[nova] noVNC console with password authentication

Brin Zhang(张百林) zhangbailin at inspur.com
Tue Feb 4 12:46:32 UTC 2020


Hi all:

About the https://review.opendev.org/#/c/623120/ SPEC, there are two different perspectives, one from Alex and one from the SPEC author, Jingyu.



1. @Jingyu's point is to add "vnc_password" to the instance's metadata; "vnc_password" is only provided for libvirtd support. As described in the SPEC, the "vnc_password" parameter is populated when the instance generates XML, and when showing server details, "vnc_password" is popped from the nova API to ensure its security. We can refer to the implementation of "adminPass" to understand this method.

Its advantage is that it will not break the current nova API; you only need to store "vnc_password" in the instance's metadata.

The disadvantage is that "vnc_password" is in the metadata but the user cannot get it.

In addition, after we evacuate/rebuild a server, we should reset its "vnc_password", or take "vnc_password" out of the original instance and write it into the new instance during evacuate/rebuild.



2. @Alex's suggestion is to change the Create Console API and add "vnc_password" as a new optional parameter to the request body, so that when we request creation of the remote console, if "vnc_password" is not None we will reset the server's vnc passwd; if "vnc_password" is None, it will use the novnc password set the last time you opened the console.

The advantage is that it is simpler and more convenient than storing "vnc_password" in metadata. When evacuating/rebuilding, there is no need to consider the problem of "vnc_password" storage, but when we first open the console, we need to set the value of "vnc_password" in the request body.

The disadvantage is that you need to add a new microversion to support this feature, which will break the current nova API (Create Console API).

In addition, from the working principle of the RFB protocol, nova does not care about the "vnc_password" parameter passed in to obtain the Console URL. The verification of the vnc password is the job of the vnc server maintained by libvirtd.



       We look forward to completing it before the SPEC freeze, and hope to get more feedback, especially from the nova core team.

SPEC link: https://review.opendev.org/#/c/623120/



brinzhang
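
The first option above, sketched as an added example (not code from the SPEC or from nova): the password is read from instance metadata when the libvirt `<graphics>` element is generated, and popped from the server-details view. The function names, the `vnc_password` metadata lookup and the sample instance are assumptions for illustration; the 8-character check reflects RFB "VNC Authentication", which keys DES with only the first 8 bytes of the password.

```python
import copy
import xml.etree.ElementTree as ET

VNC_KEY = "vnc_password"  # metadata key name used in the spec discussion
RFB_MAX_LEN = 8           # RFB "VNC Authentication" keys DES with 8 bytes only


def validate_vnc_password(password):
    """Reject values the VNC server could not use or would truncate."""
    if not password:
        raise ValueError("VNC password must not be empty")
    if not password.isascii():
        raise ValueError("VNC password must be ASCII")
    if len(password) > RFB_MAX_LEN:
        raise ValueError("only the first 8 characters would be checked")
    return password


def graphics_xml(metadata, listen="127.0.0.1"):
    """Build a libvirt <graphics> element; passwd is set only if present."""
    attrs = {"type": "vnc", "autoport": "yes", "listen": listen}
    password = metadata.get(VNC_KEY)
    if password is not None:
        attrs["passwd"] = validate_vnc_password(password)
    # ElementTree escapes quotes and angle brackets in attribute values.
    return ET.tostring(ET.Element("graphics", attrs), encoding="unicode")


def redact_server_view(server):
    """Copy a server-details dict and pop the password from its metadata."""
    view = copy.deepcopy(server)
    view.get("metadata", {}).pop(VNC_KEY, None)
    return view


if __name__ == "__main__":
    # Constructed sample instance, not real nova output.
    server = {"id": "instance-0001", "metadata": {VNC_KEY: 'p"<w0rd', "role": "db"}}
    print(graphics_xml(server["metadata"]))
    print(redact_server_view(server))
```
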
