)]}'
{"specs/wallaby/approved/nova-support-webvnc-with-password-anthentication.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"980c975d1627a1b46671180922bb40d5b8ef6433","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Proposed change"},{"line_number":40,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to python-novaclient (``nova get-*-console``"},{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_6d5a924f","line":42,"range":{"start_line":42,"start_character":2,"end_line":42,"end_character":26},"updated":"2020-10-27 16:15:58.000000000","message":"i think you ment\n\n\"Changes will be proposed\"","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Proposed change"},{"line_number":40,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to python-novaclient (``nova get-*-console``"},{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console 
password."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_a3c0327e","line":42,"range":{"start_line":42,"start_character":2,"end_line":42,"end_character":26},"in_reply_to":"3f65232a_6d5a924f","updated":"2020-10-28 07:25:51.000000000","message":"Done","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"66e76c592db8f83c833308652ccb9342aa981fde","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to python-novaclient (``nova get-*-console``"},{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_977c5bec","line":44,"updated":"2020-10-27 14:17:27.000000000","message":"in other words, a new API microversion will be provided in the nova API and OSC will need to provide a specific version for using it.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* Changes will be patched to python-novaclient (``nova get-*-console``"},{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote 
console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_33d20836","line":44,"in_reply_to":"3f65232a_977c5bec","updated":"2020-10-28 07:25:51.000000000","message":"Ok, let\u0027s rephrase it.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"980c975d1627a1b46671180922bb40d5b8ef6433","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. 
And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_083cacbd","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"updated":"2020-10-27 16:15:58.000000000","message":"i think this can just be replaced with \n\n\"The nova api will be extended to support console password when creating a remote console.\"\n\n\nhowever what do you mean by  ``Create Remote Console`` operation,\n\nthere is no operation to create a remote console.\n\nthey are created automatically if you configure a host with a console e.g. novnc.\n\nthe api operations we have today are to list the contents of the console log or retrieve a url to the existing console.\n\nso if you want to have a password protected console you would need to make that part of the server create operation.\n\nadditionally we will need to support set and clear console password actions at the nova api to allow it to change after the vm is created.\n\nthe semantics should be that setting a password on an instance created without a password initially either is an error or results in a password being required for all future connections.\n\nthat should be defined in this spec.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"58914697e4ef30877540f4d6dfc9a04d356eb062","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). 
If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_08f4acce","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"in_reply_to":"3f65232a_083cacbd","updated":"2020-10-27 16:31:09.000000000","message":"There are actually two \"create consoles\" APIs. The first was only for the old nova-consoles services (XenAPI-only) and was removed in Ussuri [1]. The second, which is what I think we\u0027re talking about here, is still present [2]. 
Given the references to this \u0027remote-consoles\u0027 API below, I suspect this is what we\u0027re talking about here.\n\nHowever, I agree that this is not clear.\n\n[1] https://docs.openstack.org/api-ref/compute/#lists-consoles\n[2] https://docs.openstack.org/api-ref/compute/#create-console","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"073ebe85dc45ec77ab5207dce006242be1faf834","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. 
And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_68c0c07c","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"in_reply_to":"3f65232a_083cacbd","updated":"2020-10-27 16:23:52.000000000","message":"oh you are referring to \n\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-console-detail#server-consoles\n\ninstead of \nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-console-detail#show-console-output-os-getconsoleoutput-action\nand the server actions for the other console\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-console-detail#get-vnc-console-os-getvncconsole-action-deprecated\n\nthe console output server action still needs to be protected\n\npost /servers/{server_id}/action\n{\n    \"os-getConsoleOutput\": {\n        \"length\": 50\n    }\n}\n\n\nand the deprecated action also needs to be blocked when the instance has a password set.\n\nthe nova client and openstack client i believe still support the old apis.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"4738e7b64c917e64e3fda8028f04e92a5be9bc7b","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). 
If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_888d5c33","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"in_reply_to":"3f65232a_08f4acce","updated":"2020-10-27 16:41:46.000000000","message":"ya i tought we still had a get console url server action that worked for all console types but no we have a different endpont. i was confusing it with the console show action but i dont really understand why show and get url are differennt.\n\nwe cant add console to instances that are running right? 
we just use the config options so i dont really unser stand how the create-console works.\n\nas an end user you wont know what type so of console the cloud can support so a create really does not make sense to me.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"4738e7b64c917e64e3fda8028f04e92a5be9bc7b","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. 
And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_a8d3f837","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"in_reply_to":"3f65232a_68c0c07c","updated":"2020-10-27 16:41:46.000000000","message":"https://github.com/openstack/python-openstackclient/blob/master/openstackclient/compute/v2/console.py#L128\n\nthe sdk and openstack client as a result still use the old actions api\n\nhttps://github.com/openstack/openstacksdk/blob/9f0749029267ef9780c289dee78a7a87524d7d97/openstack/compute/v2/server.py#L487-L493\n\nhttps://github.com/openstack/openstacksdk/blob/9f0749029267ef9780c289dee78a7a87524d7d97/openstack/compute/v2/server.py#L20-L26\n\n\nnova client has support for both\n\nhttps://github.com/openstack/python-novaclient/blob/master/novaclient/v2/servers.py#L35-L41\nhttps://github.com/openstack/python-novaclient/blob/master/novaclient/v2/servers.py#L993-L1006\n\nfor microver 2-2.5\n\nand the new endpoint for later versions\n\nhttps://github.com/openstack/python-novaclient/blob/master/novaclient/v2/servers.py#L1019-L1040","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":43,"context_line":"  subcommand) and equivalent in python-openstackclient to provide"},{"line_number":44,"context_line":"  ``--password`` for reseting remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* Changes will be patched to nova-api when creating remote console:"},{"line_number":47,"context_line":"  Extra logic will be added to handle both cases(console password"},{"line_number":48,"context_line":"  provided, and not). 
If password is not provided, we see it as the"},{"line_number":49,"context_line":"  existing ``Create Remote Console`` operation, then it jumps to old"},{"line_number":50,"context_line":"  logic. Or we know it\u0027s a request to reset password for"},{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_d32ab48e","line":52,"range":{"start_line":46,"start_character":2,"end_line":52,"end_character":25},"in_reply_to":"3f65232a_a8d3f837","updated":"2020-10-28 07:25:51.000000000","message":"Let me rephrase it, to make it clearer.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"980c975d1627a1b46671180922bb40d5b8ef6433","unresolved":false,"context_lines":[{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"},{"line_number":56,"context_line":"  for libvirt driver. 
For other virt drivers, NotImplement will raise."},{"line_number":57,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_a87658a3","line":54,"range":{"start_line":54,"start_character":2,"end_line":54,"end_character":26},"updated":"2020-10-27 16:15:58.000000000","message":"Changes will be proposed ...","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":51,"context_line":"  ``Remote Console``, and RPC call will be sent to compute service to"},{"line_number":52,"context_line":"  reset console password."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* Changes will be patched to nova-compute and virt driver to handle"},{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"},{"line_number":56,"context_line":"  for libvirt driver. For other virt drivers, NotImplement will raise."},{"line_number":57,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_33196888","line":54,"range":{"start_line":54,"start_character":2,"end_line":54,"end_character":26},"in_reply_to":"3f65232a_a87658a3","updated":"2020-10-28 07:25:51.000000000","message":"Done","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"980c975d1627a1b46671180922bb40d5b8ef6433","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"},{"line_number":56,"context_line":"  for libvirt driver. 
For other virt drivers, NotImplement will raise."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"* Changes will be patched to nova-novncproxy: auth schemes(e.g:rfb.VNC)"},{"line_number":59,"context_line":"  will be added. For the fact that project ``noVNC`` has already provided"},{"line_number":60,"context_line":"  native support for password authentication(RFB version negotiation,"},{"line_number":61,"context_line":"  handshakes and password authentication), so rfb.VNC can escape from"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_88871c62","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":26},"updated":"2020-10-27 16:15:58.000000000","message":"again \"Changes will be proposed\" or just say\n\nthe nova-novncproxy will be update too support ...","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"},{"line_number":56,"context_line":"  for libvirt driver. For other virt drivers, NotImplement will raise."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"* Changes will be patched to nova-novncproxy: auth schemes(e.g:rfb.VNC)"},{"line_number":59,"context_line":"  will be added. 
For the fact that project ``noVNC`` has already provided"},{"line_number":60,"context_line":"  native support for password authentication(RFB version negotiation,"},{"line_number":61,"context_line":"  handshakes and password authentication), so rfb.VNC can escape from"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_131eec6f","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":26},"in_reply_to":"3f65232a_88871c62","updated":"2020-10-28 07:25:51.000000000","message":"Done","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"58914697e4ef30877540f4d6dfc9a04d356eb062","unresolved":false,"context_lines":[{"line_number":64,"context_line":"Alternatives"},{"line_number":65,"context_line":"------------"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"New booting parameter ``console_pasword`` will be added to launch instances."},{"line_number":68,"context_line":"And the password will be used to assemble ``graphics`` tag in libvirt XML."},{"line_number":69,"context_line":"In this way, password-encrypted remote console will be implemented."},{"line_number":70,"context_line":"The shortcoming of this implement is that no API provided to reset console"},{"line_number":71,"context_line":"password after instance is booted."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Data model impact"},{"line_number":74,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_081dcc0e","line":71,"range":{"start_line":67,"start_character":0,"end_line":71,"end_character":34},"updated":"2020-10-27 16:31:09.000000000","message":"Not necessarily. You could extend the existing \u0027changePassword\u0027 server action. That currently accepts an object with a single key, \u0027adminPass\u0027. 
You could add an additional key, \u0027consolePass\u0027.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"43adaddef60a2fd8be79f18cb8ebdd5b90f0389b","unresolved":false,"context_lines":[{"line_number":64,"context_line":"Alternatives"},{"line_number":65,"context_line":"------------"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"New booting parameter ``console_pasword`` will be added to launch instances."},{"line_number":68,"context_line":"And the password will be used to assemble ``graphics`` tag in libvirt XML."},{"line_number":69,"context_line":"In this way, password-encrypted remote console will be implemented."},{"line_number":70,"context_line":"The shortcoming of this implement is that no API provided to reset console"},{"line_number":71,"context_line":"password after instance is booted."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Data model impact"},{"line_number":74,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_8898bc1b","line":71,"range":{"start_line":67,"start_character":0,"end_line":71,"end_character":34},"in_reply_to":"3f65232a_081dcc0e","updated":"2020-10-27 16:54:42.000000000","message":"i do like this idea.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"66e76c592db8f83c833308652ccb9342aa981fde","unresolved":false,"context_lines":[{"line_number":84,"context_line":"URL: /servers/{server_id}/remote-consoles"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* Request method: POST(update password for remote console)"},{"line_number":87,"context_line":"  Add ``password`` param to the request 
body"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* Update the Create-Remote-Console API:"},{"line_number":90,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_97657b48","line":87,"updated":"2020-10-27 14:17:27.000000000","message":"security note: as an operator, if you really want this, make sure that the Nova API is using HTTPS...","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"66e76c592db8f83c833308652ccb9342aa981fde","unresolved":false,"context_lines":[{"line_number":117,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":118,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":119,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":120,"context_line":"/qemu in local filesystem except. Briefly speaking, no potential security"},{"line_number":121,"context_line":"risks will be introduced."},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"Notifications impact"},{"line_number":124,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_3756275e","line":121,"range":{"start_line":120,"start_character":52,"end_line":121,"end_character":25},"updated":"2020-10-27 14:17:27.000000000","message":"if apache logs and HTTPs are in use, indeed. If you have an API proxy, meh to the logs.","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":117,"context_line":"Surely it will make web console safer. 
And note that console password will"},{"line_number":118,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":119,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":120,"context_line":"/qemu in local filesystem except. Briefly speaking, no potential security"},{"line_number":121,"context_line":"risks will be introduced."},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"Notifications impact"},{"line_number":124,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_b668c6ba","line":121,"range":{"start_line":120,"start_character":52,"end_line":121,"end_character":25},"in_reply_to":"3f65232a_3756275e","updated":"2020-10-28 07:25:51.000000000","message":"right","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"66e76c592db8f83c833308652ccb9342aa981fde","unresolved":false,"context_lines":[{"line_number":172,"context_line":""},{"line_number":173,"context_line":"We should bump service object version and rpc version"},{"line_number":174,"context_line":"for the \u0027get_*_console\u0027 rpc call. Then only when the"},{"line_number":175,"context_line":"cluster fully upgrade to Ussuri release, the call can be"},{"line_number":176,"context_line":"success. otherwise return failure for the request."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_97ca9b17","line":175,"range":{"start_line":175,"start_character":8,"end_line":175,"end_character":39},"updated":"2020-10-27 14:17:27.000000000","message":"Hey Marty! 
Run at 88 miles per hour !\nhttps://www.gannett-cdn.com/-mm-/94572ad71c1c554abae670ec7bd4871e2898e3b2/c\u003d0-142-3000-1837/local/-/media/2015/10/21/USATODAY/USATODAY/635809824922215243-AP-BACK-TO-THE-FUTURE-DAY-76890712.JPG?width\u003d3000\u0026height\u003d1695\u0026fit\u003dcrop\u0026format\u003dpjpg\u0026auto\u003dwebp","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":172,"context_line":""},{"line_number":173,"context_line":"We should bump service object version and rpc version"},{"line_number":174,"context_line":"for the \u0027get_*_console\u0027 rpc call. Then only when the"},{"line_number":175,"context_line":"cluster fully upgrade to Ussuri release, the call can be"},{"line_number":176,"context_line":"success. otherwise return failure for the request."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_d63102ef","line":175,"range":{"start_line":175,"start_character":8,"end_line":175,"end_character":39},"in_reply_to":"3f65232a_97ca9b17","updated":"2020-10-28 07:25:51.000000000","message":"LOL","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"58914697e4ef30877540f4d6dfc9a04d356eb062","unresolved":false,"context_lines":[{"line_number":265,"context_line":"   * - Ussuri"},{"line_number":266,"context_line":"     - Approved"},{"line_number":267,"context_line":"   * - Victoria"},{"line_number":268,"context_line":"     - Reposeposed"},{"line_number":269,"context_line":"   * - Wallaby"},{"line_number":270,"context_line":"     - 
Reposeposed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f65232a_c8e0f4fd","line":268,"range":{"start_line":268,"start_character":7,"end_line":268,"end_character":18},"updated":"2020-10-27 16:31:09.000000000","message":"Re-proposed","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"380c0cdb576bfa8a9f668485d9ba53ae53d65724","unresolved":false,"context_lines":[{"line_number":265,"context_line":"   * - Ussuri"},{"line_number":266,"context_line":"     - Approved"},{"line_number":267,"context_line":"   * - Victoria"},{"line_number":268,"context_line":"     - Reposeposed"},{"line_number":269,"context_line":"   * - Wallaby"},{"line_number":270,"context_line":"     - Reposeposed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_b63a86ca","line":268,"range":{"start_line":268,"start_character":7,"end_line":268,"end_character":18},"in_reply_to":"3f65232a_c8e0f4fd","updated":"2020-10-28 07:25:51.000000000","message":"Done","commit_id":"5cef0313000504549b7ec6425ac80821ae5c24a8"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d46635937f445e17e7429054fbbef90cefa8060a","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  remote console."},{"line_number":48,"context_line":"  There are two ``create console`` APIs. 
The first was only for the old"},{"line_number":49,"context_line":"  nova-consoles services (XenAPI-only) and was removed in Ussuri release [1]_."},{"line_number":50,"context_line":"  The second, which is we will changes to support console password, is still"},{"line_number":51,"context_line":"  valid [2]_."},{"line_number":52,"context_line":"  And the server actions for the other console [3]_, the console output"},{"line_number":53,"context_line":"  server action still need to be protected, and the deprecated action also"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_aac72564","line":50,"range":{"start_line":50,"start_character":23,"end_line":50,"end_character":38},"updated":"2020-11-09 17:33:12.000000000","message":"what we will change","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"481615209bc9573911e56ba197d47ba999ca1a83","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  remote console."},{"line_number":48,"context_line":"  There are two ``create console`` APIs. 
The first was only for the old"},{"line_number":49,"context_line":"  nova-consoles services (XenAPI-only) and was removed in Ussuri release [1]_."},{"line_number":50,"context_line":"  The second, which is we will changes to support console password, is still"},{"line_number":51,"context_line":"  valid [2]_."},{"line_number":52,"context_line":"  And the server actions for the other console [3]_, the console output"},{"line_number":53,"context_line":"  server action still need to be protected, and the deprecated action also"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_5c6ba383","line":50,"range":{"start_line":50,"start_character":23,"end_line":50,"end_character":38},"in_reply_to":"1f621f24_aac72564","updated":"2020-11-11 10:11:39.000000000","message":"It\u0027s in *REST API impact*, add passwd to the create remote console API.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"daed82ba999f0267a41b7f0a09b10e0613709deb","unresolved":false,"context_lines":[{"line_number":110,"context_line":"    password. 
If both ``password`` and (``protocol``, ``type``)"},{"line_number":111,"context_line":"    are provided, and protocol/type not in support list"},{"line_number":112,"context_line":"    ``HttpBadRequest 400`` will be returned."},{"line_number":113,"context_line":"  - And for unsupported virt driver, `HttpNotImplemented 501` will be"},{"line_number":114,"context_line":"    returned."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_8082a9fe","line":114,"range":{"start_line":113,"start_character":0,"end_line":114,"end_character":13},"updated":"2020-11-17 14:50:15.000000000","message":"I\u0027d rather return something like HTTP40x in case not all the computes support it.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cd6e65548f1d8817313c40fc3b2a7dbde7669371","unresolved":false,"context_lines":[{"line_number":110,"context_line":"    password. If both ``password`` and (``protocol``, ``type``)"},{"line_number":111,"context_line":"    are provided, and protocol/type not in support list"},{"line_number":112,"context_line":"    ``HttpBadRequest 400`` will be returned."},{"line_number":113,"context_line":"  - And for unsupported virt driver, `HttpNotImplemented 501` will be"},{"line_number":114,"context_line":"    returned."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_99d7c0bf","line":114,"range":{"start_line":113,"start_character":0,"end_line":114,"end_character":13},"in_reply_to":"1f621f24_8082a9fe","updated":"2020-11-17 18:03:11.000000000","message":"I agree with Sylvain. 
\n\n501 is very confusing and is always understood in multiple ways. 501 is specifically defined as \u0027HTTP method not defined\u0027, meaning POST/PUT/GET/DELETE etc are not implemented. so returning 501 can easily be interpreted as \u0027POST /servers/{server_id}/remote-consoles\u0027 is not implemented instead of \u0027password\u0027 setting is not implemented. \n\nOur case is a clear case of \u0027Feature not implemented\u0027 and returning 501, in this case, is not 100% right. I think returning 400 is the right code here with an error message something like \u0027password resetting is not supported\u0027 so that the client knows they just need to remove the \u0027password\u0027 field to make the request succeed.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"282c4785dfc44e1367d5f6cd191e41299d0bad51","unresolved":false,"context_lines":[{"line_number":110,"context_line":"    password. 
If both ``password`` and (``protocol``, ``type``)"},{"line_number":111,"context_line":"    are provided, and protocol/type not in support list"},{"line_number":112,"context_line":"    ``HttpBadRequest 400`` will be returned."},{"line_number":113,"context_line":"  - And for unsupported virt driver, `HttpNotImplemented 501` will be"},{"line_number":114,"context_line":"    returned."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_c2f77c8c","line":114,"range":{"start_line":113,"start_character":0,"end_line":114,"end_character":13},"in_reply_to":"1f621f24_99d7c0bf","updated":"2020-11-19 00:42:44.000000000","message":"Thanks, done.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d46635937f445e17e7429054fbbef90cefa8060a","unresolved":false,"context_lines":[{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":120,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":121,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":122,"context_line":"/qemu in local filesystem except. 
Briefly speaking, no potential security"},{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Notifications impact"},{"line_number":126,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_ca52613b","line":123,"range":{"start_line":119,"start_character":0,"end_line":123,"end_character":25},"updated":"2020-11-09 17:33:12.000000000","message":"If we don\u0027t store this password, what happens when you hard reboot an instance?","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"282c4785dfc44e1367d5f6cd191e41299d0bad51","unresolved":false,"context_lines":[{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":120,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":121,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":122,"context_line":"/qemu in local filesystem except. 
Briefly speaking, no potential security"},{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Notifications impact"},{"line_number":126,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_222e30fa","line":123,"range":{"start_line":119,"start_character":0,"end_line":123,"end_character":25},"in_reply_to":"1f621f24_60b78df6","updated":"2020-11-19 00:42:44.000000000","message":"Done","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"daed82ba999f0267a41b7f0a09b10e0613709deb","unresolved":false,"context_lines":[{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":120,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":121,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":122,"context_line":"/qemu in local filesystem except. Briefly speaking, no potential security"},{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Notifications impact"},{"line_number":126,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_60b78df6","line":123,"range":{"start_line":119,"start_character":0,"end_line":123,"end_character":25},"in_reply_to":"1f621f24_bcdf5738","updated":"2020-11-17 14:50:15.000000000","message":"Brin, Juste write the above please for making sure we accept this. 
FWIW, I\u0027m OK with this.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"481615209bc9573911e56ba197d47ba999ca1a83","unresolved":false,"context_lines":[{"line_number":116,"context_line":"Security impact"},{"line_number":117,"context_line":"---------------"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":120,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":121,"context_line":"of ``virsh dumpxml \u003cinstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":122,"context_line":"/qemu in local filesystem except. Briefly speaking, no potential security"},{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Notifications impact"},{"line_number":126,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_bcdf5738","line":123,"range":{"start_line":119,"start_character":0,"end_line":123,"end_character":25},"in_reply_to":"1f621f24_ca52613b","updated":"2020-11-11 10:11:39.000000000","message":"If we har reboot the instance, it will be recreate XML when is booting, and the old console will be disconnect.\nIf you want to open the instance console again, you can reset password again.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"daed82ba999f0267a41b7f0a09b10e0613709deb","unresolved":false,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"We should bump service object version and rpc version for the 
\u0027get_*_console\u0027"},{"line_number":176,"context_line":"rpc call. Then only when the cluster fully upgrade to Wallaby release, the"},{"line_number":177,"context_line":"call can be success. otherwise return failure for the request."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Implementation"},{"line_number":180,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_00c85971","line":177,"updated":"2020-11-17 14:50:15.000000000","message":"Ack, thanks. Which HTTP return code would you want to provide ?","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cd6e65548f1d8817313c40fc3b2a7dbde7669371","unresolved":false,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"We should bump service object version and rpc version for the \u0027get_*_console\u0027"},{"line_number":176,"context_line":"rpc call. Then only when the cluster fully upgrade to Wallaby release, the"},{"line_number":177,"context_line":"call can be success. otherwise return failure for the request."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Implementation"},{"line_number":180,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_344f936b","line":177,"in_reply_to":"1f621f24_00c85971","updated":"2020-11-17 18:03:11.000000000","message":"+1, i think returning 400 here too make consistency. 
and with clear error message.","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"282c4785dfc44e1367d5f6cd191e41299d0bad51","unresolved":false,"context_lines":[{"line_number":174,"context_line":""},{"line_number":175,"context_line":"We should bump service object version and rpc version for the \u0027get_*_console\u0027"},{"line_number":176,"context_line":"rpc call. Then only when the cluster fully upgrade to Wallaby release, the"},{"line_number":177,"context_line":"call can be success. otherwise return failure for the request."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"Implementation"},{"line_number":180,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f621f24_02f2149b","line":177,"in_reply_to":"1f621f24_344f936b","updated":"2020-11-19 00:42:44.000000000","message":"Done","commit_id":"f3481b8ecef1781e53cf722a75c14952d3f74f59"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":"There is only a token authentication against nova novncproxy, with the"},{"line_number":23,"context_line":"``token`` parameter appended to the request access_url. While this is"},{"line_number":24,"context_line":"convenient, anyone who (e.g. 
A cloud administrator with too much curiosity"},{"line_number":25,"context_line":"about tenants\u0027 business) gets the access_url info will have access to"},{"line_number":26,"context_line":"operating the instance by the web console directly, which is not that safe."},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_80ed4927","line":24,"range":{"start_line":24,"start_character":29,"end_line":24,"end_character":50},"updated":"2020-11-20 13:51:18.000000000","message":"just to be clear the cloud admin could always just look at the console logs for any linux instance and still observe the content of the terminal\n\nfor graphical envs its less of an issue but this feature is not really about protecting from the cloud admin; they have other ways to monitor what is going on in the guest if they want to.\n\nthis is for protecting from others that happen to intercept the token while the token is still valid.\n\nthere is a time out on the token.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":42,"context_line":"* A new microversion will be provided in the nova API (``nova get-*-console``"},{"line_number":43,"context_line":"  subcommand) and OSC will need to provide a specific version for reseting"},{"line_number":44,"context_line":"  remote console password."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* The nova API will be extended to support console password when creating a"},{"line_number":47,"context_line":"  remote console."},{"line_number":48,"context_line":"  There are two ``create console`` APIs. 
The first was only for the old"},{"line_number":49,"context_line":"  nova-consoles services (XenAPI-only) and was removed in Ussuri release [1]_."},{"line_number":50,"context_line":"  The second, which is we will changes to support console password, is still"},{"line_number":51,"context_line":"  valid [2]_."},{"line_number":52,"context_line":"  And the server actions for the other console [3]_, the console output"},{"line_number":53,"context_line":"  server action still need to be protected, and the deprecated action also"},{"line_number":54,"context_line":"  need to be blocked when the instance has a password set."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"* Changes will be proposed to nova-compute and virt driver to handle"},{"line_number":57,"context_line":"  ``Reset Remote Console Password`` request. And this\u0027s only implment"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_a0196d89","line":54,"range":{"start_line":45,"start_character":0,"end_line":54,"end_character":58},"updated":"2020-11-20 13:51:18.000000000","message":"+1","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b57e9999db370d08fdc972f4701dc4bf9e6413d8","unresolved":true,"context_lines":[{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"New booting parameter ``console_pasword`` will be added to launch instances."},{"line_number":70,"context_line":"And the password will be used to assemble ``graphics`` tag in libvirt XML."},{"line_number":71,"context_line":"In this way, password-encrypted remote console will be implemented."},{"line_number":72,"context_line":"The shortcoming of this implement is that no API provided to reset 
console"}],"source_content_type":"text/x-rst","patch_set":6,"id":"25a53fa9_fe4938bc","line":69,"range":{"start_line":69,"start_character":24,"end_line":69,"end_character":39},"updated":"2021-01-04 13:26:44.000000000","message":"nit: console_password","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":100,"context_line":"        }"},{"line_number":101,"context_line":"     }"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"  The ``password`` is in common password format (not more than 8 characters,"},{"line_number":104,"context_line":"  see `vnc security`_)."},{"line_number":105,"context_line":"  The ``password`` parameter is optional:"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"  - If ``password`` is present, console password will be updated while"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_c018f182","line":104,"range":{"start_line":103,"start_character":49,"end_line":104,"end_character":23},"updated":"2020-11-20 13:51:18.000000000","message":"that\u0027s really not that secure but ok.\n\nim a little conflicted about leaking such an implementation detail via our api.\n\nwe likely want to do the same validation ourselves but i also dont want to block other virt drivers from adding support with more complex passwords.\n\ni think we can leave that to the implementation to resolve however.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":116,"context_line":"Security 
impact"},{"line_number":117,"context_line":"---------------"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Surely it will make web console safer. And note that console password will"},{"line_number":120,"context_line":"only be securely kept by libvirtd and won\u0027t be displayed in the result"},{"line_number":121,"context_line":"of ``virsh dumpxml \u003cInstance UUID\u003e`` or definition XMLs managed by libvirt"},{"line_number":122,"context_line":"/qemu in local filesystem except. Briefly speaking, no potential security"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_1b3b8ed1","line":119,"range":{"start_line":119,"start_character":0,"end_line":119,"end_character":37},"updated":"2020-11-20 13:51:18.000000000","message":"minimally, if the console is not hosted on an https endpoint your password will be sent in the clear and anyone that could have intercepted the token can still grab it.\n\nits minimally more secure but with the low entropy in only 8 characters, while it improves the security it really is a minor improvement.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"If we hard reboot the instance, it will be recreate XML when is booting,"},{"line_number":127,"context_line":"and the old console will be disconnect. 
If you want to open the instance\u0027s"},{"line_number":128,"context_line":"console again, you can reset the password and open a new console."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Notifications impact"},{"line_number":131,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_bb5b622c","line":128,"range":{"start_line":126,"start_character":0,"end_line":128,"end_character":65},"updated":"2020-11-20 13:51:18.000000000","message":"im not going to block on this but im surprised we are allowing this.\n\ni dont want nova to save passwords anywhere in our database but its just surprising that we are ok with losing them entirely. \n\nif others are ok with it i guess that is fine but this needs to be documented clearly in client and api docs for this feature.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"a9391000c14e4c7ae2315033823ce3e8e3b7fb0e","unresolved":false,"context_lines":[{"line_number":123,"context_line":"risks will be introduced."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"If we hard reboot the instance, it will be recreate XML when is booting,"},{"line_number":127,"context_line":"and the old console will be disconnect. 
If you want to open the instance\u0027s"},{"line_number":128,"context_line":"console again, you can reset the password and open a new console."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Notifications impact"},{"line_number":131,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5bede7e2_4615a1a8","line":128,"range":{"start_line":126,"start_character":0,"end_line":128,"end_character":65},"in_reply_to":"fffc6b78_bb5b622c","updated":"2020-11-23 01:26:28.000000000","message":"It can be documented in VNC related docs.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1aca3f294e670bf9396ff5741a4f31f1c04f7efc","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"  .. code-block:: shell"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ nova get-vnc-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e ..."},{"line_number":152,"context_line":"    $ nova get-spice-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e ..."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Performance Impact"},{"line_number":156,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fffc6b78_3b47724e","line":153,"range":{"start_line":151,"start_character":3,"end_line":153,"end_character":0},"updated":"2020-11-20 13:51:18.000000000","message":"it would have been nice to have the osc version too.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"a9391000c14e4c7ae2315033823ce3e8e3b7fb0e","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":"  .. code-block:: shell"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ nova get-vnc-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e ..."},{"line_number":152,"context_line":"    $ nova get-spice-console --vnc-password\u003d\u0027newpasswd\u0027 \u003cVM UUID\u003e ..."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Performance Impact"},{"line_number":156,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"164150d1_88b27423","line":153,"range":{"start_line":151,"start_character":3,"end_line":153,"end_character":0},"in_reply_to":"fffc6b78_3b47724e","updated":"2020-11-23 01:26:28.000000000","message":"Yes, this is a new feature, new version will be added in novaclient, osc and openstackclient.","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b57e9999db370d08fdc972f4701dc4bf9e6413d8","unresolved":true,"context_lines":[{"line_number":177,"context_line":"Upgrade impact"},{"line_number":178,"context_line":"--------------"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"We should bump service object version and rpc version for the \u0027get_*_console\u0027"},{"line_number":181,"context_line":"rpc call. Then only when the cluster fully upgrade to Wallaby release, the"},{"line_number":182,"context_line":"call can be success. 
otherwise return ``HttpBadRequest 400`` for the request."},{"line_number":183,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"25779155_5001b93b","line":180,"range":{"start_line":180,"start_character":37,"end_line":180,"end_character":53},"updated":"2021-01-04 13:26:44.000000000","message":"The rpc is not changed as the vnc password is added to the instance.metadata instead of adding a new parameter to the rpc API. Please update this spec after the implementation merged to make the impl and the spec in synch","commit_id":"39f671018cc163c35746469f1ba250b9f93f218a"}]}
