Bug 1358434 - Restapi access should create sessions only if persistent_auth is requested
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.0.4
Target Release: 4.0.4
Assignee: Ravi Nori
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-20 16:35 UTC by Ravi Nori
Modified: 2016-09-26 12:34 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-09-26 12:34:10 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.0.z+
rule-engine: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 61052 0 master MERGED aaa: Restapi access should create sessions only if persistent_auth is requested 2016-07-21 14:22:17 UTC
oVirt gerrit 61219 0 ovirt-engine-4.0 MERGED aaa: Restapi access should create sessions only if persistent_auth is requested 2016-07-26 08:58:58 UTC
oVirt gerrit 61220 0 ovirt-engine-4.0.2 ABANDONED aaa: Restapi access should create sessions only if persistent_auth is requested 2016-07-21 16:13:23 UTC

Description Ravi Nori 2016-07-20 16:35:45 UTC
Description of problem:

Accessing api without persistent-auth creates sessions on engine that are not cleaned up until session expires

Version-Release number of selected component (if applicable): 4.0


How reproducible:


Steps to Reproduce:
1. Access api using curl 
   curl -X GET -D - -u admin@internal:<passwd> -H "filter: true" -H "Accept: application/xml" -H "Content-Type: application/xml"  http://127.0.0.1:8080/ovirt-engine/api/vms
2. Returns JSESSIONID in response

Actual results:

A session is created on engine and JSESSIONID is returned

Expected results:

Session should not be created and JSESSIONID should not be returned unless -H "Prefer: persistent-auth" is specified on the command line

Additional info:

JSESSIONID should only be returned if -H "Prefer: persistent-auth"  is passed

Comment 1 Martin Perina 2016-07-21 14:23:01 UTC
Moving back to POST as we need to backport to ovirt-engine-4.0

Comment 2 Lucie Leistnerova 2016-09-13 11:53:13 UTC
Without -H "Prefer: persistent-auth", restapi doesn't return a session id in both versions 3 and 4

verified in ovirt-engine-restapi-4.0.4.1-0.1.el7ev.noarch
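
A repeatable form of the check described in this report, as an added example that is not part of the bug report or of oVirt's code: it classifies a `curl -D -` header dump by whether a JSESSIONID cookie was issued and whether the request sent "Prefer: persistent-auth". The function names, the verdict strings and the sample headers are constructed for illustration, and flagging a missing cookie when persistent-auth was sent is an assumption.

```sh
#!/bin/sh
# Added example, not oVirt code: classify a `curl -D -` header dump against
# the behaviour this bug report expects from the REST API.

# Succeeds if a Prefer header value carries the persistent-auth token.
# Prefer may hold several comma-separated preferences in any letter case.
prefers_persistent_auth() {
    printf '%s\n' "$1" | tr 'A-Z,' 'a-z\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'persistent-auth'
}

# Succeeds if the response headers on stdin set a JSESSIONID cookie.
# Header names are case-insensitive; curl keeps the CRLF line endings.
sets_session_cookie() {
    tr -d '\r' | grep -iqE '^set-cookie:[[:space:]]*JSESSIONID='
}

# Usage: check_response PREFER_VALUE < response-headers
# Prints one verdict:
#   ok                  cookie state matches what the request asked for
#   unexpected-session  cookie issued without persistent-auth (this bug)
#   missing-session     persistent-auth sent but no cookie (assumed worth flagging)
check_response() {
    if sets_session_cookie; then got=yes; else got=no; fi
    if prefers_persistent_auth "$1"; then want=yes; else want=no; fi
    case "$want/$got" in
        no/yes) echo unexpected-session ;;
        yes/no) echo missing-session ;;
        *)      echo ok ;;
    esac
}

# Constructed sample header dumps, not captured from a real engine.
BUGGY_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=constructed-id; Path=/; HttpOnly\r\nContent-Type: application/xml\r\n')
FIXED_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n')

printf '%s\n' "$BUGGY_HEADERS" | check_response ""
printf '%s\n' "$FIXED_HEADERS" | check_response ""
printf '%s\n' "$BUGGY_HEADERS" | check_response "persistent-auth"
```

Against a live engine, pipe the headers from the curl command in the steps to reproduce (run with `-s -o /dev/null -D -`) into `check_response`, passing the Prefer value that was sent or an empty string.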

