Bug 1172978 - ovirt-optimizer-ui plugins asks for rest credentials after plugin tab is opened
Summary: ovirt-optimizer-ui plugins asks for rest credentials after plugin tab is opened
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-optimizer
Version: 3.5.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assignee: Martin Sivák
QA Contact: Shira Maximov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-11 08:48 UTC by Lukas Svaty
Modified: 2016-03-09 20:21 UTC

Fixed In Version: ovirt-optimizer-0.8
Doc Type: Bug Fix
Doc Text:
Previously, the Optimizer UI plug-in used a different API to authenticate. As a result, users were prompted to log in again when navigating to the optimization field in the Clusters tab. With this update, the Optimizer UI plug-in reuses the Administration Portal login credentials, and does not prompt users to log in again.
Clone Of:
Environment:
Last Closed: 2016-03-09 20:21:30 UTC
oVirt Team: SLA
Target Upstream Version:


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:0427 | normal | SHIPPED_LIVE | ovirt-optimizer bug fix and enhancement update | 2016-03-10 01:19:39 UTC
oVirt gerrit | 36103 | master | MERGED | Add CSRF protection headers when accessing engine's REST | Never

Description Lukas Svaty 2014-12-11 08:48:59 UTC
Description of problem:
When logged in to the WA portal and navigating to cluster -> ovirt-optimizer, I am asked for my login credentials. These should be taken from the currently logged-in session.
At least the optimizer is clever enough to remember the credentials once I enter them when it asks for them the first time :)

Version-Release number of selected component (if applicable):
ovirt-optimizer-ui-0.4-5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Log in to WA portal
2. Navigate to Cluster/ovirt-optimizer


Actual results:
Admin is asked for credentials for the logged-in admin.

Expected results:
Should be taken from current logged session.

Additional info:
I saw no errors in console of plugin.

Comment 1 Vojtech Szocs 2014-12-11 11:33:02 UTC
WebAdmin UI plugin infra acquires REST session with CSRF protection enabled. The "acquire session" HTTP request looks like this:

  GET /ovirt-engine/api
  Session-TTL: <engine_session_timeout>
  Prefer: persistent-auth, csrf-protection, new-auth

Therefore, each UI plugin talking with REST should make HTTP request like this:

  GET <engine_api_url>
  Prefer: persistent-auth
  JSESSIONID: <value_from_RestApiSessionAcquired_callback>

Simply put, acquired REST session has CSRF protection enabled upon creation (via "Prefer: csrf-protection") which means the client should always send "JSESSIONID" request header in each HTTP request.

Also, client should always send "Prefer: persistent-auth" in each HTTP request, otherwise it will cause invalidation of the single (shared) REST session for all UI plugins (which would compromise all UI plugins that might use this REST session).

Note that this was announced on devel list some time ago:

  https://www.mail-archive.com/devel@ovirt.org/msg02455.html

Comment 2 Vojtech Szocs 2014-12-11 12:55:59 UTC
Sorry, the devel announcement link is the following:

  http://lists.ovirt.org/pipermail/devel/2014-July/008148.html

Comment 3 Eyal Edri 2015-02-25 08:40:04 UTC
3.5.1 is already full with bugs (over 80), and since none of these bugs were added as urgent for 3.5.1 release in the tracker bug, moving to 3.5.2

Comment 6 Shira Maximov 2015-10-11 15:38:07 UTC
I tried to verify this bug on:
Red Hat Enterprise Virtualization Manager Version: 3.6.0-0.18.el6

In Firefox it worked well, but in Chrome I get the message: REST session has not been authenticated yet
although I authenticated with the REST Google plugin.

Martin - am I missing something?

Comment 7 Martin Sivák 2015-10-12 08:06:38 UTC
There is a message between the main app and the UI plugin iframe that gives the credentials to the UI plugin. It is possible that it does not work properly in Chrome.

But it seems we do not officially support Chrome yet. 

Einav can you confirm this please?

Comment 8 Einav Cohen 2015-10-12 09:35:15 UTC
We do not officially support Chrome for RHEV 3.5 and below; however, we want to support Chrome in a "tier 2" level for RHEV 3.6 (see bug 1188226).

So I believe that if we have an issue right now, we may want to investigate/fix it specifically for 3.6 (in RHEV 4.0, in which we are supposed to have proper SSO, we may not have these kinds of issues anymore).

@Vojtech - any thoughts/recommendations on the above?

Comment 9 Vojtech Szocs 2015-11-05 15:45:24 UTC
Sorry for my late response.

First of all, see attachment https://bugzilla.redhat.com/show_bug.cgi?id=895103#c16 [Sample UI plugin that demonstrates cross-window communication feature] as a reference.

I've checked the sources [ovirt-optimizer/dist/ovirt-optimizer-uiplugin], the sequence should be like this:

1. User clicks on "Optimizer Result" sub tab, which loads the sub tab's content (Angular application) into an iframe
2. Optimizer application calls "parent.postMessage" to request REST API session ID from UI plugin host page
3. In UI plugin host page, "MessageReceived" callback is fired, which sets REST API session ID into application
   -> at this point, "RestApiSessionAcquired" callback should have been already called by UI plugin infra

Since REST API session acquisition is an async (HTTP) operation, and since "MessageReceived" is triggered by the sub tab's content after sub tab selection (step 2 above), there is no guarantee which one of these callbacks will be called first.

Suggested things to check in Chrome (@Martin, can you please assist?):

- ensure RestApiSessionAcquired is called with REST API session ID value (index.html:94)
- ensure MessageReceived is called with given data (index.html:100)

As for 4.0 with SSO, the REST API integration for UI plugins will be changed (avoid creating REST API session, just pass SSO token to UI plugins so they can authenticate their REST API requests).

Comment 10 Vojtech Szocs 2015-11-05 15:49:11 UTC
@Martin, if MessageReceived callback is still not called in Chrome (despite that UI plugin defines "allowedMessageOrigins: ['*']" and both HTMLs are on same origin), please isolate the problem into a minimal UI plugin and I will debug it more deeply.
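
The sequence from comment 9 and the per-request headers from comment 1, as an added example that is not part of the bug report or the ovirt-optimizer sources: a host-page broker that answers the iframe's session request whichever callback fires first, and replies only to allowlisted origins. The names createSessionBroker, onSessionAcquired, onMessage and engineRestHeaders, the message shape and the origin argument are assumptions; wiring them to RestApiSessionAcquired and MessageReceived is left to the plugin.

```javascript
// Added example; all function names and the message shape are hypothetical.
function createSessionBroker(allowedOrigins) {
  let sessionId = null;   // set once the REST session is acquired
  const waiting = [];     // requests that arrived before the session existed

  function reply(target, origin) {
    // Address the reply to the requester's origin rather than '*'.
    target.postMessage({ type: 'rest-session', sessionId }, origin);
  }

  return {
    // Call from the RestApiSessionAcquired callback.
    onSessionAcquired(id) {
      sessionId = id;
      while (waiting.length > 0) {
        const pending = waiting.shift();
        reply(pending.source, pending.origin);
      }
    },
    // Call when the iframe's postMessage request arrives.
    // `origin` is assumed to come from the browser's message event.
    onMessage(data, source, origin) {
      if (!allowedOrigins.includes(origin)) return 'rejected';
      if (!data || data.type !== 'get-rest-session') return 'ignored';
      if (sessionId === null) {
        waiting.push({ source, origin });
        return 'queued';
      }
      reply(source, origin);
      return 'sent';
    },
  };
}

// Headers the iframe application sends on every engine REST request,
// as described in comment 1.
function engineRestHeaders(id) {
  if (!id) throw new Error('REST session has not been acquired yet');
  return { Prefer: 'persistent-auth', JSESSIONID: id };
}
```

A request that arrives before the session exists is queued and answered from onSessionAcquired, so the iframe never sees an empty session ID.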

Comment 11 Shira Maximov 2015-11-19 15:19:10 UTC
Verified on (in Firefox):
Red Hat Enterprise Virtualization Manager Version: 3.6.0.3-0.1.el6

Verification steps:
1. Log in to WA portal
2. Navigate to Cluster/ovirt-optimizer

Comment 12 Vojtech Szocs 2015-11-26 14:26:48 UTC
This BZ was verified in Firefox (which is good) but the reported issue (see comment #6) occurred in Chrome. Should I investigate based on my comment #9?

Comment 14 errata-xmlrpc 2016-03-09 20:21:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0427.html

