Enforce remote console session timeout¶
https://blueprints.launchpad.net/nova/+spec/enforce-remote-console-session-timeout
Currently providing vnc console consists 3 parts:
- 1 - Working Conosle for Nova instance.
Once a Nova instance is created in the hypervisor, the hypervisor itself provides a console without the need for additional installations within the instnace (as per nova.conf). To access the console, operators can use virsh console instance-xxx, which provides a serial console (character terminal access) and prompts the instance login console.
- 2 - Provide console access outside compute node via browser.
When user creates a console URL to access console via a web browser.
$ openstack console URL show <vm>
The cmd calls Nova API, the Nova API in turn, communicates through the RPC to compute service, which returns a new URL for connecting to an existing console.
The command does not create a new console but rather generates a URL for connecting to the existing console. This URL includes a token for authentication via the proxy.
This URL can be used to connect to the Nova instance console. The console token is used to athenticate with the proxy, enabling new sessions to be established until the token ttl expires. The existing session continue to function even after token expiration until the tcp connection is closed.
- 3- Controller’s Nova Proxy: Bridging Client Browser and Compute Node
When a user connects to the provided URL via a browser, the Nova Proxy acts as an intermediary. It establishes a WebSocket connection to the hypervisor and proxies the console to the client. For VNC consoles, the Nova Proxy serves an HTML page with a JavaScript application that runs at client side in the user’s browser, providing a VNC client experience. In the case of a serial console, the Nova Proxy provides a direct WebSocket connection without a pre-built client, allowing users to create their own clients that interact with the WebSocket.
[ Nova API, Compute, virt driver ]
[client browser] <======> <======> [target virtual machine]
[ Nova proxy ]
Controller Node Compute Node
Problem description¶
Today, there is no mechanism in place to enforce the termination of a console session when the console token expires. Users can continue to access the console beyond the token expiration, and there is a need to address this behavior to enhance security measures.
Use Cases¶
As an operator, I want to make sure that with console authentication TTL, console sessions get closed too, and hence the user should get disconnected from the console automatically.
Proposed change¶
Implement a timer mechanism to automatically close target socket connection from server side when token has expired based on exact token expiration time. This will interrupt the real time console session on client side browser or other application.
Also, introduce a new consoleauth config option enforce_session_timeout that allows operator to enable or disable the token expiry check. The default setting is disabled, with False as its default value. This gives flexibility to exisiting console user based on their specific requirements.
Alternatives¶
Client-side polling to check for token expiration. But as there are many vnc clients, its better to address the issue at server side to ensure a consistency in session timeout.
Data model impact¶
None
REST API impact¶
None
Security impact¶
This change enable strict time span for console access requiring, While it doesn’t inherently enhance the safety of console access, it ensures that users must reauthenticate after a specified time period.
Notifications impact¶
None
Other end user impact¶
None
Performance Impact¶
None
Other deployer impact¶
A new optional config option will be added.
Developer impact¶
None
Upgrade impact¶
None
Implementation¶
Assignee(s)¶
- Primary assignee:
auniyal
Feature Liaison¶
- Feature liaison:
auniyal
Work Items¶
Update Nova webproxy code
tests
Dependencies¶
None
Testing¶
funtional
Documentation Impact¶
release notes
References¶
None
History¶
Release Name |
Description |
|---|---|
2024.1 Caracal |
Introduced |
