Created attachment 1208863
vdsm.log

Description of problem:
It is not possible to connect to VNC with /api/vms/{vmId}/ticket if VNC + SPICE is enabled. It works if we set vm's console protocols to standalone VNC. It also works if we setup VNC + SPICE and connect with a password from vv file.

Version-Release number of selected component (if applicable):
4.0.0 and 4.0.3

Steps to Reproduce:
1. set vm's console protocols to VNC + SPICE
2. get vv file for VNC
3. get /api/vms/{vmId}/ticket
4. rewrite vv file's password with the ticket
5. connect

Actual results:
Authentication failed
This should probably work, but I wonder why you need to replace the password that is inside the .vv file? I'd suggest to avoid doing that.
Filipe, I also do not quite understand what you are trying to do and what exactly fails. Can you please add a bit more details?
After offline discussion we want to add proper ticketing support for multiple graphics. The current vms/<id>/ticket is a legacy one always preferring SPICE. It should be made obsolete in favor of this new per-graphics API.
(In reply to Juan Hernández from comment #1)
> This should probably work, but I wonder why do you need to replace the
> password that is inside the .vv file? I'd suggest to avoid doing that.

I made a secondary example with .vv file, but in our use case in moVirt we are not using it. We are just getting the ticket + separately console's address and port from the API. I think the problem should be the same.
OK, please make sure to document this behaviour in the specification of the existing "ticket" operation. I mean here:

https://github.com/oVirt/ovirt-engine-api-model/blob/master/src/main/java/services/VmService.java#L657-L690

It should contain something like this:

/**
 * ...
 *
 * [IMPORTANT]
 * ====
 * If the virtual machine is configured to support only one graphics protocol
 * then the generated authentication token will be valid for that protocol.
 * But if the virtual machine is configured to support multiple protocols,
 * VNC and SPICE, then the authentication token will only be valid for
 * the SPICE protocol.
 *
 * In order to obtain an authentication token for a specific protocol, for
 * example for VNC, use the `ticket` method of the <<services/graphics_console,
 * service>> that manages the graphics consoles of the virtual machine, sending
 * a request like this:
 *
 * ....
 * POST /ovirt-engine/api/vms/123/graphicsconsoles/564E43/ticket
 * ....
 * ====
 */
interface Ticket {
  ...
}

This is assuming that we will add a "ticket" method to the graphics console service:

https://github.com/oVirt/ovirt-engine-api-model/blob/master/src/main/java/services/GraphicsConsoleService.java

This new method should, if possible, behave like the existing "ticket" method, but should return authentication tokens valid for the specific protocol. This is my understanding, please feel free to correct me.
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.
Verify:

Engine:
oVirt Engine Version: 4.2.0-0.0.master.20170104114928.git5490b36.el7.centos

Host:
OS Version: RHEL - 7.3 - 7.el7
Kernel Version: 3.10.0 - 514.el7.bug1404060_20.x86_64
KVM Version: 2.6.0 - 28.el7_3.3
LIBVIRT Version: libvirt-2.0.0-10.el7_3.2
VDSM Version: vdsm-4.20.0-128.git7001c0a.el7.centos
SPICE Version: 0.12.4 - 19.el7

Steps:
1. Create VM and set the console option to: VNC + SPICE
2. Run VM and connect to VNC session
3. Via REST send POST request:
   https://{engine FQDN}/ovirt-engine/api/vms/{VM-id}/graphicsconsoles/{consoleId}/ticket
   with empty action:
   <action/>
   Expect the response to return the ticket info:
   <action>
     <ticket>
       <expiry>{int value}</expiry>
       <value>{string value}</value>
     </ticket>
   </action>
4. Retest with SPICE session.

Results:
In SPICE and VNC the ticket info (expiry and value) is returned.
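
Added example, not part of the bug thread and not oVirt project code: a client-side sketch of the per-protocol ticket flow verified above. It picks the console for one protocol, builds the ticket URL, and validates the response before the ticket is used. The listing XML shape (`graphics_console` elements with a `protocol` child), the console ids and all sample values are constructed assumptions; only the ticket URL and the `<action>` response shape come from the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample listing of a VM's graphics consoles (assumed shape, placeholder ids).
CONSOLES_XML = """<graphics_consoles>
  <graphics_console id="console-a"><protocol>spice</protocol></graphics_console>
  <graphics_console id="console-b"><protocol>vnc</protocol></graphics_console>
</graphics_consoles>"""

# Constructed sample response in the shape shown in the verification steps.
TICKET_XML = ("<action><ticket><expiry>120</expiry>"
              "<value>constructed-secret</value></ticket></action>")

ACTION_BODY = "<action/>"  # empty action, as sent in the verification steps


def console_id_for(listing_xml, protocol):
    """Return the id of the single console that serves `protocol`."""
    root = ET.fromstring(listing_xml)
    ids = [c.get("id") for c in root.iter("graphics_console")
           if (c.findtext("protocol") or "").strip().lower() == protocol.lower()]
    if len(ids) != 1:
        # Never fall back to another protocol: a ticket set for SPICE
        # fails authentication on VNC, which is the bug reported here.
        raise LookupError("expected one %s console, found %d" % (protocol, len(ids)))
    return ids[0]


def ticket_url(engine_fqdn, vm_id, console_id):
    """Build the per-console ticket endpoint; path parts are percent-encoded."""
    return "https://%s/ovirt-engine/api/vms/%s/graphicsconsoles/%s/ticket" % (
        engine_fqdn, quote(vm_id, safe=""), quote(console_id, safe=""))


def parse_ticket(response_xml):
    """Extract and sanity-check the ticket; reject empty or non-positive fields."""
    ticket = ET.fromstring(response_xml).find("ticket")
    if ticket is None:
        raise ValueError("response carries no <ticket>")
    value = (ticket.findtext("value") or "").strip()
    expiry = int(ticket.findtext("expiry") or "0")
    if not value or expiry <= 0:
        raise ValueError("ticket is empty or already expired")
    return {"value": value, "expiry": expiry}


def redacted(ticket):
    """Log-safe view: the ticket value is a credential and must not be logged."""
    return {"value": "***", "expiry": ticket["expiry"]}
```
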