Bug 1172978
Summary: | ovirt-optimizer-ui plugin asks for REST credentials after plugin tab is opened | |
---|---|---|---
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Lukas Svaty <lsvaty>
Component: | ovirt-optimizer | Assignee: | Martin Sivák <msivak>
Status: | CLOSED ERRATA | QA Contact: | Shira Maximov <mshira>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 3.5.0 | CC: | dfediuck, gklein, juwu, mavital, msivak, vszocs, ykaul
Target Milestone: | ovirt-3.6.0-rc | |
Target Release: | 3.6.0 | |
Hardware: | All | |
OS: | All | |
Whiteboard: | | |
Fixed In Version: | ovirt-optimizer-0.8 | Doc Type: | Bug Fix
Doc Text: | Previously, the Optimizer UI plug-in used a different API to authenticate. As a result, users were prompted to log in again when navigating to the optimization field in the Clusters tab. With this update, the Optimizer UI plug-in reuses the Administration Portal login credentials, and does not prompt users to log in again. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2016-03-09 20:21:30 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | SLA | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Lukas Svaty
2014-12-11 08:48:59 UTC
WebAdmin UI plugin infra acquires a REST session with CSRF protection enabled. The "acquire session" HTTP request looks like this:

    GET /ovirt-engine/api
    Session-TTL: <engine_session_timeout>
    Prefer: persistent-auth, csrf-protection, new-auth

Therefore, each UI plugin talking with REST should make an HTTP request like this:

    GET <engine_api_url>
    Prefer: persistent-auth
    JSESSIONID: <value_from_RestApiSessionAcquired_callback>

Simply put, the acquired REST session has CSRF protection enabled upon creation (via "Prefer: csrf-protection"), which means the client should always send the "JSESSIONID" request header in each HTTP request. Also, the client should always send "Prefer: persistent-auth" in each HTTP request, otherwise it will cause invalidation of the single (shared) REST session for all UI plugins (which would compromise all UI plugins that might use this REST session).

Note that this was announced on the devel list some time ago: https://www.mail-archive.com/devel@ovirt.org/msg02455.html

Sorry, the devel announcement link is the following: http://lists.ovirt.org/pipermail/devel/2014-July/008148.html

3.5.1 is already full with bugs (over 80), and since none of these bugs were added as urgent for the 3.5.1 release in the tracker bug, moving to 3.5.2.

I tried to verify this bug on: Red Hat Enterprise Virtualization Manager Version: 3.6.0-0.18.el6. In Firefox it worked well, but in Chrome I get the message "REST session has not been authenticated yet", although I authenticated with the REST Google plugin. Martin, am I missing something?

There is a message between the main app and the UI plugin iframe that gives the credentials to the UI plugin. It is possible that it does not work properly in Chrome. But it seems we do not officially support Chrome yet. Einav, can you confirm this please?

We do not officially support Chrome for RHEV 3.5 and below; however, we want to support Chrome at a "tier 2" level for RHEV 3.6 (see bug 1188226). So I believe that if we have an issue right now, we may want to investigate/fix it specifically for 3.6 (in RHEV 4.0, in which we are supposed to have proper SSO, we may not have this kind of issue anymore). @Vojtech - any thoughts/recommendations on the above?

Sorry for my late response. First of all, see attachment https://bugzilla.redhat.com/show_bug.cgi?id=895103#c16 [Sample UI plugin that demonstrates cross-window communication feature] as a reference. I've checked the sources [ovirt-optimizer/dist/ovirt-optimizer-uiplugin]; the sequence should be like this:

1. User clicks on the "Optimizer Result" sub tab, which loads the sub tab's content (Angular application) into an iframe.
2. Optimizer application calls "parent.postMessage" to request the REST API session ID from the UI plugin host page.
3. In the UI plugin host page, the "MessageReceived" callback is fired, which sets the REST API session ID into the application -> at this point, the "RestApiSessionAcquired" callback should have already been called by the UI plugin infra.

Since REST API session acquisition is an async (HTTP) operation, and since "MessageReceived" is triggered by the sub tab's content after sub tab selection (step 2 above), there is no guarantee which one of these callbacks will be called first.

Suggested things to check in Chrome (@Martin, can you please assist?):

- ensure RestApiSessionAcquired is called with the REST API session ID value (index.html:94)
- ensure MessageReceived is called with the given data (index.html:100)

As for 4.0 with SSO, the REST API integration for UI plugins will be changed (avoid creating a REST API session, just pass the SSO token to UI plugins so they can authenticate their REST API requests).

@Martin, if the MessageReceived callback is still not called in Chrome (despite the UI plugin defining "allowedMessageOrigins: ['*']" and both HTMLs being on the same origin), please isolate the problem into a minimal UI plugin and I will debug it more deeply.

Verified on (in Firefox): Red Hat Enterprise Virtualization Manager Version: 3.6.0.3-0.1.el6. Verification steps:

1. Log in to the WA portal
2. Navigate to Cluster/ovirt-optimizer

This BZ was verified in Firefox (which is good), but the reported issue (see comment #6) occurred in Chrome. Should I investigate based on my comment #9?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0427.html
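The two technical points raised in this bug, that every plugin REST request must carry both `JSESSIONID` and `Prefer: persistent-auth` so the single shared, CSRF-protected session is neither rejected nor invalidated, and that `RestApiSessionAcquired` and `MessageReceived` can fire in either order, are illustrated below in an added example. This is not code from oVirt, ovirt-optimizer or the UI plugin infrastructure; the `SessionBroker` class, the `getSessionId`/`sessionId` message shapes and the sample session ID are constructed for this example, and the `event` objects mimic only the `origin`, `data` and `source.postMessage` fields of a browser `MessageEvent`.

```javascript
// Added example, not oVirt code: a host-page broker that hands the REST API
// session ID to a plugin iframe in whichever order the two callbacks fire,
// plus the header set every plugin REST request must carry.

// Headers required by the bug description: the host-acquired JSESSIONID
// (the session was created with csrf-protection, so it is mandatory) and
// Prefer: persistent-auth (omitting it invalidates the shared session).
function restHeaders(sessionId) {
  if (!sessionId) {
    throw new Error('REST session has not been authenticated yet');
  }
  return { 'Prefer': 'persistent-auth', 'JSESSIONID': sessionId };
}

// Assumed message protocol (constructed for this example):
//   iframe -> host: { type: 'getSessionId' }
//   host -> iframe: { type: 'sessionId', value: <id> }
class SessionBroker {
  constructor(allowedMessageOrigins) {
    this.allowedMessageOrigins = allowedMessageOrigins;
    this.sessionId = null;
    this.pending = []; // iframe requests that arrived before the session did
  }

  // Mirrors the plugin infra's RestApiSessionAcquired callback: the async
  // acquisition finished, so answer anyone who asked while we were waiting.
  onRestApiSessionAcquired(sessionId) {
    this.sessionId = sessionId;
    for (const reply of this.pending.splice(0)) reply(sessionId);
  }

  // Mirrors the plugin infra's MessageReceived callback. Returns true when the
  // message was accepted (answered now or queued), false when it was dropped.
  onMessageReceived(event) {
    if (!this.originAllowed(event.origin)) return false;
    if (!event.data || event.data.type !== 'getSessionId') return false;
    // Reply only to the requesting window and only to its own origin.
    const reply = (id) =>
      event.source.postMessage({ type: 'sessionId', value: id }, event.origin);
    if (this.sessionId !== null) {
      reply(this.sessionId);
    } else {
      this.pending.push(reply); // RestApiSessionAcquired has not fired yet
    }
    return true;
  }

  originAllowed(origin) {
    return this.allowedMessageOrigins.includes('*') ||
      this.allowedMessageOrigins.includes(origin);
  }
}

// Drive the broker in both callback orders the bug discusses and return the
// messages the (fake) iframe received; the origin and ID are constructed.
function simulate(sessionFirst) {
  const broker = new SessionBroker(['*']);
  const received = [];
  const fakeSource = { postMessage: (msg) => received.push(msg) };
  const request = {
    origin: 'https://engine.example',
    data: { type: 'getSessionId' },
    source: fakeSource,
  };
  const sessionId = 'constructed-session-id';
  if (sessionFirst) {
    broker.onRestApiSessionAcquired(sessionId);
    broker.onMessageReceived(request);
  } else {
    broker.onMessageReceived(request);
    broker.onRestApiSessionAcquired(sessionId);
  }
  return received;
}

// Stand-alone run: both orders must deliver exactly one sessionId message.
console.log(simulate(true), simulate(false), restHeaders('constructed-session-id'));
```

The queue in `SessionBroker` is what removes the ordering race described in the thread: a `getSessionId` request that beats `RestApiSessionAcquired` is held and answered when the session arrives instead of being answered with nothing, which is the state the "REST session has not been authenticated yet" message reports.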