[Openstack-operators] Disable console for an instance

Jonathan D. Proulx jon at csail.mit.edu
Fri Oct 28 09:08:36 UTC 2016


That is an interesting angle.

There *should* be a way to limit vnc access to just the owner via
RBAC. If you trust everything else to be setup right that's probably
sufficient.

Putting on my paranoid security hat, I wouldn't trust that.  VNC
access at least is completely unsecured at the hypervisor side.  Of
course we have measures in place to prevent anyone directly accessing
that (iptables rules on all hypervisors in my case that get checked
every 30min by config management).

Mistakes happen and if I had hard security needs for a VM I'd want to
be sure I had control of that console not rely on my provider (even if
I'm my own provider honestly), so I think there's still value in
putting a feature in Nova for this.

-Jon

On Thu, Oct 27, 2016 at 10:53:15AM -0400, George Mihaiescu wrote:
:   You're right, it's probably the following you would want changed:
:   "compute:get_vnc_console": "",
:   "compute:get_spice_console": "",
:   "compute:get_rdp_console": "",
:   "compute:get_serial_console": "",
:   "compute:get_mks_console": "",
:   "compute:get_console_output": "",
:   I thought the use case is to limit console access to users in a shared
:   project environment, where you might have multiple users seeing each
:   other's instances, and you don't want them to try logging on to the console.
:   You could create a special role that has console access and change the
:   policy file to reference that role for the "compute:get_vnc_console",
:   for example.
:   I don't think you can do it on per-flavor basis.
:   Cheers,
:   George
:
:   On Thu, Oct 27, 2016 at 10:24 AM, Blair Bethwaite
:   <[1]blair.bethwaite at gmail.com> wrote:
:
:     Hi George,
:     On 27 October 2016 at 16:15, George Mihaiescu
:     <[2]lmihaiescu at gmail.com> wrote:
:     > Did you try playing with Nova's policy file and limit the scope
:     for
:     > "compute_extension:console_output": "" ?
:     No, interesting idea though... I suspect it's actually the
:     get_*_console policies we'd need to tweak, I think console_output
:     probably refers to the console log? Anyway, not quite sure how we'd
:     craft policy that would enable us to disable these on a per instance
:     basis though - is it possible to reference image metadata in the
:     context of the policy rule?
:     --
:     Cheers,
:     ~Blairo
:
:References
:
:   1. mailto:blair.bethwaite at gmail.com
:   2. mailto:lmihaiescu at gmail.com
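
As an added illustration of the role-based approach George describes above (this is not a file from the thread or from Nova itself), here is what the relevant part of /etc/nova/policy.json could look like. The six `compute:get_*_console` rules George lists default to `""`, which grants any authenticated user in the project access to an instance's console. The version below routes them all through one named rule that admits admins and holders of a dedicated role. The role name `console_user` and the rule name `console_access` are assumptions chosen for this example; any names will do as long as the role exists in Keystone.

```json
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",

    "console_access": "is_admin:True or role:console_user",

    "compute:get_vnc_console": "rule:console_access",
    "compute:get_spice_console": "rule:console_access",
    "compute:get_rdp_console": "rule:console_access",
    "compute:get_serial_console": "rule:console_access",
    "compute:get_mks_console": "rule:console_access",
    "compute:get_console_output": "rule:console_access"
}
```

The role is created and granted with the usual Keystone commands (`openstack role create console_user`, then `openstack role add --project <project> --user <user> console_user`), after which users in the project without that role get a 403 from the console API calls while still being able to manage the instances. Two caveats follow from the discussion above: this is per-user/per-role, not per-instance or per-flavor, so it does not answer Blair's question about image metadata; and, as Jon points out, it only gates the API path and does nothing about the VNC listener on the hypervisor, which still needs host-level firewalling.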
