":40},"in_reply_to":"3fa7e38b_f34bcc82","updated":"2020-02-12 09:48:20.000000000","message":"Done","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"* Changes will be patched to python-novaclient (`nova boot` subcommand)"},{"line_number":44,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":45,"context_line":"  `--vnc-password` option. Note that, considering not to affect present"},{"line_number":46,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":47,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"},{"line_number":48,"context_line":"  later)."},{"line_number":49,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_4d9243a2","line":46,"range":{"start_line":45,"start_character":27,"end_line":46,"end_character":27},"updated":"2020-02-11 15:38:06.000000000","message":"Why not? 
I understand that it is then a bigger change but that is the way how we add new boot time parameters to nova.","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dad7cd90bfa99dd42d37be4f243d82959381d064","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"* Changes will be patched to python-novaclient (`nova boot` subcommand)"},{"line_number":44,"context_line":"  and python-openstackclient (`opensatck create` subcommand) to support"},{"line_number":45,"context_line":"  `--vnc-password` option. Note that, considering not to affect present"},{"line_number":46,"context_line":"  nova api and data models, the key/value pair will be passed to nova api"},{"line_number":47,"context_line":"  via the metadata of instance(as an expedient measure) and will be poped"},{"line_number":48,"context_line":"  later)."},{"line_number":49,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_2d9a4a11","line":46,"range":{"start_line":45,"start_character":27,"end_line":46,"end_character":27},"in_reply_to":"3fa7e38b_4d9243a2","updated":"2020-02-12 22:22:27.000000000","message":"Yeah, I would at least like to treat this change similar to how we treat adminPassword [1] which seems like a very similar feature to me. adminPassword is a request parameter for the server create API.\n\nIt also has an API for showing and clearing the password [2] and change it [3]. 
I do recognize though that the ability to show/clear/change vnc password would not fit in easily with the existing APIs as they are all specifically about admin password.\n\nAll this said, I really prefer Alex\u0027s proposal from the ML thread [4] because it addresses the clarity of having an API request parameter and also provides a way for users to change the vnc password if they forget it.\n\n[1] https://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-server-detail#id11\n[2] https://docs.openstack.org/api-ref/compute/?expanded\u003d#servers-password-servers-os-server-password\n[3] https://docs.openstack.org/api-ref/compute/?expanded\u003d#change-administrative-password-changepassword-action\n[4] http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012352.html","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  accessible to nova-compute later."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"* Changes will be patched to nova-compute and libvirt driver to recongnize"},{"line_number":58,"context_line":"  `vnc_password` and use it for libvirt XML (graphic defination) assembling."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Changes will be patched to nova-novncproxy: rfb.VNC auth scheme will be"},{"line_number":61,"context_line":"  added. 
For the fact that project `noVNC` has already provided native support"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_933cd8ea","line":58,"range":{"start_line":58,"start_character":53,"end_line":58,"end_character":63},"updated":"2020-02-11 15:38:06.000000000","message":"definition","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"665b090b28f18165453ca5a2f78c54e136ce1cae","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  accessible to nova-compute later."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"* Changes will be patched to nova-compute and libvirt driver to recongnize"},{"line_number":58,"context_line":"  `vnc_password` and use it for libvirt XML (graphic defination) assembling."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Changes will be patched to nova-novncproxy: rfb.VNC auth scheme will be"},{"line_number":61,"context_line":"  added. For the fact that project `noVNC` has already provided native support"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_bfdd0b40","line":58,"range":{"start_line":58,"start_character":53,"end_line":58,"end_character":63},"in_reply_to":"3fa7e38b_933cd8ea","updated":"2020-02-12 09:48:20.000000000","message":"Done","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  added. 
For the fact that project `noVNC` has already provided native support"},{"line_number":62,"context_line":"  for password authentication(RFB version negotiation, handshakes and password"},{"line_number":63,"context_line":"  authentication), so rfb.VNC can escape from these jobs."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_137788d4","line":64,"updated":"2020-02-11 15:38:06.000000000","message":"So this is a password that can only be set at boot time, cannot be read back and cannot be changed later. What if the user forgets the password? \n\nAlso the password travels through the POST request from the client to the nova-api. So if that is considered secure enough then why don\u0027t we allow reading back the password in GET /servers/{server-uuid} ? In that case the same password would travel in a very similar form in a very similar connection.","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dad7cd90bfa99dd42d37be4f243d82959381d064","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  added. 
For the fact that project `noVNC` has already provided native support"},{"line_number":62,"context_line":"  for password authentication(RFB version negotiation, handshakes and password"},{"line_number":63,"context_line":"  authentication), so rfb.VNC can escape from these jobs."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_92511934","line":64,"in_reply_to":"3fa7e38b_137788d4","updated":"2020-02-12 22:22:27.000000000","message":"+1 to this, it would not be a very friendly user experience to not ever be able to retrieve the password or change it. I could imagine users (assuming a long TTL) opening tickets for support with \"I forgot my vnc password\" and creating extra work for support staff to get their password out of guest XML and tell them or change guest XML manually to \"reset password\".\n\nHere\u0027s links to how we handle server admin passwords GET (show password) [1] (returns encrypted and user uses their private key to decrypt, novaclient and osc does this) and POST (change password) [2].\n\n[1] https://docs.openstack.org/api-ref/compute/?expanded\u003dshow-server-password-detail#show-server-password\n[2] https://docs.openstack.org/api-ref/compute/?expanded\u003dchange-administrative-password-changepassword-action-detail#change-administrative-password-changepassword-action","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":9708,"name":"Balazs 
Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"c9d661ab1e725c9c51eb353011f13245c0e86655","unresolved":false,"context_lines":[{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_6dd4df4b","line":68,"updated":"2020-02-11 15:38:06.000000000","message":"So one alternative is what Alex is suggesting [1]\n\n[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012352.html","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dad7cd90bfa99dd42d37be4f243d82959381d064","unresolved":false,"context_lines":[{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3fa7e38b_c80e0432","line":68,"in_reply_to":"3fa7e38b_6dd4df4b","updated":"2020-02-12 22:22:27.000000000","message":"I prefer Alex\u0027s suggested approach from this email, I think it would be the most clear, simple, and friendly way to provide the vnc password feature.","commit_id":"ce6ef3d0be950769f9bb4ed53f37898f1ae8234e"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":15,"context_line":"access the vnc-password-encrypted console of instance will get a locked"},{"line_number":16,"context_line":"window from noVNC prompting for `vnc password` input, and this provides"},{"line_number":17,"context_line":"almost the same experience as using VNC clients (e.g vncviewer) to access"},{"line_number":18,"context_line":"vnc servers that require password authentication ."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_00cdb759","line":18,"range":{"start_line":18,"start_character":48,"end_line":18,"end_character":49},"updated":"2020-02-14 11:09:41.000000000","message":"white space","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"04566cb6e0a974c10e58f21a31c8fefe491bafb7","unresolved":false,"context_lines":[{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"There is only a token authentication against nova novncproxy, with the `token`"},{"line_number":24,"context_line":"parameter appended to the request access_url. 
While this is convenient, anyone"},{"line_number":25,"context_line":"who (e.g: a cloud administrator with too much curiosity about tenants\u0027"},{"line_number":26,"context_line":"business) gets the access_url info will have access to operating the instance"},{"line_number":27,"context_line":"by the vnc console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for noVNC console with vnc password authentication will"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_1dd680c5","line":26,"range":{"start_line":25,"start_character":5,"end_line":26,"end_character":8},"updated":"2020-02-14 10:32:41.000000000","message":"Comments from previous patch set was not answered https://review.opendev.org/#/c/623120/19/specs/ussuri/approved/nova-support-webvnc-with-password-anthentication.rst@27","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"414a995f386b2cea775dcdd8b59cade22ce84e5f","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  `--vnc-password` for reseting password of VNC Console."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when handling `get-vnc-console`:"},{"line_number":47,"context_line":"  extra logic will be added to handle both cases(vnc password provided,"},{"line_number":48,"context_line":"  and not). If password is not provided, we see it as the existing `Open"},{"line_number":49,"context_line":"  VNC Console` operation, then it jumps to old logic. 
Or we know it\u0027s a"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_9d9030f5","line":46,"range":{"start_line":46,"start_character":53,"end_line":46,"end_character":68},"updated":"2020-02-14 10:26:02.000000000","message":"We don\u0027t have this API, or are you proposing adding that API?\n\nActually, my suggestion is this API https://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-console-detail#create-console","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"414a995f386b2cea775dcdd8b59cade22ce84e5f","unresolved":false,"context_lines":[{"line_number":49,"context_line":"  VNC Console` operation, then it jumps to old logic. Or we know it\u0027s a"},{"line_number":50,"context_line":"  request to reset password for `VNC Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset VNC password. On success, this password"},{"line_number":52,"context_line":"  will be polulated in metadata of instance and will be exposed to user,"},{"line_number":53,"context_line":"  or for later rebuild/evacuate uses."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_fd9da4fc","line":52,"range":{"start_line":52,"start_character":10,"end_line":52,"end_character":43},"updated":"2020-02-14 10:26:02.000000000","message":"I prefer not to persist it in the DB.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"414a995f386b2cea775dcdd8b59cade22ce84e5f","unresolved":false,"context_lines":[{"line_number":49,"context_line":"  VNC Console` operation, then it jumps to old logic. 
Or we know it\u0027s a"},{"line_number":50,"context_line":"  request to reset password for `VNC Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset VNC password. On success, this password"},{"line_number":52,"context_line":"  will be polulated in metadata of instance and will be exposed to user,"},{"line_number":53,"context_line":"  or for later rebuild/evacuate uses."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_5d9638f0","line":52,"range":{"start_line":52,"start_character":48,"end_line":52,"end_character":71},"updated":"2020-02-14 10:26:02.000000000","message":"expose at where?","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"04566cb6e0a974c10e58f21a31c8fefe491bafb7","unresolved":false,"context_lines":[{"line_number":50,"context_line":"  request to reset password for `VNC Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset VNC password. On success, this password"},{"line_number":52,"context_line":"  will be polulated in metadata of instance and will be exposed to user,"},{"line_number":53,"context_line":"  or for later rebuild/evacuate uses."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"},{"line_number":56,"context_line":"  `Reset VNC Console Password` request: vnc password will be parsed and"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_5de15896","line":53,"updated":"2020-02-14 10:32:41.000000000","message":"If I can reset the password then I\u0027m less in need to query it. 
But I\u0027m also OK if I can query it.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"04566cb6e0a974c10e58f21a31c8fefe491bafb7","unresolved":false,"context_lines":[{"line_number":48,"context_line":"  and not). If password is not provided, we see it as the existing `Open"},{"line_number":49,"context_line":"  VNC Console` operation, then it jumps to old logic. Or we know it\u0027s a"},{"line_number":50,"context_line":"  request to reset password for `VNC Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset VNC password. On success, this password"},{"line_number":52,"context_line":"  will be polulated in metadata of instance and will be exposed to user,"},{"line_number":53,"context_line":"  or for later rebuild/evacuate uses."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"},{"line_number":56,"context_line":"  `Reset VNC Console Password` request: vnc password will be parsed and"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_1dad2031","line":53,"range":{"start_line":51,"start_character":45,"end_line":53,"end_character":37},"updated":"2020-02-14 10:32:41.000000000","message":"So if this is in the instance metadata then it is by default changeable to the user via the PUT /servers/{server_id}/metadata \nWe have today a change_instance_metadata RPC call to the compute which can be used to let the compute and then the libvirt driver know that the password needs to be changed in the domain XML.\n\nLet\u0027s agree on the metadata key name.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":9708,"name":"Balazs 
Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"04566cb6e0a974c10e58f21a31c8fefe491bafb7","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  added. For the fact that project `noVNC` has already provided native support"},{"line_number":62,"context_line":"  for password authentication(RFB version negotiation, handshakes and password"},{"line_number":63,"context_line":"  authentication), so rfb.VNC can escape from these jobs."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_1d20c0b0","line":64,"updated":"2020-02-14 10:32:41.000000000","message":"OK it seems that if we add the password to the instance metadata then the password information will end up in the virt driver during the get_vnc_console RPC call.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_c088ff21","line":68,"updated":"2020-02-14 11:09:41.000000000","message":"The alternative is to add the vnc_passwd key to the metadata as described in PS20, but that way the user cannot reset their vnc password, so adding vnc_passwd to the POST /servers/{server_id}/remote-consoles request is better than that 
way.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"190c8b39ec6107c3433c119991a126508d257021","unresolved":false,"context_lines":[{"line_number":65,"context_line":"Alternatives"},{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"None"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_1bb20832","line":68,"in_reply_to":"3fa7e38b_c088ff21","updated":"2020-02-14 12:43:13.000000000","message":"Done","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"04566cb6e0a974c10e58f21a31c8fefe491bafb7","unresolved":false,"context_lines":[{"line_number":75,"context_line":"REST API impact"},{"line_number":76,"context_line":"---------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"None"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Security impact"},{"line_number":81,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_a0faa30d","line":78,"updated":"2020-02-14 10:32:41.000000000","message":"Please describe the metadata key here as well as the change to the POST /servers/{server_id}/remote-consoles request. 
The POST /servers/{server_id}/remote-consoles changes also means we need a new API microversion.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"414a995f386b2cea775dcdd8b59cade22ce84e5f","unresolved":false,"context_lines":[{"line_number":75,"context_line":"REST API impact"},{"line_number":76,"context_line":"---------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"None"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Security impact"},{"line_number":81,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_9d5ef04e","line":78,"range":{"start_line":78,"start_character":0,"end_line":78,"end_character":4},"updated":"2020-02-14 10:26:02.000000000","message":"There is API change, and need microversion.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"190c8b39ec6107c3433c119991a126508d257021","unresolved":false,"context_lines":[{"line_number":75,"context_line":"REST API impact"},{"line_number":76,"context_line":"---------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"None"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Security impact"},{"line_number":81,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_9bc6f89a","line":78,"range":{"start_line":78,"start_character":0,"end_line":78,"end_character":4},"in_reply_to":"3fa7e38b_9d5ef04e","updated":"2020-02-14 12:43:13.000000000","message":"Done","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":28889,"name":"Guo 
Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"190c8b39ec6107c3433c119991a126508d257021","unresolved":false,"context_lines":[{"line_number":75,"context_line":"REST API impact"},{"line_number":76,"context_line":"---------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"None"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Security impact"},{"line_number":81,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_3bc10482","line":78,"in_reply_to":"3fa7e38b_a0faa30d","updated":"2020-02-14 12:43:13.000000000","message":"Done","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":116,"context_line":"New option `vnc` is added to auth_schemes list in `vnc`"},{"line_number":117,"context_line":"segment in `nova.conf`. This allows nova-novncproxy to"},{"line_number":118,"context_line":"detect and load rfb.VNC auth scheme."},{"line_number":119,"context_line":".. code-block:: ini"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  [vnc]"},{"line_number":122,"context_line":"  auth_schemes \u003d none,vnc,vencrypt"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_e06e5b63","line":119,"updated":"2020-02-14 11:09:41.000000000","message":"This is need to add a blank line above \".. 
code-block:: ini\" to resolve the docs failed.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":28889,"name":"Guo Jingyu","email":"guojy8993@163.com","username":"pandatt"},"change_message_id":"190c8b39ec6107c3433c119991a126508d257021","unresolved":false,"context_lines":[{"line_number":116,"context_line":"New option `vnc` is added to auth_schemes list in `vnc`"},{"line_number":117,"context_line":"segment in `nova.conf`. This allows nova-novncproxy to"},{"line_number":118,"context_line":"detect and load rfb.VNC auth scheme."},{"line_number":119,"context_line":".. code-block:: ini"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  [vnc]"},{"line_number":122,"context_line":"  auth_schemes \u003d none,vnc,vencrypt"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_5bbc0006","line":119,"in_reply_to":"3fa7e38b_e06e5b63","updated":"2020-02-14 12:43:13.000000000","message":"Done","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":191,"context_line":"  password. New CLI may look like this:"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"  Using nova command."},{"line_number":194,"context_line":"  .. 
code-block:: shell"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"    $ nova get-vnc-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e"},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_c08d5f29","line":194,"range":{"start_line":194,"start_character":2,"end_line":194,"end_character":23},"updated":"2020-02-14 11:09:41.000000000","message":"ditto.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":197,"context_line":""},{"line_number":198,"context_line":"* `API Guides` needs no updates. However, some texts should be posted"},{"line_number":199,"context_line":"  to notify developers about how to benefit from this feature."},{"line_number":200,"context_line":"  .. 
code-block:: request-body"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"    {"},{"line_number":203,"context_line":"        \"os-getVNCConsole\": {"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_40996f68","line":200,"range":{"start_line":200,"start_character":2,"end_line":200,"end_character":30},"updated":"2020-02-14 11:09:41.000000000","message":"add a blank line on this.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":208,"context_line":"* `Configuration Reference` \u0026 `Deployment Guides` need some updates."},{"line_number":209,"context_line":"  A change in nova.conf to enable rfb.VNC auth scheme is added (nova"},{"line_number":210,"context_line":"  -novncproxy cares)."},{"line_number":211,"context_line":"  .. code-block:: ini"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"    [vnc]"},{"line_number":214,"context_line":"    auth_schemes \u003d none,vnc,vencrypt"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_a0b383eb","line":211,"range":{"start_line":211,"start_character":2,"end_line":211,"end_character":21},"updated":"2020-02-14 11:09:41.000000000","message":"ditto.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":228,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":".. 
list-table:: Revisions"},{"line_number":231,"context_line":"      :header-rows: 1"},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"   * - Release Name"},{"line_number":234,"context_line":"     - Description"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_20cc7360","line":231,"range":{"start_line":231,"start_character":3,"end_line":231,"end_character":6},"updated":"2020-02-14 11:09:41.000000000","message":"Redundant indentation.","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"fcd48cf0d0bb1954ad60657da53b2fdaafd15a78","unresolved":false,"context_lines":[{"line_number":232,"context_line":""},{"line_number":233,"context_line":"   * - Release Name"},{"line_number":234,"context_line":"     - Description"},{"line_number":235,"context_line":"   * - Train"},{"line_number":236,"context_line":"     - Introduced"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3fa7e38b_80ac4787","line":235,"range":{"start_line":235,"start_character":7,"end_line":235,"end_character":12},"updated":"2020-02-14 11:09:41.000000000","message":"Ussuri","commit_id":"951515d0d122f3f627b8e5a264342663a5dbc4ee"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"---------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"A safer noVNC console will benefit End User. 
And impacts on Developer/Deployer"},{"line_number":37,"context_line":"are as follows in `Documentation Impact`_ section."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_d6e76544","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":44},"updated":"2020-02-14 13:05:56.000000000","message":"You could write something like this: \"The end user can set a VNC console password to guard against the console access URL being stolen by another user\"?\n\nYou could also add \"The end user can reset the VNC console password when they forget it\"","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"---------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"A safer noVNC console will benefit End User. 
And impacts on Developer/Deployer"},{"line_number":37,"context_line":"are as follows in `Documentation Impact`_ section."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Proposed change"},{"line_number":40,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_1bfa0811","line":37,"range":{"start_line":36,"start_character":45,"end_line":37,"end_character":50},"updated":"2020-02-14 13:05:56.000000000","message":"remove this","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to python-novaclient (`nova get-vnc-console`"},{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  `--vnc-password` for reseting remote Console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when handling `get-vnc-console`:"},{"line_number":47,"context_line":"  extra logic will be added to handle both cases(vnc password provided,"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_366599e2","line":44,"range":{"start_line":44,"start_character":39,"end_line":44,"end_character":46},"updated":"2020-02-14 13:05:56.000000000","message":"s/Console/console/","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":44,"context_line":"  `--vnc-password` for reseting remote Console 
password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when handling `get-vnc-console`:"},{"line_number":47,"context_line":"  extra logic will be added to handle both cases(vnc password provided,"},{"line_number":48,"context_line":"  and not). If password is not provided, we see it as the existing Create"},{"line_number":49,"context_line":"  -Remote-Console operation, then it jumps to old logic. Or we know it\u0027s a"},{"line_number":50,"context_line":"  request to reset password for `Remote Console`, and RPC call will be sent"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_f65aa11c","line":47,"range":{"start_line":47,"start_character":2,"end_line":47,"end_character":7},"updated":"2020-02-14 13:05:56.000000000","message":"s/extra/Extra","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":48,"context_line":"  and not). If password is not provided, we see it as the existing Create"},{"line_number":49,"context_line":"  -Remote-Console operation, then it jumps to old logic. 
Or we know it\u0027s a"},{"line_number":50,"context_line":"  request to reset password for `Remote Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset Console password."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"},{"line_number":54,"context_line":"  `Reset Remote Console Password` request: vnc password will be parsed and"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_566055d0","line":51,"range":{"start_line":51,"start_character":30,"end_line":51,"end_character":37},"updated":"2020-02-14 13:05:56.000000000","message":"s/console/Console/","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":50,"context_line":"  request to reset password for `Remote Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset Console password."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"},{"line_number":54,"context_line":"  `Reset Remote Console Password` request: vnc password will be parsed and"},{"line_number":55,"context_line":"  validated, `graphics` tag will be reassembled and updated to libvirt"},{"line_number":56,"context_line":"  XML of target instance."}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_d63525a8","line":53,"range":{"start_line":53,"start_character":2,"end_line":53,"end_character":41},"updated":"2020-02-14 13:05:56.000000000","message":"We should mention this is only implement for libvirt virt driver. 
For the other driver, we should return failure.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":50,"context_line":"  request to reset password for `Remote Console`, and RPC call will be sent"},{"line_number":51,"context_line":"  to compute service to reset Console password."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"* Changes will be patched to nova-compute and libvirt driver to handle"},{"line_number":54,"context_line":"  `Reset Remote Console Password` request: vnc password will be parsed and"},{"line_number":55,"context_line":"  validated, `graphics` tag will be reassembled and updated to libvirt"},{"line_number":56,"context_line":"  XML of target instance."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"* Changes will be patched to nova-novncproxy: rfb.VNC auth scheme will be"},{"line_number":59,"context_line":"  added. 
For the fact that project `noVNC` has already provided native support"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_56bcd505","line":56,"range":{"start_line":53,"start_character":46,"end_line":56,"end_character":25},"updated":"2020-02-14 13:05:56.000000000","message":"you can talk about the libvirt virt dirver implement under the \"Implementation\" section.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Alternatives"},{"line_number":64,"context_line":"------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"As the 20th patchset of current SPEC describes, `vnc pasword` will serve as"},{"line_number":67,"context_line":"a booting param of instance. The shortcoming of this implement is that no API"},{"line_number":68,"context_line":"provided to set Console password after instance is launched."},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_969fadb0","line":66,"range":{"start_line":66,"start_character":0,"end_line":66,"end_character":46},"updated":"2020-02-14 13:05:56.000000000","message":"you needn\u0027t mention it is coming from 20th patchset...","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":90,"context_line":"        \"remote_console\": {"},{"line_number":91,"context_line":"            \"protocol\": \"vnc\","},{"line_number":92,"context_line":"            \"type\": \"novnc\","},{"line_number":93,"context_line":"            \"vnc_password\": \"newpass\""},{"line_number":94,"context_line":"        
}"},{"line_number":95,"context_line":"     }"},{"line_number":96,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_3637d9e6","line":93,"range":{"start_line":93,"start_character":28,"end_line":93,"end_character":37},"updated":"2020-02-14 13:05:56.000000000","message":"We should define the format of this. It would be good to know the schema of VNC passwords that VNC supports.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":94,"context_line":"        }"},{"line_number":95,"context_line":"     }"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"  The `vnc_password` and (`protocol`,`type`) are mutually exclusive:"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"  - If only `vnc_password` is provided, it\u0027s used for set console password."},{"line_number":100,"context_line":"  - If only (`protocol`,`type`) are provided, it\u0027s used for obtaining access"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_9609eddb","line":97,"range":{"start_line":97,"start_character":38,"end_line":97,"end_character":42},"updated":"2020-02-14 13:05:56.000000000","message":"I guess you want to say the type other than \u0027vnc\u0027?\n\nAnd looks like the `{\"type\": \"novnc\"}` is the only type supported, right?","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":100,"context_line":"  - If only (`protocol`,`type`) are provided, it\u0027s used for obtaining access"},{"line_number":101,"context_line":"    url."},{"line_number":102,"context_line":"  - If both 
`vnc_password` and (`protocol`,`type`) are provided,"},{"line_number":103,"context_line":"    MalformedRequestBody will raise."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Security impact"},{"line_number":106,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_16609d9d","line":103,"range":{"start_line":103,"start_character":3,"end_line":103,"end_character":36},"updated":"2020-02-14 13:05:56.000000000","message":"`HTTPBadRequest 400` will be returned.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":101,"context_line":"    url."},{"line_number":102,"context_line":"  - If both `vnc_password` and (`protocol`,`type`) are provided,"},{"line_number":103,"context_line":"    MalformedRequestBody will raise."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Security impact"},{"line_number":106,"context_line":"---------------"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_f64b8125","line":104,"updated":"2020-02-14 13:05:56.000000000","message":"for the unsupported virt driver, we should return `HTTPNotImplemented 501`","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":105,"context_line":"Security impact"},{"line_number":106,"context_line":"---------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"None"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Surely it will make web console safer. 
And note that VNC password will"},{"line_number":111,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_fbfe0c05","line":108,"range":{"start_line":108,"start_character":0,"end_line":108,"end_character":4},"updated":"2020-02-14 13:05:56.000000000","message":"remove this","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":150,"context_line":"Developer impact"},{"line_number":151,"context_line":"----------------"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"Developers should use latest microversion to be able to"},{"line_number":154,"context_line":"reset Console password."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"Upgrade impact"},{"line_number":157,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_7b3d3ce4","line":154,"range":{"start_line":153,"start_character":0,"end_line":154,"end_character":23},"updated":"2020-02-14 13:05:56.000000000","message":"Probably just keep this empty. 
This isn\u0027t developer impact.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":156,"context_line":"Upgrade impact"},{"line_number":157,"context_line":"--------------"},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"None"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"Implementation"},{"line_number":162,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_3b090431","line":159,"range":{"start_line":159,"start_character":0,"end_line":159,"end_character":4},"updated":"2020-02-14 13:05:56.000000000","message":"We should bump the service object version and the RPC version for the \u0027get_vnc_console\u0027 RPC call. Then the call can succeed only once the cluster is fully upgraded to the Ussuri release; otherwise return failure for the request.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":217,"context_line":"  CLI) provides `--vnc-password` option to user to reset VNC Console"},{"line_number":218,"context_line":"  password. New CLI may look like this:"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"  Using nova command."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"  .. 
code-block:: shell"},{"line_number":223,"context_line":""},{"line_number":224,"context_line":"    $ nova get-vnc-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e ..."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"* `API Guides` needs no updates. However, some texts should be posted"},{"line_number":227,"context_line":"  to notify developers about how to benefit from this feature."}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_f6414138","line":224,"range":{"start_line":220,"start_character":2,"end_line":224,"end_character":67},"updated":"2020-02-14 13:05:56.000000000","message":"this can be added to `the end user impact` section","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":225,"context_line":""},{"line_number":226,"context_line":"* `API Guides` needs no updates. However, some texts should be posted"},{"line_number":227,"context_line":"  to notify developers about how to benefit from this feature."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"  .. 
code-block:: json"},{"line_number":230,"context_line":" "},{"line_number":231,"context_line":"    {"},{"line_number":232,"context_line":"        \"remote_console\": {"},{"line_number":233,"context_line":"            \"protocol\": \"vnc\","},{"line_number":234,"context_line":"            \"type\": \"novnc\","},{"line_number":235,"context_line":"            \"vnc_password\": \"newpass\""},{"line_number":236,"context_line":"        }"},{"line_number":237,"context_line":"    }"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* `Configuration Reference` \u0026 `Deployment Guides` need some updates."},{"line_number":240,"context_line":"  A change in nova.conf to enable rfb.VNC auth scheme is added (nova"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_163dfdb7","line":237,"range":{"start_line":228,"start_character":0,"end_line":237,"end_character":5},"updated":"2020-02-14 13:05:56.000000000","message":"you already talk about the API detail at API impact section, then you needn\u0027t repeat it at here.","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"21827a906039c05e78b2ee07fc3f358ef15ebe09","unresolved":false,"context_lines":[{"line_number":239,"context_line":"* `Configuration Reference` \u0026 `Deployment Guides` need some updates."},{"line_number":240,"context_line":"  A change in nova.conf to enable rfb.VNC auth scheme is added (nova"},{"line_number":241,"context_line":"  -novncproxy cares)."},{"line_number":242,"context_line":"  .. 
code-block:: ini"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"    [vnc]"},{"line_number":245,"context_line":"    auth_schemes \u003d none,vnc,vencrypt"},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"References"},{"line_number":248,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":23,"id":"3fa7e38b_b67189ad","line":245,"range":{"start_line":242,"start_character":21,"end_line":245,"end_character":36},"updated":"2020-02-14 13:05:56.000000000","message":"you needn\u0027t repeat this again","commit_id":"81b3da1c85ee3c31bab59912044339a3597b8adc"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"ee158bc6e62eb461de208e41b3b06cf9867e8f9e","unresolved":false,"context_lines":[{"line_number":103,"context_line":"  - If only ``vnc_password`` is provided, it\u0027s used for set console password."},{"line_number":104,"context_line":"  - If only (``protocol``, ``type``) are provided, it\u0027s used for obtaining"},{"line_number":105,"context_line":"    access url."},{"line_number":106,"context_line":"  - If both ``vnc_password`` and (``protocol``, ``type``) are provided,"},{"line_number":107,"context_line":"    `HttpBadRequest 400` will be returned."},{"line_number":108,"context_line":"  - And for unsupported virt driver, `HttpNotImplemented 501` will be"},{"line_number":109,"context_line":"    returned."},{"line_number":110,"context_line":"  - Only `vnc` and `spice` console protols support reseting password. 
For"}],"source_content_type":"text/x-rst","patch_set":25,"id":"3fa7e38b_313a8334","line":107,"range":{"start_line":106,"start_character":4,"end_line":107,"end_character":42},"updated":"2020-02-14 14:25:19.000000000","message":"I still don\u0027t understand this.","commit_id":"ada554feb99481f29f4cabca28f623fcc12e10b9"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"ee158bc6e62eb461de208e41b3b06cf9867e8f9e","unresolved":false,"context_lines":[{"line_number":107,"context_line":"    `HttpBadRequest 400` will be returned."},{"line_number":108,"context_line":"  - And for unsupported virt driver, `HttpNotImplemented 501` will be"},{"line_number":109,"context_line":"    returned."},{"line_number":110,"context_line":"  - Only `vnc` and `spice` console protols support reseting password. For"},{"line_number":111,"context_line":"    other protols, `HttpNotImplemented 501` will be returned."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":25,"id":"3fa7e38b_11e667dc","line":110,"range":{"start_line":110,"start_character":19,"end_line":110,"end_character":26},"updated":"2020-02-14 14:25:19.000000000","message":"oh...this isn\u0027t vnc specific. 
so...spice support, does RDP support also?\n\nIf the spice support this also, then we shouldn\u0027t call it as \"vnc_password\", maybe just password, right?","commit_id":"ada554feb99481f29f4cabca28f623fcc12e10b9"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"59276310ea662c35aeabacb2aa3426a027f3392c","unresolved":false,"context_lines":[{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Nova provides noVNC with password anthentication"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/nova-support-webvnc-with-password-anthentication"}],"source_content_type":"text/x-rst","patch_set":26,"id":"3fa7e38b_6ca264ae","line":8,"range":{"start_line":8,"start_character":14,"end_line":8,"end_character":19},"updated":"2020-02-14 15:15:24.000000000","message":"since you want to support the spice also. 
i just think we should only call out noVNC, maybe just call it as \u0027remote console password\u0027, it is more generic.","commit_id":"8405d328d3ad8e653df42691dc40809a4579191b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"06c13a8a622c011ae2bbd30922e05c720a19ec1a","unresolved":false,"context_lines":[{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"There is only a token authentication against nova novncproxy, with the"},{"line_number":24,"context_line":"``token`` parameter appended to the request access_url. While this is"},{"line_number":25,"context_line":"convenient, anyone who (e.g. A cloud administrator with too much curiosity"},{"line_number":26,"context_line":"about tenants\u0027 business) gets the access_url info will have access to"},{"line_number":27,"context_line":"operating the instance by the web console directly, which is not that safe."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Now an implementation for remote console with password authentication"}],"source_content_type":"text/x-rst","patch_set":28,"id":"3fa7e38b_72d79a22","line":26,"range":{"start_line":25,"start_character":24,"end_line":26,"end_character":24},"updated":"2020-02-14 16:12:27.000000000","message":"the solution still does not prevent admins from being curious. 
It only forces the admin to change the vnc password, which will make it obvious that the admin did that.","commit_id":"33a13a1aabee9d89a88c3b7e3e18244b2bd6a0c1"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"06c13a8a622c011ae2bbd30922e05c720a19ec1a","unresolved":false,"context_lines":[{"line_number":87,"context_line":"* Request method: POST(update password for remote console)"},{"line_number":88,"context_line":"  Add ``password`` param to the request body"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* Update the Create-Remote-Cosole API:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"  .. code-block:: json"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":28,"id":"3fa7e38b_929c9670","line":90,"range":{"start_line":90,"start_character":27,"end_line":90,"end_character":33},"updated":"2020-02-14 16:12:27.000000000","message":"nit: Console","commit_id":"33a13a1aabee9d89a88c3b7e3e18244b2bd6a0c1"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"06c13a8a622c011ae2bbd30922e05c720a19ec1a","unresolved":false,"context_lines":[{"line_number":99,"context_line":"        }"},{"line_number":100,"context_line":"     }"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"  The ``password`` is in common password format."},{"line_number":103,"context_line":"  The ``password`` parameter is optional:"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  - If ``password`` is present, console password will be updated while"}],"source_content_type":"text/x-rst","patch_set":28,"id":"3fa7e38b_12cbc672","line":102,"range":{"start_line":102,"start_character":19,"end_line":102,"end_character":48},"updated":"2020-02-14 16:12:27.000000000","message":"I don\u0027t know what 
this means.","commit_id":"33a13a1aabee9d89a88c3b7e3e18244b2bd6a0c1"}]}
