Bug 1390844

Summary: Error display: "getAllVmsList( ) error:401" after Login to Engine
Product: [oVirt] cockpit-ovirt Reporter: Wei Wang <weiwang>
Component: GenericAssignee: Marek Libra <mlibra>
Status: CLOSED WONTFIX QA Contact: Wei Wang <weiwang>
Severity: high Docs Contact:
Priority: unspecified    
Version: ---CC: bugs, cshao, fdeutsch, huiwa, huzhao, juan.hernandez, leiwang, mgoldboi, michal.skrivanek, mlibra, mperina, rbarry, rnori, weiwang, yaniwang, ycui
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-04 12:53:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
ks file
none
picture
none
var log
none
engine log none

Description Wei Wang 2016-11-02 04:57:30 UTC 
Created attachment 1216336 [details]
ks file

Description of problem:
Error display: "getAllVmsList( ) error:401" after Login to Engine

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161027.1
imgbased-0.8.6-0.1.el7ev.noarch
cockpit-ws-118-2.el7.x86_64
cockpit-ovirt-dashboard-0.10.6-1.4.1.el7ev.noarch


How reproducible:
100%


Steps to Reproduce:
1. Install RHVH with redhat-virtualization-host-4.0-20161027.1 with kickstart script (Attached)
2. Add host to RHEVM and setup Vms
3. Login cockpit website hostIP:9090 with root account
4. Select "virtualization" panel
5. Click "Login to Engine" link under "Technical Preview" list
6. Input engine URL and admin password,then click "Login" button
7. Click "VMs in Cluster" and wait


Actual results:
Error display: "getAllVmsList( ) error:401" is prompted.


Expected results:
There is no error display


Additional info:
The function of logging out the Engine is valid.
Comment 1 Wei Wang 2016-11-02 04:58:13 UTC 
Created attachment 1216337 [details]
picture
Comment 2 Wei Wang 2016-11-02 04:59:11 UTC 
Created attachment 1216338 [details]
var log
Comment 3 Wei Wang 2016-11-02 05:18:23 UTC 
Created attachment 1216339 [details]
engine log
Comment 4 Wei Wang 2016-11-02 05:44:19 UTC 
The bug cannot be reproduced with the preceding build, add regression keyword
Comment 5 Michal Skrivanek 2016-11-03 07:50:31 UTC 
Juan, would you be so kind and suggest a way how to find out the connection between API requests and a failure in engine.log? I'm totally lost:/
Comment 6 Juan Hernández 2016-11-03 09:53:51 UTC 
I don't have a general recipe, but in this particular case the error is 401, unauthorized, so most probably the request didn't reach the API, it was rejected by the authentication layer. The last few lines of the engine.log file say this:

2016-11-02 11:36:44,386 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-22) [] OAuthException invalid_grant: The provided authorization grant for the auth code has expired
2016-11-02 11:36:44,387 ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-27) [] Cannot authenticate using authentication Headers: invalid_grant: The provided authorization grant for the auth code has expired

That confirms that there is some kind of authentication problem, but as there are no more details or stack trace I can't say anything else. The web server access log can help, as we could see more details of the request that the client is sending.

Wei, do you still have the logs of the RHV machine, in particular /var/log/httpd/ssl_access_log. Can you share it? If possible clean that log, reproduce the problem, and attach it.

Ravi, any idea of what can be causing this authentication failure?
Comment 7 Juan Hernández 2016-11-03 10:59:46 UTC 
Looking a bit more into this I see in cockpit-ovirt.log that the host is requesting an authentication token:

11/01/2016 04:33:28 PM http_call: 'https://rhevm-40-1.englab.nay.redhat.com/ovirt-engine/sso/oauth/token?grant_type=urn:ovirt:params:oauth:grant-type:http&scope=ovirt-app-api',
  method:GET, user:admin@internal, headers:{'Accept': 'application/json'}
11/01/2016 04:33:28 PM http_call status_code: 200
11/01/2016 04:33:28 PM build_result, code: 0, message: "Done", content: True
11/01/2016 04:33:28 PM result: {"status": {"message": "Done", "code": 0}, "content": {"access_token": "2e2WcqgH9LWpCiTM3groh2K5T2y1hw7i-R_Oj1KKAghWgkht48S1uCcQKrCXprRXHzJr2q26Elj3pXk7ZUgU_g", "scope": "ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate", "token_type": "bearer", "exp": 1125248176}}

Note the value of the "exp" attribute of the result, 1125248176, in theory that is a date in the past:

  Date date = new Date(1125248176L);
  System.out.println(date);

Produces:

  Wed Jan 14 01:34:08 CET 1970

Is that correct Ravi? There may be a problem with conversion from long to int here:

  https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoUtils.java#L403

Then, several hours later, is using it to request the list of virtual machines, and it fails, apparently because the token is expired:

11/02/2016 11:21:54 AM http_call: 'https://rhevm-40-1.englab.nay.redhat.com/ovirt-engine/api/vms',
  method:GET, user:None, headers:{'Authorization': 'Bearer 2e2WcqgH9LWpCiTM3groh2K5T2y1hw7i-R_Oj1KKAghWgkht48S1uCcQKrCXprRXHzJr2q26Elj3pXk7ZUgU_g', 'Accept': 'application/json'}
11/02/2016 11:21:54 AM http_call status_code: 401

Shouldn't cockpit detect this and renew the SSO token?
Comment 8 Ravi Nori 2016-11-03 13:17:23 UTC 
From the cockpit logs this is what I see.

User authenticated and acquired token at 11/01/2016 04:33:28 PM 
last successful access was done at 11/01/2016 04:49:23 PM. The successful access includes getAllVmsList.
There is a period of inactivity and then at 11/02/2016 11:21:52 AM, the same token is being used to fetch vms and it fails.

The session has been purged from SSO and engine side due to inactivity. Cockpit needs re-authenticate and acquire a new session.
Comment 9 Juan Hernández 2016-11-03 13:35:02 UTC 
What about the value of the "exp" attribute of the authentication result? Is it correct?
Comment 10 Ravi Nori 2016-11-03 15:12:36 UTC 

*** This bug has been marked as a duplicate of bug 1389251 ***
Comment 11 Ravi Nori 2016-11-03 16:09:33 UTC 
Yes there is an issue with the cast to int, will submit a separate patch for that
Comment 12 Red Hat Bugzilla Rules Engine 2016-11-04 10:18:36 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 13 Martin Perina 2016-11-18 13:47:17 UTC 
Unfortunately there was a bit noise about this bug, but the real issue is described in Comment 8, cockpit acquired a token, but after some this toked expired, so cockpit need to get new token.
Comment 14 Michal Skrivanek 2016-11-23 12:52:44 UTC 
not a regression really. The token is not refreshed so once it expires it breaks.
Comment 15 Marek Libra 2016-11-28 12:58:00 UTC 
Right, token renewal needs to be implemented.
Comment 16 Michal Skrivanek 2016-12-21 09:09:31 UTC 
The bug was not addressed in time for 4.1. Postponing to 4.2
Comment 17 Marek Libra 2017-09-04 12:41:45 UTC 
"Virtual Machines" (the VDSM part) of cockpit-ovirt has been removed for ovirt 4.2 (https://gerrit.ovirt.org/#/c/80442/ ), I propose to close this bug.
Comment 18 Marek Libra 2017-09-04 12:53:21 UTC 
Removed in 4.2
Comment 19 Wei Wang 2017-09-05 01:56:22 UTC 
Change "Resolution" from "NOTABUT" to "WONTFIX" since it is an effective bug in 4.1.