Bug 1276083 - jsessionid cookie does not work with /api, only with /ovirt-engine/api
jsessionid cookie does not work with /api, only with /ovirt-engine/api
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
3.6.0
Unspecified Unspecified
unspecified Severity high
: ovirt-3.6.1
: ---
Assigned To: Juan Hernández
infra
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-28 12:20 EDT by Christophe Fergeau
Modified: 2016-02-10 14:14 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-02 09:15:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christophe Fergeau 2015-10-28 12:20:01 EDT
Trying to connect to a VM through a .vv file to get foreign menu is not working with a recent RHEV 3.6 instance. I realized this is caused by the jsessionid cookie only allowing password-less access to /ovirt-engine/api, and not to /api. In RHEL 6.7, we are using /api (RHEL 7 is using /ovirt-engine/api), which explains why the foreign menu is not showing up.
Comment 1 Oved Ourfali 2015-11-01 02:55:21 EST
Juan, can you take a look?
Comment 2 Juan Hernández 2015-11-02 08:47:11 EST
According to my tests both /api and /ovirt-engine/api handle the JSESSIONID cookie correctly. May it be that you are using /ovirt-engine/api to get some information and then /api to request the .vv file? If you are doing that then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid for /api (and the other way around).

Please use the following script to verify that cookies work correctly, and report the results:

---8<---
#!/bin/sh -ex

url="https://engine.example.com/api"
user="admin@internal"
password="..."
cookies="cookies.txt"
vm_id="..."
console_id="5350494345"

# Request the base URL, so that we get a cookie:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--user "${user}:${password}" \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/xml" \
--header "Prefer: persistent-auth" \
"${url}"

# Request the .vv file for the VM, without providing credentials, this should
# work as we already have the cookies:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/x-virt-viewer" \
--header "Prefer: persistent-auth" \
"${url}/vms/${vm_id}/graphicsconsoles/${console_id}
--->8---

Make sure to use the right credentials and "vm_id".

Take into account that the output of this script will contain your password, inside the "Authentication" header, so you may want to edit it before sharing.
Comment 3 Christophe Fergeau 2015-11-02 09:06:31 EST
(In reply to Juan Hernández from comment #2)
> According to my tests both /api and /ovirt-engine/api handle the JSESSIONID
> cookie correctly. May it be that you are using /ovirt-engine/api to get some
> information and then /api to request the .vv file? If you are doing that
> then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid
> for /api (and the other way around).

Oh, this is most likely the issue I'm having. For these tests, I've been trying to use the jsessionid I get from a .vv file. On RHEL6, libgovirt will try to use ovirt.example.com/api, on RHEL7 libgovirt will use ovirt.example.com/ovirt-engine/api. .vv files only list one jsessionid, so I guess this mandates the use of /ovirt-engine/api to use the REST API in this context.

 
> Please use the following script to verify that cookies work correctly, and
> report the results:
> 
> ---8<---
> #!/bin/sh -ex
> 
> url="https://engine.example.com/api"
> user="admin@internal"
> password="..."
> cookies="cookies.txt"
> vm_id="..."
> console_id="5350494345"
> 
> # Request the base URL, so that we get a cookie:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --user "${user}:${password}" \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/xml" \
> --header "Prefer: persistent-auth" \
> "${url}"
> 
> # Request the .vv file for the VM, without providing credentials, this should
> # work as we already have the cookies:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/x-virt-viewer" \
> --header "Prefer: persistent-auth" \
> "${url}/vms/${vm_id}/graphicsconsoles/${console_id}
> --->8---
> 

Yes, this script works for me (did not look in details, but I'm getting a HTTP/1.1 204 No Content which answer, which probably occurs _after_ auth succeeded).
Comment 4 Juan Hernández 2015-11-02 09:15:53 EST
Yes, the 204 code indicates that the .vv file can't be generated, probably because the VM is down or it isn't using SPICE (the console id "350494345" corresponds to SPICE), but that happens after authentication.

I'm closing as NOTABUG. If you find additional related issues feel free to reopen.

Note You need to log in before you can comment on or make changes to this bug.