Using gateone as openstack console for cloud servers

[hchilbule]

I am working on prototype for my project which will work like this:

• a user requests console access to one of his server using openstack API
• openstack API returns a url like https://yourserver.com?token=abscd234
• user copy pastes the lint into a browser
• yourserver.com request hits gateone server
• the token=abscd234 need to get validated by calling a opnestack API ( auth backend )
• validation of this token returns gateone: ssh-user, ssh-host, ssh-pass or key
• gateone redirects user to a page which auto-connects to given ssh-host
• information like enter ssh host is never asked from user or allowed to be given
• this token is only valid for a short time, it does not work for long time (~ 5 minutes )
• user has to call openstack API again to generate a unique URL if console access it required after his session expired

So far I have managed to hack the auth.py to use openstack token validation and it works. I also create a user with name as unique identifier of console request.

Can you please give me some pointers on implementing this ?
Bit lost in the gateone code while looking for ways to implement this.

Thanks in advance!

• Harish

[liftoff]

Why not just open a URL to the Gate One server directly instead of having the user copy & paste the token? You can pass whatever you want via query strings like this:

https://gateone-server/?openstack_authtoken=abscd234

Then from JavaScript (just create a little plugin like plugins/openstack/static/openstack.js) you can access that token like so using Gate One's API:

var authtoken = GateOne.Utils.getQueryVariable('openstack_authtoken');

...and you can pass that to a server-side plugin (to hand the data off to the command you're running) or to the command directly once it's opened via something like GateOne.Terminal.sendString(authtoken).

For reference, I tried to create an OpenStack plugin for Gate One like this a while back for Horizon but ran into trouble trying to get it working like a console. Basically, at the time there was only one serial port available to attach and it was being hogged by some other part of OpenStack. Since I couldn't get access to the console I just stopped since you can already use SSH with Gate One.

Getting access to the serial console would've been perfect.

[hchilbule]

Thanks for your response. I am trying to use gate one for serial console for baremetal devices which do not support openstack's novnc connections.

You are right, the user will get URL like https://consoleserver.com?token=abncd124. I have managed to write auth handler which hooks on to the openstack API to validates it or sends error message like 'invalid console session..'. However had issues in getting the complete connection URL to the ssh_connect.py ( version v1.1 ). Did not find any good ways to send the secret connection information to connect to serial console server / account to ssh_connect.py without modifying core handler code ( avoid ) so that in future we can use new versions of gateone.

[hchilbule]

Also I could not get my auth handler to hook into plain vanilla gateone.py since argument --auth= only supports built-in auths. Had to hack code in auth.py to get my handler hooked. Do you suggest any better ways ?