Bug 1285883 - Align virt-viewer to engine SSO and remove proprietary HTTP session access [NEEDINFO]
Summary: Align virt-viewer to engine SSO and remove proprietary HTTP session access
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2.4
Assignee: jniederm
QA Contact: sefi litmanovich
URL:
Whiteboard:
Depends On: 1286696 1324457 1339247
Blocks: 975730 ovirt-aaa-sso
Reported: 2015-11-26 20:50 UTC by Alon Bar-Lev
Modified: 2016-08-12 14:22 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The Virt Viewers .vv file's 'versions=' row requires a remote-viewer that supports the 'sso-token=' row. The minimum versions are:
- Windows (64-bit and 32-bit): 2.0-160
- Red Hat Enterprise Linux 7: 2.0-8
- Red Hat Enterprise Linux 6: No supporting sso-token planned.
Clone Of:
Environment:
Last Closed: 2016-08-12 14:22:55 UTC
oVirt Team: Virt
Embargoed:
eedri: needinfo? (amarchuk)
rule-engine: ovirt-4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
michal.skrivanek: devel_ack+
mavital: testing_ack+


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 61227 0 master MERGED core: virt-viewer with sso-token support required 2016-07-25 13:37:27 UTC
oVirt gerrit 61334 0 ovirt-engine-4.0 MERGED core: virt-viewer with sso-token support required 2016-07-25 14:30:52 UTC
oVirt gerrit 61336 0 ovirt-engine-4.0.2 MERGED core: virt-viewer with sso-token support required 2016-07-25 20:53:33 UTC
oVirt gerrit 61636 0 master MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 13:39:48 UTC
oVirt gerrit 61641 0 ovirt-engine-4.0 MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 14:58:17 UTC
oVirt gerrit 61646 0 ovirt-engine-4.0.2 MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 14:58:35 UTC

Description Alon Bar-Lev 2015-11-26 20:50:28 UTC
We had a long discussion about this in bug#975730, gerrit and offline.

It was a mistake to add a non-standard approach to hijack the session, it was a mistake to alter another project to use something that is far from being an interface of the product, but you implemented it anyway.

Now time to revert.

Please open a bug that blocks this with virt-viewer to use the SSO token to access the restapi instead of using the http session.

The usage of SSO token is specified here[1].

In a nutshell it is accessible by adding:

Authorization: Bearer TOKEN

TOKEN is available within application.

[1] http://www.ovirt.org/Features/UniformSSOSupport

Comment 1 Alon Bar-Lev 2015-11-26 21:21:14 UTC
BTW: adding the feature as ability to set any header within the .vv as I recommended, would have made it possible to migrate into the new setup without implication of virt-viewer. Unfortunately we need to revisit this one.

Comment 2 Red Hat Bugzilla Rules Engine 2015-11-27 06:05:36 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 3 Michal Skrivanek 2015-11-27 09:36:54 UTC
after initial investigation, please open follow up bugs on virt-viewer
need to sync with https://gerrit.ovirt.org/#/c/49278/ and both Linux and Windows version of virt-viewer

Comment 5 Oved Ourfali 2016-03-11 07:14:35 UTC
As we handle sessions differently, and if I understand the context correctly, this must be done in 4.0.

Comment 6 Vojtech Szocs 2016-03-11 14:33:19 UTC
(In reply to Oved Ourfali from comment #5)
> As we handle sessions differently, and if I understand the context
> correctly, this must be done in 4.0.

AFAIK, in 4.0 the REST webapp will still support cookie-based server-side session mechanism [1]. This is because there might be systems/tools still relying on this mechanism.

[1] http://www.ovirt.org/develop/release-management/features/infra/restsessionmanagement/

Anyway, in 4.0 we'd like to align UI with SSO, dropping reliance on REST webapp session mechanism. This impacts UI plugins + virt-viewer (vv file) integration. See commit msg [2] for details on impacts of this change.

[2] https://gerrit.ovirt.org/#/c/49278/

Once BZ#1286696 is fixed & verified we can proceed with [2] and close this BZ thereafter.

Comment 7 Sandro Bonazzola 2016-05-02 10:00:08 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.

Comment 8 Vojtech Szocs 2016-05-17 12:07:13 UTC
Update: https://gerrit.ovirt.org/#/c/49278/ is now merged in master -> console.vv file now contains `sso-token`, replacing the `jsessionid`.

BZ#1286696 is still on POST with rhel-7.2.z? flag (not approved yet).

Comment 9 Yaniv Lavi 2016-05-23 13:16:40 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 10 Yaniv Lavi 2016-05-23 13:20:19 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 11 Michal Skrivanek 2016-06-14 21:04:40 UTC
This _is_ broken as of now as far as I know. 
Martin?

Comment 12 Martin Betak 2016-06-15 11:33:33 UTC
@Vojtech: since the engine patch has been in for some time and both platform bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?

Comment 13 Vojtech Szocs 2016-06-15 13:03:20 UTC
(In reply to Martin Betak from comment #12)
> @Vojtech: since the engine patch has been in for some time and both platform
> bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?

BZ#1339247 is for Windows edition of virt-viewer (mingw-virt-viewer).
BZ#1286696 is for RHEL 7.3 virt-viewer.
BZ#1344635 is for RHEL 7.2 virt-viewer -> this is what we need in RHEV 4.

I think there's one more thing to do: update Engine `RemoteViewerSupportedVersions` config value to reflect supported virt-viewer version, similar to what was done in patch https://gerrit.ovirt.org/#/c/56616/

Comment 14 Michal Skrivanek 2016-06-15 13:26:47 UTC
let's wait a bit until the virt-viewer hits the outside world...

Comment 15 Michal Skrivanek 2016-07-22 10:59:31 UTC
Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing this properly limits the console clients to RHEL7.2+ and Windows.

Comment 16 Moran Goldboim 2016-07-25 13:32:23 UTC
(In reply to Michal Skrivanek from comment #15)
> Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing
> this properly limits the console clients to RHEL7.2+ and Windows.

ack on the change, let's make sure documentation is covering it well, specifically on the product requirements definitions.

Comment 20 sefi litmanovich 2016-08-11 15:13:32 UTC
Verified with rhevm-4.0.2.6-0.1.el7ev.noarch.
The scope of this bz: version line in .vv file updated according to virt-viewer versions supporting sso-token.
.vv file and engine-config contains the correct values.
Verified that spice console doesn't open with rhel 6 client.
Verified that spice console opens with rhel 7 with virt-viewer-2.0-11, windows 7 32 bit with 2.0-160 and windows 8 64 bit with 2.0-176.
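
An added example, not part of the bug report and not oVirt or virt-viewer code: a Python check that flags a console.vv file still carrying `jsessionid` and compares its `versions=` minimums with the ones in the Doc Text. The section names, the `os:version;...` row layout, the OS keys, numeric version strings and the sample files are assumptions constructed for illustration.

```python
import configparser

# Minimums from this bug's Doc Text; the OS keys themselves are assumed names.
MIN_SSO_VERSIONS = {"rhev-win64": "2.0-160", "rhev-win32": "2.0-160", "rhel7": "2.0-8"}

def _vkey(version):
    """Turn '2.0-160' into (2, 0, 160) so builds compare numerically."""
    return tuple(int(p) for p in version.replace("-", ".").split("."))

def parse_versions(row):
    """Parse an 'os:version;os:version' row (assumed layout) into a dict."""
    pairs = (item.partition(":") for item in row.split(";") if item.strip())
    return {os_id.strip(): ver.strip() for os_id, _, ver in pairs}

def audit_vv(text):
    """Return a list of findings for one .vv file; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    rows = {k: v for section in cp.sections() for k, v in cp[section].items()}
    findings = []
    if "jsessionid" in rows:
        findings.append("jsessionid row present: file still carries an HTTP session id")
    if "sso-token" not in rows:
        findings.append("no sso-token row")
        return findings
    declared = parse_versions(rows.get("versions", ""))
    for os_id, minimum in MIN_SSO_VERSIONS.items():
        if os_id not in declared:
            findings.append(f"versions= sets no minimum for {os_id}")
        elif _vkey(declared[os_id]) < _vkey(minimum):
            findings.append(f"{os_id}: {declared[os_id]} predates sso-token support ({minimum})")
    return findings

# Constructed samples; section names and credential values are placeholders.
GOOD_VV = """[virt-viewer]
type=spice
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-8
[ovirt]
sso-token=CONSTRUCTED-TOKEN
"""
LEGACY_VV = """[virt-viewer]
type=spice
versions=rhev-win64:2.0-128;rhel7:2.0-6
[ovirt]
jsessionid=CONSTRUCTED-SESSION-ID
"""
STALE_VV = GOOD_VV.replace("rhel7:2.0-8", "rhel7:2.0-6")
```

`audit_vv(GOOD_VV)` returns an empty list, while the legacy and stale samples each return findings naming the offending row.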

