1051568 – [RFE] Ability to configure API calls to not generate a login/logout event

Bug 1051568 - [RFE] Ability to configure API calls to not generate a login/logout event

Summary: [RFE] Ability to configure API calls to not generate a login/logout event

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine-restapi
Sub Component:
Version:	3.2.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	3.4.0
Assignee:	Juan Hernández
QA Contact:	Shai Revivo
Docs Contact:
URL:
Whiteboard:	infra
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-01-10 15:20 UTC by Jake Hunsaker
Modified:	2019-04-28 09:12 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-14 19:29:11 UTC
oVirt Team:	Infra
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Jake Hunsaker 2014-01-10 15:20:00 UTC

Who is the customer behind the request?  
Account: name (acct #)  Richard Davis (PGDS UK Limited) / 947978
TAM customer: no/yes  no
SRM customer: no/yes  Yes
Strategic: no/yes  Yes
  
 What is the nature and description of the request?  

Currently API calls generate a login/logout event for every call. Customer would like to be able to configure this logging (enable/disable).
  
 Why does the customer need this? (List the business requirements here) 

To prevent spamming the Event log with login/logout event every time we interact with RHEV using the APIs. 

 How would the customer like to achieve this? (List the functional requirements here)  
  
Either be able to disable this logging or, ideally according to the customer, have a readonly account that can make API calls but not have the login/logout messages logged

 Is there already an existing RFE upstream or in Red Hat Bugzilla? 

Not for this explicitly, however BZ1036896 is open for the readonly admin account feature
  
 Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

They would like this in 3.3, however I have explained that this is unlikely given 3.3 is in the latter stages of public beta
  
 Is the sales team involved in this request and do they have any additional input?  

No
  

 Would the customer be able to assist in testing this functionality if implemented? 

Yes

Comment 1 Juan Hernández 2014-01-10 15:48:33 UTC

API calls generate a login/logout event only if not using persistent authentication. If using the Python or Java SDKs this should happen automatically. If the customer is accessing the RESTAPI in some other ways then solution to this problem is to explicitly use persistent authentication. The first request sent by the client should contain the "Prefer" header and the authentication details:

  GET /api HTTP/1.1
  Prefer: persistent-auth
  Content-type: application/xml
  Accept: application/xml
  Authorization: Basic YWRtaW5AaW50ZXJuYWw6cmVkaGF0MTIz

The server will return the response, including a session cookie:

  HTTP/1.1 200 OK
  Header: Date: Fri, 10 Jan 2014 15:32:20 GMT
  Set-Cookie: JSESSIONID=4RNIBiN40YTHC61APsDL-1Tx; Path=/api; Secure

Further requests should send again the "Prefer" header and the session cookie:

  GET /api/vms HTTP/1.1
  Prefer: persistent-auth
  Cookie: JSESSIONID=4RNIBiN40YTHC61APsDL-1Tx
  Content-type: application
  Accept: application

This will generate only one session in the server side, and only one login message in the log.

For more details see here:

http://www.ovirt.org/Features/RESTSessionManagement

I would suggest to use one of the SDKs, as they provide this for free, and simplify the development.

If this is enough for the customer I would suggest to close the bug as NOTABUG.

Comment 3 Jake Hunsaker 2014-01-14 19:29:11 UTC

Closing this as NOTABUG per C#1

Note You need to log in before you can comment on or make changes to this bug.