Bug 1051568

Summary: [RFE] Ability to configure API calls to not generate a login/logout event
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jake Hunsaker <jhunsaker>
Component: ovirt-engine-restapi
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED NOTABUG
QA Contact: Shai Revivo <srevivo>
Severity: low
Docs Contact:
Priority: low
Version: 3.2.0
CC: acathrow, bazulay, iheim, oramraz, pstehlik, Rhev-m-bugs, yeylon
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: 3.4.0
Hardware: All
OS: Linux
Whiteboard: infra
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-14 19:29:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jake Hunsaker 2014-01-10 15:20:00 UTC
Who is the customer behind the request?  
Account: name (acct #)  Richard Davis (PGDS UK Limited) / 947978
TAM customer: no/yes  no
SRM customer: no/yes  Yes
Strategic: no/yes  Yes
  
 What is the nature and description of the request?  

Currently API calls generate a login/logout event for every call. Customer would like to be able to configure this logging (enable/disable).
  
 Why does the customer need this? (List the business requirements here) 

To prevent spamming the Event log with login/logout event every time we interact with RHEV using the APIs. 

 How would the customer like to achieve this? (List the functional requirements here)  
  
Either be able to disable this logging or, ideally according to the customer, have a readonly account that can make API calls but not have the login/logout messages logged

 Is there already an existing RFE upstream or in Red Hat Bugzilla? 

Not for this explicitly, however BZ1036896 is open for the readonly admin account feature
  
 Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

They would like this in 3.3, however I have explained that this is unlikely given 3.3 is in the latter stages of public beta
  
 Is the sales team involved in this request and do they have any additional input?  

No
  

 Would the customer be able to assist in testing this functionality if implemented? 

Yes

Comment 1 Juan Hernández 2014-01-10 15:48:33 UTC
API calls generate a login/logout event only if not using persistent authentication. If using the Python or Java SDKs this should happen automatically. If the customer is accessing the RESTAPI in some other way then the solution to this problem is to explicitly use persistent authentication. The first request sent by the client should contain the "Prefer" header and the authentication details:

  GET /api HTTP/1.1
  Prefer: persistent-auth
  Content-type: application/xml
  Accept: application/xml
  Authorization: Basic YWRtaW5AaW50ZXJuYWw6cmVkaGF0MTIz

The server will return the response, including a session cookie:

  HTTP/1.1 200 OK
  Header: Date: Fri, 10 Jan 2014 15:32:20 GMT
  Set-Cookie: JSESSIONID=4RNIBiN40YTHC61APsDL-1Tx; Path=/api; Secure

Further requests should again send the "Prefer" header and the session cookie:

  GET /api/vms HTTP/1.1
  Prefer: persistent-auth
  Cookie: JSESSIONID=4RNIBiN40YTHC61APsDL-1Tx
  Content-type: application
  Accept: application

This will generate only one session on the server side, and only one login message in the log.

For more details see here:

http://www.ovirt.org/Features/RESTSessionManagement

I would suggest using one of the SDKs, as they provide this for free, and simplify the development.

If this is enough for the customer I would suggest closing the bug as NOTABUG.
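
Added example, not part of the original comment and not oVirt code: a client that follows the exchange in Comment 1 (credentials plus `Prefer: persistent-auth` on the first request, then only the `JSESSIONID` cookie), compared with a client that sends Basic credentials on every call. `MockEngine` is a constructed local stand-in that only models the login-event counting described above; the credentials and the names `count_logins` and `demo` are assumptions made for this example.

```python
import base64, http.client, threading, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

class MockEngine(BaseHTTPRequestHandler):
    """Constructed stand-in for the engine; models only the login-event behaviour."""
    sessions, login_events = set(), 0
    log_message = lambda self, *args: None  # keep the demo quiet

    def do_GET(self):
        sid = self.headers.get("Cookie", "").partition("JSESSIONID=")[2].split(";")[0]
        known = sid in MockEngine.sessions
        if not known:
            if "Authorization" not in self.headers:
                return self.send_error(401)
            MockEngine.login_events += 1  # one login event per authentication
        self.send_response(200)
        if not known and self.headers.get("Prefer") == "persistent-auth":
            sid = uuid.uuid4().hex
            MockEngine.sessions.add(sid)
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/api")
        self.send_header("Content-Length", "0")
        self.end_headers()

def count_logins(port, paths, persistent):
    """Request each path in turn; return the login events the server recorded."""
    MockEngine.login_events = 0
    creds = base64.b64encode(b"user@example:constructed-password").decode()
    cookie = None
    for path in paths:
        headers = {"Prefer": "persistent-auth"} if persistent else {}
        if cookie:
            headers["Cookie"] = cookie  # session established: credentials not resent
        else:
            headers["Authorization"] = "Basic " + creds
        # Plain HTTP to the local mock only; a real engine needs HTTPSConnection.
        conn = http.client.HTTPConnection("127.0.0.1", port)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        if resp.getheader("Set-Cookie"):
            cookie = resp.getheader("Set-Cookie").split(";")[0]
        conn.close()
    return MockEngine.login_events

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockEngine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    paths = ["/api", "/api/vms", "/api/vms"]
    result = tuple(count_logins(server.server_port, paths, p) for p in (False, True))
    server.shutdown()
    return result
```

`demo()` returns the login-event counts as `(per-request Basic auth, persistent auth)` for the same three calls.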

Comment 3 Jake Hunsaker 2014-01-14 19:29:11 UTC
Closing this as NOTABUG per C#1