Bug 1236976

Summary: [RFE] UIPlugins should not use restapi http session
Product: [oVirt] ovirt-engine
Reporter: Alon Bar-Lev <alonbl>
Component: RFEs
Assignee: Vojtech Szocs <vszocs>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: high
Docs Contact:
Priority: high
Version: ---
CC: bgraveno, bmcclain, bugs, gklein, iheim, lsurette, mgoldboi, michal.skrivanek, oourfali, pstehlik, rbalakri, sbonazzo, srevivo, vszocs, ykaul
Target Milestone: ovirt-4.0.0-beta
Keywords: FutureFeature, Improvement
Target Release: 4.0.0
Flags: rule-engine: ovirt-4.0.0+, pstehlik: testing_plan_complete-, mgoldboi: planning_ack+, oourfali: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
The user interface (UI) code is now aligned with the Manager's SSO infrastructure by dropping reliance on the REST webapp's HTTP session mechanism in favor of using SSO tokens. This impacts, and potentially breaks, all UI plugins because the "RestApiSessionAcquired" callback has been removed. From now on, UI plugins should use the new "api.ssoToken" function when authenticating Manager (e.g. REST API) requests:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://example.com/ovirt-engine/api');
    xhr.setRequestHeader('Authorization', 'Bearer ' + api.ssoToken());
    xhr.setRequestHeader('Accept', 'application/json');
    xhr.addEventListener('load', function () {
        // response loaded OK, parse JSON data
        var data = JSON.parse(this.responseText);
    });
    xhr.send();

The UI plugins no longer need to use session-specific request headers like "Prefer:persistent-auth" and "JSESSIONID:xxx", which simplifies their code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-05 08:03:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: UX
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: SSO test UI plugin; Flags: none

Description Alon Bar-Lev 2015-06-30 06:01:08 UTC
Marking as Improvement although this is a bug that could not be resolved in previous versions due to backward compatibility with existing UIPlugins.

The UIPlugins should use the restapi in stateless mode, avoiding the issues introduced by inactivity, credential management, session lifecycle, resource leak (currently we leak sessions for a very long time as they are set to a hard limit) and similar.

We discussed that many times, and 4.0 is the time to do that.

The UIPlugin should hand over the http request to the infrastructure so it can add custom headers before request is actually performed.

In most cases the infrastructure will just set the authorization header / plain header with the authentication token.

I also suggest the UIPlugin will hand over the response to the infrastructure so it can extract important information out of it if it likes.

Another option: the infrastructure will actually perform the http request.
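
The stateless request handling proposed in this description, sketched as an added example (not code from the oVirt project or from the reporter). `buildEngineRequest`, `sendEngineRequest` and the `engine.example.test` origin are hypothetical names; in a UI plugin the token provider would wrap `api.ssoToken()` as named in the Doc Text. The helper reads the token for each request, attaches it only to same-origin Engine URLs, and drops the session-era headers.

```javascript
// Added example: hypothetical helper names, not part of the oVirt UI plugin API.

// Build the URL and headers for one stateless Engine REST request.
// getToken is called on every request so no token is cached by the plugin.
function buildEngineRequest(url, getToken, engineOrigin, headers = {}) {
  const target = new URL(url, engineOrigin);
  // Never send the bearer token to an origin other than the Engine.
  if (target.origin !== new URL(engineOrigin).origin) {
    throw new Error('refusing to attach SSO token to ' + target.origin);
  }
  const out = { Accept: 'application/json' };
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // Caller-supplied credentials and session headers are not forwarded.
    if (lower === 'authorization' || lower === 'jsessionid') continue;
    if (lower === 'prefer' && /persistent-auth/i.test(value)) continue;
    out[name] = value;
  }
  const token = getToken();
  if (typeof token !== 'string' || token === '') {
    throw new Error('no SSO token available');
  }
  out.Authorization = 'Bearer ' + token;
  return { url: target.href, headers: out };
}

// Browser-side sender built on the helper above.
// In a plugin (assumption): getToken = function () { return api.ssoToken(); }
function sendEngineRequest(method, url, getToken, engineOrigin, onLoad) {
  const req = buildEngineRequest(url, getToken, engineOrigin);
  const xhr = new XMLHttpRequest();
  xhr.open(method, req.url);
  for (const [name, value] of Object.entries(req.headers)) {
    xhr.setRequestHeader(name, value);
  }
  xhr.addEventListener('load', function () {
    onLoad(JSON.parse(this.responseText));
  });
  xhr.send();
}
```
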

Comment 1 Vojtech Szocs 2015-07-01 15:17:56 UTC
> Another option: the infrastructure will actually perform the http request.

I prefer this option, e.g. expose service to UI plugins for talking with REST API that takes care of specific HTTP request details and processing.

Comment 2 Red Hat Bugzilla Rules Engine 2015-10-19 11:03:05 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 4 Oved Ourfali 2016-03-16 07:33:42 UTC
Vojtech - we already handled this one, right?

Comment 5 Vojtech Szocs 2016-03-17 14:42:12 UTC
(In reply to Oved Ourfali from comment #4)
> Vojtech - we already handled this one, right?

Following action items (on me) are needed to close this one:

1, update https://gerrit.ovirt.org/#/c/49278/ according to Ravi's feedback & build Engine with patch applied for verification

2, [virt-viewer integration] verify VM console connect using virt-viewer build from https://bugzilla.redhat.com/show_bug.cgi?id=1286696#c17

3, [UI plugin API change] verify `api.ssoToken()` by writing sample UI plugin, attach the sample UI plugin to BZ for reference

4, ask BZ#1286696 assignee (Christophe) to merge relevant virt-viewer changes & update BZ status accordingly

5, merge https://gerrit.ovirt.org/#/c/49278/ and move this BZ to MODIFIED

6, announce on oVirt devel list breaking change in UI plugin API, provide sample code on how to migrate existing UI plugins to use the new API

Comment 6 Vojtech Szocs 2016-03-23 14:41:28 UTC
Created attachment 1139621
SSO test UI plugin

Attaching sample UI plugin to test the newly introduced `api.ssoToken()` function.

Just extract files into $PREFIX/share/ovirt-engine/ui-plugins (where $PREFIX is usually /usr) and reload WebAdmin in your browser. Engine restart is not necessary.

Comment 7 Sandro Bonazzola 2016-05-02 10:09:18 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.

Comment 8 Oved Ourfali 2016-05-08 07:07:36 UTC
Vojtech - where do we stand with this one?

Comment 9 Vojtech Szocs 2016-05-09 14:52:21 UTC
(In reply to Oved Ourfali from comment #8)
> Vojtech - where do we stand with this one?

Waiting for Christophe to verify upstream virt-viewer SSO changes.

Once verified, the process should be:
- merge https://gerrit.ovirt.org/#/c/49278/ & move BZ to MODIFIED
- announce on oVirt devel the breaking change in UI plugin API

We should open another BZ -- once the virt-viewer build [1] lands in Fedora/RHEL(/Win?), update "RemoteViewerSupportedVersions" Engine config value according to [2].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1286696
[2] https://gerrit.ovirt.org/#/c/56616/

Comment 10 Oved Ourfali 2016-05-10 05:43:41 UTC
(In reply to vszocs from comment #9)
> (In reply to Oved Ourfali from comment #8)
> > Vojtech - where do we stand with this one?
> 
> Waiting for Christophe to verify upstream virt-viewer SSO changes.
> 
> Once verified, the process should be:
> - merge https://gerrit.ovirt.org/#/c/49278/ & move BZ to MODIFIED
> - announce on oVirt devel the breaking change in UI plugin API
> 
> We should open another BZ -- once the virt-viewer build [1] lands in
> Fedora/RHEL(/Win?), update "RemoteViewerSupportedVersions" Engine config
> value according to [2].
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1286696
> [2] https://gerrit.ovirt.org/#/c/56616/

We need to merge that before feature freeze.
I guess this might get an exception if not, but we should try.

Comment 11 Vojtech Szocs 2016-05-10 16:13:10 UTC
Update: BZ#1324457 is now ON_QA, fixed in version = libgovirt-0.3.3-2.el7

Comment 14 Petr Matyáš 2016-05-26 10:36:16 UTC
Verified on ovirt-engine-4.0.0-0.0.master.20160523171412.git1a7a1f3.el7.centos.noarch

Comment 15 Sandro Bonazzola 2016-07-05 08:03:46 UTC
oVirt 4.0.0 has been released, closing current release.