Bug 1276083

Summary: jsessionid cookie does not work with /api, only with /ovirt-engine/api
Product: Red Hat Enterprise Virtualization Manager Reporter: Christophe Fergeau <cfergeau>
Component: ovirt-engineAssignee: Juan Hernández <juan.hernandez>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.6.0CC: amureini, cfergeau, ecohen, gklein, lsurette, oourfali, owwang, rbalakri, Rhev-m-bugs, yeylon
Target Milestone: ovirt-3.6.1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-02 14:15:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christophe Fergeau 2015-10-28 16:20:01 UTC 
Trying to connect to a VM through a .vv file to get foreign menu is not working with a recent RHEV 3.6 instance. I realized this is caused by the jsessionid cookie only allowing password-less access to /ovirt-engine/api, and not to /api. In RHEL 6.7, we are using /api (RHEL 7 is using /ovirt-engine/api), which explains why the foreign menu is not showing up.
Comment 1 Oved Ourfali 2015-11-01 07:55:21 UTC 
Juan, can you take a look?
Comment 2 Juan Hernández 2015-11-02 13:47:11 UTC 
According to my tests both /api and /ovirt-engine/api handle the JSESSIONID cookie correctly. May it be that you are using /ovirt-engine/api to get some information and then /api to request the .vv file? If you are doing that then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid for /api (and the other way around).

Please use the following script to verify that cookies work correctly, and report the results:

---8<---
#!/bin/sh -ex

url="https://engine.example.com/api"
user="admin@internal"
password="..."
cookies="cookies.txt"
vm_id="..."
console_id="5350494345"

# Request the base URL, so that we get a cookie:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--user "${user}:${password}" \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/xml" \
--header "Prefer: persistent-auth" \
"${url}"

# Request the .vv file for the VM, without providing credentials, this should
# work as we already have the cookies:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/x-virt-viewer" \
--header "Prefer: persistent-auth" \
"${url}/vms/${vm_id}/graphicsconsoles/${console_id}
--->8---

Make sure to use the right credentials and "vm_id".

Take into account that the output of this script will contain your password, inside the "Authentication" header, so you may want to edit it before sharing.
Comment 3 Christophe Fergeau 2015-11-02 14:06:31 UTC 
(In reply to Juan Hernández from comment #2)
> According to my tests both /api and /ovirt-engine/api handle the JSESSIONID
> cookie correctly. May it be that you are using /ovirt-engine/api to get some
> information and then /api to request the .vv file? If you are doing that
> then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid
> for /api (and the other way around).

Oh, this is most likely the issue I'm having. For these tests, I've been trying to use the jsessionid I get from a .vv file. On RHEL6, libgovirt will try to use ovirt.example.com/api, on RHEL7 libgovirt will use ovirt.example.com/ovirt-engine/api. .vv files only list one jsessionid, so I guess this mandates the use of /ovirt-engine/api to use the REST API in this context.

 
> Please use the following script to verify that cookies work correctly, and
> report the results:
> 
> ---8<---
> #!/bin/sh -ex
> 
> url="https://engine.example.com/api"
> user="admin@internal"
> password="..."
> cookies="cookies.txt"
> vm_id="..."
> console_id="5350494345"
> 
> # Request the base URL, so that we get a cookie:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --user "${user}:${password}" \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/xml" \
> --header "Prefer: persistent-auth" \
> "${url}"
> 
> # Request the .vv file for the VM, without providing credentials, this should
> # work as we already have the cookies:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/x-virt-viewer" \
> --header "Prefer: persistent-auth" \
> "${url}/vms/${vm_id}/graphicsconsoles/${console_id}
> --->8---
> 

Yes, this script works for me (did not look in details, but I'm getting a HTTP/1.1 204 No Content which answer, which probably occurs _after_ auth succeeded).
Comment 4 Juan Hernández 2015-11-02 14:15:53 UTC 
Yes, the 204 code indicates that the .vv file can't be generated, probably because the VM is down or it isn't using SPICE (the console id "350494345" corresponds to SPICE), but that happens after authentication.

I'm closing as NOTABUG. If you find additional related issues feel free to reopen.