Update patch set 2

Patch Set 2: Code-Review-1

(2 comments)

Patch-set: 2
Reviewer: Gerrit User 11604 <11604@4a232e18-c5a9-48ee-94c0-e04e7cca6543>
Label: Code-Review=-1, a550c3d2d926be8dcdc5bdc648ebdc9887987517
Gerrit User 11604 2024-04-07 04:33:01 +00:00 committed by Gerrit Code Review
parent 045ee48839
commit 0833f5857c
1 changed files with 38 additions and 0 deletions

@ -0,0 +1,38 @@
{
"comments": [
{
"unresolved": true,
"key": {
"uuid": "70edb44a_c2403d3b",
"filename": "specs/2024.2/approved/libvirt-spice-direct-consoles.rst",
"patchSetId": 2
},
"lineNbr": 95,
"author": {
"id": 11604
},
"writtenOn": "2024-04-07T04:33:01Z",
"side": 1,
"message": "i think this is not a good on two fronts.\n\nfirst if we were to do this it should be done for all console type IMO\nwhich would imply a new parmater to the exiting console type not a new conosle type\n\ni.e. client_type\u003dweb|native\n\nany direct connection to the hypervior is a security risk and im not sure we want to support upstream\n\ni could see use allowing the current proxies to work as a transprent tcp proxy\nor adding a new proxy for that which allocats a public port for when you request a console to be exported but given the risk of leaking internal info like hypervior ips/hostname to non admins i dont think what is propsoed here is viable.",
"revId": "46e3a675903174c7daebc430039214311910d318",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "577b7090_966607bf",
"filename": "specs/2024.2/approved/libvirt-spice-direct-consoles.rst",
"patchSetId": 2
},
"lineNbr": 221,
"author": {
"id": 11604
},
"writtenOn": "2024-04-07T04:33:01Z",
"side": 1,
"message": "this is a fairly major security change.\n\nfirst of all the end user today is not intended to be able to discover the hypervior hostname or its ip via any nova restapi.\n\nwe consdier any leakage fo that form nova to be a security bug and you are proposing adding a api that would enable this that anyoen could use.\n\nto me that a pretty big security hole and its not at all comparableto how this works with the console proxy service today.\n\n\ntoday the end user never get the ip or port of the hyperiovr or the vm console port.",
"revId": "46e3a675903174c7daebc430039214311910d318",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}
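
Review bot: both entries, at lineNbr 95 and lineNbr 221, are stored with "unresolved": true and raise the same objection, that the proposal would expose the hypervisor IP or hostname to non-admin users. The lineNbr 221 message says any such leak from Nova is treated as a security bug. The spec at specs/2024.2/approved/libvirt-spice-direct-consoles.rst should answer that point directly before these threads are closed. It could state who is allowed to call the proposed API and which host details it returns, or take up the alternative in the lineNbr 95 message, where the existing proxies act as a transparent TCP proxy or a new proxy allocates a public port.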