QMP command
{ "execute": "change",
"arguments": { "device": "vnc", "target": "password", "arg": PWD } }
behaves just like
{ "execute": "change-vnc-password",
"arguments": { "password", "arg": PWD } }
Their documentation differs, however. According to
change-vnc-password's documentation, "an empty password [...] will set
the password to the empty string", while change's documentation claims
"no future logins will be allowed". The former is actually correct.
Replace the incorrect claim by a reference to change-vnc-password.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
qapi-schema.json | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/qapi-schema.json b/qapi-schema.json
index 8b015be..58d3a02 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3011,8 +3011,7 @@
# @arg: If @device is a block device, then this is an optional format to open
# the device with.
# If @device is 'vnc' and @target is 'password', this is the new VNC
-# password to set. If this argument is an empty string, then no future
-# logins will be allowed.
+# password to set. See change-vnc-password for additional notes.
#
# Returns: Nothing on success.
# If @device is not a valid block device, DeviceNotFound
--
2.7.5
Hi
On Wed, Jul 19, 2017 at 9:09 AM, Markus Armbruster <armbru@redhat.com> wrote:
> QMP command
>
> { "execute": "change",
> "arguments": { "device": "vnc", "target": "password", "arg": PWD } }
>
> behaves just like
>
> { "execute": "change-vnc-password",
> "arguments": { "password", "arg": PWD } }
>
> Their documentation differs, however. According to
> change-vnc-password's documentation, "an empty password [...] will set
> the password to the empty string", while change's documentation claims
> "no future logins will be allowed". The former is actually correct.
> Replace the incorrect claim by a reference to change-vnc-password.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The password would have to be NULL to disallow further login, is that
what your other series will allow to do?
> ---
> qapi-schema.json | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 8b015be..58d3a02 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -3011,8 +3011,7 @@
> # @arg: If @device is a block device, then this is an optional format to open
> # the device with.
> # If @device is 'vnc' and @target is 'password', this is the new VNC
> -# password to set. If this argument is an empty string, then no future
> -# logins will be allowed.
> +# password to set. See change-vnc-password for additional notes.
> #
> # Returns: Nothing on success.
> # If @device is not a valid block device, DeviceNotFound
> --
> 2.7.5
>
>
--
Marc-André Lureau
Marc-André Lureau <marcandre.lureau@gmail.com> writes:
> Hi
>
> On Wed, Jul 19, 2017 at 9:09 AM, Markus Armbruster <armbru@redhat.com> wrote:
>> QMP command
>>
>> { "execute": "change",
>> "arguments": { "device": "vnc", "target": "password", "arg": PWD } }
>>
>> behaves just like
>>
>> { "execute": "change-vnc-password",
>> "arguments": { "password", "arg": PWD } }
>>
>> Their documentation differs, however. According to
>> change-vnc-password's documentation, "an empty password [...] will set
>> the password to the empty string", while change's documentation claims
>> "no future logins will be allowed". The former is actually correct.
>> Replace the incorrect claim by a reference to change-vnc-password.
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>
>
> The password would have to be NULL to disallow further login, is that
> what your other series will allow to do?
I guess it could be applied to change-vnc-password that way.
Markus Armbruster <armbru@redhat.com> writes:
> Marc-André Lureau <marcandre.lureau@gmail.com> writes:
>
>> Hi
>>
>> On Wed, Jul 19, 2017 at 9:09 AM, Markus Armbruster <armbru@redhat.com> wrote:
>>> QMP command
>>>
>>> { "execute": "change",
>>> "arguments": { "device": "vnc", "target": "password", "arg": PWD } }
>>>
>>> behaves just like
>>>
>>> { "execute": "change-vnc-password",
>>> "arguments": { "password", "arg": PWD } }
This should be
"arguments": { "password": PWD } }
>>> Their documentation differs, however. According to
>>> change-vnc-password's documentation, "an empty password [...] will set
>>> the password to the empty string", while change's documentation claims
>>> "no future logins will be allowed". The former is actually correct.
>>> Replace the incorrect claim by a reference to change-vnc-password.
>>>
>>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>>
>> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>>
>>
>> The password would have to be NULL to disallow further login, is that
>> what your other series will allow to do?
>
> I guess it could be applied to change-vnc-password that way.
However, making @password optional would be even simpler. Absent
@password = no password feels natural to me.
On 07/19/2017 07:10 AM, Markus Armbruster wrote:
> Marc-André Lureau <marcandre.lureau@gmail.com> writes:
>
>> Hi
>>
>> On Wed, Jul 19, 2017 at 9:09 AM, Markus Armbruster <armbru@redhat.com> wrote:
>>> QMP command
>>>
>>> { "execute": "change",
>>> "arguments": { "device": "vnc", "target": "password", "arg": PWD } }
>>>
>>> behaves just like
>>>
>>> { "execute": "change-vnc-password",
>>> "arguments": { "password", "arg": PWD } }
>>>
>>> Their documentation differs, however. According to
>>> change-vnc-password's documentation, "an empty password [...] will set
>>> the password to the empty string", while change's documentation claims
>>> "no future logins will be allowed". The former is actually correct.
>>> Replace the incorrect claim by a reference to change-vnc-password.
>>>
>>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>>
>> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>>
>>
>> The password would have to be NULL to disallow further login, is that
>> what your other series will allow to do?
>
> I guess it could be applied to change-vnc-password that way.
Ideally, 'change' will be deprecated (and certainly we shouldn't add
anything further to it), but yes, 'change-vnc-password' could be
enhanced in 2.11 to use the StrOrNull alternate to use null as the
request for no password (since the empty string "" _is_ hashable as a
password, whether or not we currently allow it to be one).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
Hi, > The password would have to be NULL to disallow further login, is that > what your other series will allow to do? Disallow logins can be done using "expire-password vnc now". I think having multiple ways to archive the same thing is a bad idea from a security point of view, so I'd suggest to not touch the behavior of the various set-password command variants. cheers, Gerd
Gerd Hoffmann <kraxel@redhat.com> writes: > Hi, > >> The password would have to be NULL to disallow further login, is that >> what your other series will allow to do? > > Disallow logins can be done using "expire-password vnc now". > > I think having multiple ways to archive the same thing is a bad idea > from a security point of view, so I'd suggest to not touch the behavior > of the various set-password command variants. Makes sense.
© 2016 - 2024 Red Hat, Inc.