From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36995) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YNlaF-0007hR-TJ for qemu-devel@nongnu.org; Tue, 17 Feb 2015 12:05:20 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YNla9-0007WN-Qe for qemu-devel@nongnu.org; Tue, 17 Feb 2015 12:05:15 -0500 Received: from mx1.redhat.com ([209.132.183.28]:53201) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YNla9-0007W5-Ih for qemu-devel@nongnu.org; Tue, 17 Feb 2015 12:05:09 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t1HH57xv015209 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Tue, 17 Feb 2015 12:05:08 -0500 Message-ID: <54E374C2.4040208@redhat.com> Date: Tue, 17 Feb 2015 10:05:06 -0700 From: Eric Blake MIME-Version: 1.0 References: <7d250759ff7d01d2aec5f8f48ed51afb7fcfb17c.1424190993.git.mprivozn@redhat.com> <20150217165311.GF8344@redhat.com> In-Reply-To: <20150217165311.GF8344@redhat.com> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="3AF4a62VtGLFB9wkgJaoEMg50GvhMtWio" Subject: Re: [Qemu-devel] [PATCH 1/3] qapi-schema: Make @password in set_password optional List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" , Michal Privoznik Cc: armbru@redhat.com, kraxel@redhat.com, qemu-devel@nongnu.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3AF4a62VtGLFB9wkgJaoEMg50GvhMtWio Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 02/17/2015 09:53 AM, Daniel P. Berrange wrote: > On Tue, Feb 17, 2015 at 05:40:45PM +0100, Michal Privoznik wrote: >> So, imagine you've started a guest with ticketing enabled. You've set >> some password to access your SPICE/VNC session. However, later you >> want to give the access to somebody else's and therefore disable the >> ticketing. Come on, be imaginative! Currently, there's no way how to >> achieve this. And while there are two possible ways to fulfill the >> goal: 1) invent new monitor command to disable ticketing, or 2) let >> @password argument to 'set_password' monitor command be optional, I'm >> choosing the latter. It's easier to implement, after all. >> >> The idea behind, how this will work, is: if user issues the command >> without the password field, it means they want to disable the >> ticketing. Any subsequent call to the call with password field filled >> in, will enable the ticketing again. >=20 > When password auth is enabled with VNC, the use of a NULL / empty strin= g > password is explicitly intended to block access to the VNC server, by > causing the password auth to always return failure. Overloading the > 'set_password' command such that a missing password changes the auth > scheme in use is a really surprising and bad side effect. >=20 > If we want to have the ability to change the authentication protocol > used for VNC/SPICE, then lets add a proper command for this. ie > create a 'set_graphics_auth' command to change auth protocol. This > is really better for VNC anyway, as there are far more possible auth > schemes than just password or no-password, and overloading the > 'set_password' command can't handle that. Agreed about the need for a new command; another rationale is that making an argument optional is NOT discoverable without introspection or painful probing, but adding a new command IS easily discovered via the existing query commands that list all commands. --=20 Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org --3AF4a62VtGLFB9wkgJaoEMg50GvhMtWio Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJU43TCAAoJEKeha0olJ0NqJiIH+wdn6Xrjaa99lpuVnfkTfeZ2 0xP41mn3Mu5/A50hFqBYqve0TrB5yWcU1VpczEwSg0hZiHR7ZMXnFt8UBeQeEekh rCsaD+HOjNczi6OvDqAgpui9Lxlrv8eog+zE32oj/VcC0IOhTIAntVi9jVTX5C4M TIgbVv80dLcpEfJZa3ZMRuee4qY/yA1TIX4nMVe7rs5jyqutSvGeHjU84t3jZ/mb jyRmUR7opIaUVluU2Jx6kWJ5gFJfekRYzIAhbj/pV3zz328xxSDJM/CEhA4YiQoe BcaGiF+L7oE2dnzpMrSXgHMrOmetcBP6Dnl5Fd+bMy2b/dswdbQOxwLafW3Ne2g= =/jdr -----END PGP SIGNATURE----- --3AF4a62VtGLFB9wkgJaoEMg50GvhMtWio--