On Tue, Jan 12, 2010 at 04:28:46PM -0600, Anthony Liguori wrote: > On 01/12/2010 03:28 PM, Luiz Capitulino wrote: > >On Mon, 11 Jan 2010 13:55:19 +0000 > >"Daniel P. Berrange"<berra...@redhat.com> wrote: > > > > > >>So perhaps we should declare that the lifecycle is > >> > >> - CONNECT (provide IP / port details) > >> - AUTHENTICATED (provide IP / port details + authenticated ID details > >> eg x509 dname, or SASL usernsmae) > >> - DISCONNECT (provide IP / port details) > >> > >> > >>Obviously AUTHENTICATED may be optional if the client goes away > >>immedaitely before trying auth. The AUTHENTICATED event probably > >>also ought to allow for an indication of success vs failure so > >>the app can see failed login attempts > >> > > I'm having an issue with the reporting of failure. > > > > Turns out we can have a few error conditions on login and they are > >auth mechanism dependent. Also, as I'm not familiar with the code, > >it's not always easy to get the ID information on failures. > > > > So, what is simple to do is to have an event called VNC_AUTHENTICATION, > >it will have a 'authenticated' key which can be true or false. If it's true > >authentication has been successful and ID information is available, > >otherwise authentication has failed and only IP/port info is available. > > > > Of course that CONNECT and DISCONNECT events are also provided. > > > > It might be worthwhile looking at the events that gtk-vnc supports. > > | VNC_CONNECTED, <- client has connected > VNC_INITIALIZED,<- initialized is completed > VNC_DISCONNECTED,<- client has disconnected > VNC_AUTH_FAILURE, <- authorization has failed > VNC_AUTH_UNSUPPORTED,<- authorization has failed (could not > negotiate an auth type) > > Initialized can provide you all of the credential information. I think > it's stronger than AUTHENTICATED because authentication alone does not > imply that a session is active. Initialized tells a listener that at the > moment this is received, the VNC session is active. If I'm a management > tool, that's the thing I'm likely interested in.
That is a good point, and if we have the three events at time of 'connect', 'initialized' and 'disconnected', then if a mgmt app sees a 'disconnect' but no 'initialized' event, it knows the authentication was unsuccessful so do not need an explicit flag for that. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
