Bug 1285883 - Align virt-viewer to engine SSO and remove proprietary HTTP session access
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2.4
Assignee: jniederm
QA Contact: sefi litmanovich
URL:
Whiteboard:
Depends On: 1286696 1324457 1339247
Blocks: 975730 ovirt-aaa-sso
Reported: 2015-11-26 20:50 UTC by Alon Bar-Lev
Modified: 2023-09-14 03:13 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The Virt Viewers .vv file's 'versions=' row requires a remote-viewer that supports the 'sso-token=' row. The minimum versions are:
- Windows (64-bit and 32-bit): 2.0-160
- Red Hat Enterprise Linux 7: 2.0-8
- Red Hat Enterprise Linux 6: No supporting sso-token planned.
Clone Of:
Environment:
Last Closed: 2016-08-12 14:22:55 UTC
oVirt Team: Virt
Embargoed:
rule-engine: ovirt-4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
michal.skrivanek: devel_ack+
mavital: testing_ack+


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| oVirt gerrit | 61227 | 0 | master | MERGED | core: virt-viewer with sso-token support required | 2016-07-25 13:37:27 UTC |
| oVirt gerrit | 61334 | 0 | ovirt-engine-4.0 | MERGED | core: virt-viewer with sso-token support required | 2016-07-25 14:30:52 UTC |
| oVirt gerrit | 61336 | 0 | ovirt-engine-4.0.2 | MERGED | core: virt-viewer with sso-token support required | 2016-07-25 20:53:33 UTC |
| oVirt gerrit | 61636 | 0 | master | MERGED | core: virt-viewer with sso-token support, rhel7 | 2016-07-28 13:39:48 UTC |
| oVirt gerrit | 61641 | 0 | ovirt-engine-4.0 | MERGED | core: virt-viewer with sso-token support, rhel7 | 2016-07-28 14:58:17 UTC |
| oVirt gerrit | 61646 | 0 | ovirt-engine-4.0.2 | MERGED | core: virt-viewer with sso-token support, rhel7 | 2016-07-28 14:58:35 UTC |

Description Alon Bar-Lev 2015-11-26 20:50:28 UTC
We had a long discussion about this in bug#975730, gerrit and offline.

It was a mistake to add a non-standard approach to hijack the session, it was a mistake to alter another project to use something that is far from being an interface of the product, but you implemented it anyway.

Now it is time to revert.

Please open a bug that blocks this with virt-viewer to use the SSO token to access the restapi instead of using the http session.

The usage of SSO token is specified here[1].

In a nutshell it is accessible by adding:

Authorization: Bearer TOKEN

TOKEN is available within the application.

[1] http://www.ovirt.org/Features/UniformSSOSupport

Comment 1 Alon Bar-Lev 2015-11-26 21:21:14 UTC
BTW: adding the feature as ability to set any header within the .vv as I recommended, would have made it possible to migrate into the new setup without implication of virt-viewer. Unfortunately we need to revisit this one.

Comment 2 Red Hat Bugzilla Rules Engine 2015-11-27 06:05:36 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 3 Michal Skrivanek 2015-11-27 09:36:54 UTC
after initial investigation, please open follow up bugs on virt-viewer
need to sync with https://gerrit.ovirt.org/#/c/49278/ and both Linux and Windows version of virt-viewer

Comment 5 Oved Ourfali 2016-03-11 07:14:35 UTC
As we handle sessions differently, and if I understand the context correctly, this must be done in 4.0.

Comment 6 Vojtech Szocs 2016-03-11 14:33:19 UTC
(In reply to Oved Ourfali from comment #5)
> As we handle sessions differently, and if I understand the context
> correctly, this must be done in 4.0.

AFAIK, in 4.0 the REST webapp will still support cookie-based server-side session mechanism [1]. This is because there might be systems/tools still relying on this mechanism.

[1] http://www.ovirt.org/develop/release-management/features/infra/restsessionmanagement/

Anyway, in 4.0 we'd like to align UI with SSO, dropping reliance on REST webapp session mechanism. This impacts UI plugins + virt-viewer (vv file) integration. See commit msg [2] for details on impacts of this change.

[2] https://gerrit.ovirt.org/#/c/49278/

Once BZ#1286696 is fixed & verified we can proceed with [2] and close this BZ thereafter.

Comment 7 Sandro Bonazzola 2016-05-02 10:00:08 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.

Comment 8 Vojtech Szocs 2016-05-17 12:07:13 UTC
Update: https://gerrit.ovirt.org/#/c/49278/ is now merged in master -> console.vv file now contains `sso-token`, replacing the `jsessionid`.

BZ#1286696 is still on POST with rhel-7.2.z? flag (not approved yet).

Comment 9 Yaniv Lavi 2016-05-23 13:16:40 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 10 Yaniv Lavi 2016-05-23 13:20:19 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 11 Michal Skrivanek 2016-06-14 21:04:40 UTC
This _is_ broken as of now as far as I know. 
Martin?

Comment 12 Martin Betak 2016-06-15 11:33:33 UTC
@Vojtech: since the engine patch has been in for some time and both platform bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?

Comment 13 Vojtech Szocs 2016-06-15 13:03:20 UTC
(In reply to Martin Betak from comment #12)
> @Vojtech: since the engine patch has been in for some time and both platform
> bugs BZ#1286696 and BZ#1339247 are now ON_QA is there anything else missing?

BZ#1339247 is for Windows edition of virt-viewer (mingw-virt-viewer).
BZ#1286696 is for RHEL 7.3 virt-viewer.
BZ#1344635 is for RHEL 7.2 virt-viewer -> this is what we need in RHEV 4.

I think there's one more thing to do: update Engine `RemoteViewerSupportedVersions` config value to reflect supported virt-viewer version, similar to what was done in patch https://gerrit.ovirt.org/#/c/56616/

Comment 14 Michal Skrivanek 2016-06-15 13:26:47 UTC
let's wait a bit until the virt-viewer hits the outside world...

Comment 15 Michal Skrivanek 2016-07-22 10:59:31 UTC
Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing this properly limits the console clients to RHEL7.2+ and Windows.

Comment 16 Moran Goldboim 2016-07-25 13:32:23 UTC
(In reply to Michal Skrivanek from comment #15)
> Moran, note there is no RHEL6 virt-viewer support (bug 1347656). So fixing
> this properly limits the console clients to RHEL7.2+ and Windows.

ack on the change, let's make sure documentation is covering it well, specifically on the product requirements definitions.

Comment 20 sefi litmanovich 2016-08-11 15:13:32 UTC
Verified with rhevm-4.0.2.6-0.1.el7ev.noarch.
The scope of this bz: version line in .vv file updated according to virt-viewer versions supporting sso-token.
.vv file and engine-config contains the correct values.
Verified that spice console doesn't open with rhel 6 client.
Verified that spice console opens with rhel 7 with virt-viewer-2.0-11, windows 7 32 bit with 2.0-160 and windows 8 64 bit with 2.0-176.
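
The two mechanisms this bug tracks, shown together as an added example that is not part of the thread or of oVirt/virt-viewer code: reading the `sso-token=` row from a console.vv file to build the `Authorization: Bearer` header from the description, and checking a client build against the `versions=` row. The sample file, host names, GUID, token and os-id names are constructed, and the numeric version comparison is a simplification.

```python
import configparser
import re

# Constructed sample console.vv; host, GUID, token and os-id names are made up.
SAMPLE_VV = """\
[virt-viewer]
type=spice
host=host.example.test
port=5900
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-8

[ovirt]
host=engine.example.test
vm-guid=00000000-0000-0000-0000-000000000001
sso-token=CONSTRUCTED-TOKEN-VALUE
"""

def _ver(s):
    # Simplified numeric comparison key: "2.0-11" -> (2, 0, 11).
    return tuple(int(p) for p in re.split(r"[.-]", s))

def load_vv(text):
    # interpolation=None so '%' inside a token is never expanded.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def client_supported(cp, os_id, installed):
    """True if `installed` meets the minimum in the versions= row for os_id.
    Treating an os-id absent from the row as unsupported is this example's choice."""
    row = cp["virt-viewer"]["versions"]
    entries = dict(e.split(":", 1) for e in row.split(";") if e)
    minimum = entries.get(os_id)
    return minimum is not None and _ver(installed) >= _ver(minimum)

def rest_headers(cp):
    """Build REST API headers from sso-token; never fall back to jsessionid."""
    ovirt = cp["ovirt"]
    if "sso-token" not in ovirt:
        raise ValueError("no sso-token= row; legacy jsessionid is not accepted")
    return {"Authorization": "Bearer " + ovirt["sso-token"]}

def redacted(cp):
    """Copy of the [ovirt] section that is safe to write to a log."""
    secret = ("sso-token", "jsessionid")
    return {k: ("<redacted>" if k in secret else v) for k, v in cp["ovirt"].items()}
```

The .vv file carries a bearer credential, so anything that stores or logs it should go through something like `redacted()` first.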

Comment 21 Red Hat Bugzilla 2023-09-14 03:13:54 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

