Bug 1276083 - jsessionid cookie does not work with /api, only with /ovirt-engine/api
Summary: jsessionid cookie does not work with /api, only with /ovirt-engine/api
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-3.6.1
: ---
Assignee: Juan Hernández
QA Contact:
URL:
Whiteboard: infra
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-28 16:20 UTC by Christophe Fergeau
Modified: 2016-02-10 19:14 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-02 14:15:53 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Christophe Fergeau 2015-10-28 16:20:01 UTC
Trying to connect to a VM through a .vv file to get foreign menu is not working with a recent RHEV 3.6 instance. I realized this is caused by the jsessionid cookie only allowing password-less access to /ovirt-engine/api, and not to /api. In RHEL 6.7, we are using /api (RHEL 7 is using /ovirt-engine/api), which explains why the foreign menu is not showing up.

Comment 1 Oved Ourfali 2015-11-01 07:55:21 UTC
Juan, can you take a look?

Comment 2 Juan Hernández 2015-11-02 13:47:11 UTC
According to my tests both /api and /ovirt-engine/api handle the JSESSIONID cookie correctly. May it be that you are using /ovirt-engine/api to get some information and then /api to request the .vv file? If you are doing that then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid for /api (and the other way around).

Please use the following script to verify that cookies work correctly, and report the results:

---8<---
#!/bin/sh -ex

url="https://engine.example.com/api"
user="admin@internal"
password="..."
cookies="cookies.txt"
vm_id="..."
console_id="5350494345"

# Request the base URL, so that we get a cookie:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--user "${user}:${password}" \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/xml" \
--header "Prefer: persistent-auth" \
"${url}"

# Request the .vv file for the VM, without providing credentials, this should
# work as we already have the cookies:
curl \
--verbose \
--cacert /etc/pki/ovirt-engine/ca.pem \
--request GET \
--cookie "${cookies}" \
--cookie-jar "${cookies}" \
--header "Accept: application/x-virt-viewer" \
--header "Prefer: persistent-auth" \
"${url}/vms/${vm_id}/graphicsconsoles/${console_id}
--->8---

Make sure to use the right credentials and "vm_id".

Take into account that the output of this script will contain your password, inside the "Authentication" header, so you may want to edit it before sharing.

Comment 3 Christophe Fergeau 2015-11-02 14:06:31 UTC
(In reply to Juan Hernández from comment #2)
> According to my tests both /api and /ovirt-engine/api handle the JSESSIONID
> cookie correctly. May it be that you are using /ovirt-engine/api to get some
> information and then /api to request the .vv file? If you are doing that
> then it won't work, as the cookie obtained for /ovirt-engine/api isn't valid
> for /api (and the other way around).

Oh, this is most likely the issue I'm having. For these tests, I've been trying to use the jsessionid I get from a .vv file. On RHEL6, libgovirt will try to use ovirt.example.com/api, on RHEL7 libgovirt will use ovirt.example.com/ovirt-engine/api. .vv files only list one jsessionid, so I guess this mandates the use of /ovirt-engine/api to use the REST API in this context.

 
> Please use the following script to verify that cookies work correctly, and
> report the results:
> 
> ---8<---
> #!/bin/sh -ex
> 
> url="https://engine.example.com/api"
> user="admin@internal"
> password="..."
> cookies="cookies.txt"
> vm_id="..."
> console_id="5350494345"
> 
> # Request the base URL, so that we get a cookie:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --user "${user}:${password}" \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/xml" \
> --header "Prefer: persistent-auth" \
> "${url}"
> 
> # Request the .vv file for the VM, without providing credentials, this should
> # work as we already have the cookies:
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request GET \
> --cookie "${cookies}" \
> --cookie-jar "${cookies}" \
> --header "Accept: application/x-virt-viewer" \
> --header "Prefer: persistent-auth" \
> "${url}/vms/${vm_id}/graphicsconsoles/${console_id}
> --->8---
> 

Yes, this script works for me (did not look in details, but I'm getting a HTTP/1.1 204 No Content which answer, which probably occurs _after_ auth succeeded).

Comment 4 Juan Hernández 2015-11-02 14:15:53 UTC
Yes, the 204 code indicates that the .vv file can't be generated, probably because the VM is down or it isn't using SPICE (the console id "350494345" corresponds to SPICE), but that happens after authentication.

I'm closing as NOTABUG. If you find additional related issues feel free to reopen.


Note You need to log in before you can comment on or make changes to this bug.