Bug 1285883 - Align virt-viewer to engine SSO and remove proprietary HTTP session access [NEEDINFO]
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2.4
Assigned To: jniederm
QA Contact: sefi litmanovich
Depends On: 1286696 1324457 1339247
Blocks: 975730 ovirt-aaa-sso
Reported: 2015-11-26 15:50 EST by Alon Bar-Lev
Modified: 2016-08-12 10:22 EDT

Doc Type: Enhancement
Doc Text:
The Virt Viewers .vv file's 'versions=' row requires a remote-viewer that supports the 'sso-token=' row. The minimum versions are:
- Windows (64-bit and 32-bit): 2.0-160
- Red Hat Enterprise Linux 7: 2.0-8
- Red Hat Enterprise Linux 6: No supporting sso-token planned.
Last Closed: 2016-08-12 10:22:55 EDT
Type: Bug
oVirt Team: Virt
eedri: needinfo? (amarchuk)
rule-engine: ovirt‑4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
michal.skrivanek: devel_ack+
mavital: testing_ack+




External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 61227 master MERGED core: virt-viewer with sso-token support required 2016-07-25 09:37 EDT
oVirt gerrit 61334 ovirt-engine-4.0 MERGED core: virt-viewer with sso-token support required 2016-07-25 10:30 EDT
oVirt gerrit 61336 ovirt-engine-4.0.2 MERGED core: virt-viewer with sso-token support required 2016-07-25 16:53 EDT
oVirt gerrit 61636 master MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 09:39 EDT
oVirt gerrit 61641 ovirt-engine-4.0 MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 10:58 EDT
oVirt gerrit 61646 ovirt-engine-4.0.2 MERGED core: virt-viewer with sso-token support, rhel7 2016-07-28 10:58 EDT

Description Alon Bar-Lev 2015-11-26 15:50:28 EST
We had a long discussion about this in bug#975730, gerrit and offline.

It was a mistake to add a non-standard approach to hijack the session, it was a mistake to alter another project to use something that is far from being an interface of the product, but you implemented it anyway.

Now it is time to revert.

Please open a bug that blocks this with virt-viewer to use the SSO token to access the restapi instead of using the http session.

The usage of SSO token is specified here[1].

In a nutshell, it is accessible by adding:

Authorization: Bearer TOKEN

TOKEN is available within application.

[1] http://www.ovirt.org/Features/UniformSSOSupport
Comment 1 Alon Bar-Lev 2015-11-26 16:21:14 EST
BTW: adding the feature as ability to set any header within the .vv as I recommended, would have made it possible to migrate into the new setup without implication of virt-viewer. Unfortunately we need to revisit this one.
Comment 2 Red Hat Bugzilla Rules Engine 2015-11-27 01:05:36 EST
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
Comment 3 Michal Skrivanek 2015-11-27 04:36:54 EST
after initial investigation, please open follow up bugs on virt-viewer
need to sync with https://gerrit.ovirt.org/#/c/49278/ and both Linux and Windows version of virt-viewer
Comment 5 Oved Ourfali 2016-03-11 02:14:35 EST
As we handle sessions differently, and if I understand the context correctly, this must be done in 4.0.
Comment 6 vszocs 2016-03-11 09:33:19 EST
(In reply to Oved Ourfali from comment #5)
> As we handle sessions differently, and if I understand the context
> correctly, this must be done in 4.0.

AFAIK, in 4.0 the REST webapp will still support cookie-based server-side session mechanism [1]. This is because there might be systems/tools still relying on this mechanism.

[1] http://www.ovirt.org/develop/release-management/features/infra/restsessionmanagement/

Anyway, in 4.0 we'd like to align UI with SSO, dropping reliance on REST webapp session mechanism. This impacts UI plugins + virt-viewer (vv file) integration. See commit msg [2] for details on impacts of this change.

[2] https://gerrit.ovirt.org/#/c/49278/

Once BZ#1286696 is fixed & verified we can proceed with [2] and close this BZ thereafter.
Comment 7 Sandro Bonazzola 2016-05-02 06:00:08 EDT
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.
Comment 8 vszocs 2016-05-17 08:07:13 EDT
Update: https://gerrit.ovirt.org/#/c/49278/ is now merged in master -> console.vv file now contains `sso-token`, replacing the `jsessionid`.

BZ#1286696 is still on POST with rhel-7.2.z? flag (not approved yet).
Comment 9 Yaniv Lavi 2016-05-23 09:16:40 EDT
oVirt 4.0 beta has been released, moving to RC milestone.
Comment 10 Yaniv Lavi 2016-05-23 09:20:19 EDT
oVirt 4.0 beta has been released, moving to RC milestone.
Comment 11 Michal Skrivanek 2016-06-14 17:04:40 EDT
This _is_ broken as of now as far as I know. 
Martin?
Comment 12 Martin Betak 2016-06-15 07:33:33 EDT
@Vojtech: since the engine patch has been in for some time and both platform bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?
Comment 13 vszocs 2016-06-15 09:03:20 EDT
(In reply to Martin Betak from comment #12)
> @Vojtech: since the engine patch has been in for some time and both platform
> bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?

BZ#1339247 is for Windows edition of virt-viewer (mingw-virt-viewer).
BZ#1286696 is for RHEL 7.3 virt-viewer.
BZ#1344635 is for RHEL 7.2 virt-viewer -> this is what we need in RHEV 4.

I think there's one more thing to do: update Engine `RemoteViewerSupportedVersions` config value to reflect supported virt-viewer version, similar to what was done in patch https://gerrit.ovirt.org/#/c/56616/
Comment 14 Michal Skrivanek 2016-06-15 09:26:47 EDT
let's wait a bit until the virt-viewer hits the outside world...
Comment 15 Michal Skrivanek 2016-07-22 06:59:31 EDT
Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing this properly limits the console clients to RHEL7.2+ and Windows.
Comment 16 Moran Goldboim 2016-07-25 09:32:23 EDT
(In reply to Michal Skrivanek from comment #15)
> Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing
> this properly limits the console clients to RHEL7.2+ and Windows.

ack on the change, let's make sure documentation is covering it well, specifically on the product requirements definitions.
Comment 20 sefi litmanovich 2016-08-11 11:13:32 EDT
Verified with rhevm-4.0.2.6-0.1.el7ev.noarch.
The scope of this bz: version line in .vv file updated according to virt-viewer versions supporting sso-token.
.vv file and engine-config contains the correct values.
Verified that spice console doesn't open with rhel 6 client.
Verified that spice console opens with rhel 7 with virt-viewer-2.0-11, windows 7 32 bit with 2.0-160 and windows 8 64 bit with 2.0-176.
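
The change discussed in the description (REST access with `Authorization: Bearer TOKEN` instead of the HTTP session) and the `versions=` gate verified in comment 20, as an added example that is not part of the bug report or of oVirt/virt-viewer code. The sample file is constructed; the `[ovirt]` section name, the placement of `sso-token`/`jsessionid` in it, and the `os-id:version` layout of `versions` are assumptions.

```python
import configparser

# Constructed sample console.vv. Section/key placement and the os-id:version
# layout of 'versions' are assumptions, not values copied from the bug.
SAMPLE_VV = """\
[virt-viewer]
type=spice
host=host.example.test
port=5900
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-8
[ovirt]
host=engine.example.test
vm-guid=00000000-0000-0000-0000-000000000000
sso-token=CONSTRUCTED-TOKEN
"""

def ver_tuple(text):
    """'2.0-160' -> (2, 0, 160), so 2.0-11 compares as newer than 2.0-8."""
    return tuple(int(p) for p in text.replace("-", ".").split("."))

def parse_vv(text):
    # Interpolation is disabled so a '%' inside a token is kept verbatim.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def rest_headers(cp):
    """Headers for engine REST calls: bearer token only, never a session cookie."""
    ovirt = cp["ovirt"] if cp.has_section("ovirt") else {}
    token = ovirt.get("sso-token")
    if not token:
        legacy = "jsessionid" in ovirt
        raise ValueError("legacy jsessionid only" if legacy else "no sso-token")
    return {"Authorization": "Bearer " + token}

def client_supported(cp, os_id, client_version):
    """True/False against the minimum listed for os_id; None if none is listed."""
    row = cp.get("virt-viewer", "versions", fallback="")
    minimums = dict(e.split(":", 1) for e in row.split(";") if ":" in e)
    if os_id not in minimums:
        return None
    return ver_tuple(client_version) >= ver_tuple(minimums[os_id])
```

The token in a .vv file is a live credential, so tooling that logs or stores parsed .vv content should redact the `sso-token` value.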
