Bug 1434605 - SSO token used for the API expires when running only queries
Summary: SSO token used for the API expires when running only queries
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: future
Hardware: Unspecified
OS: Unspecified
Importance: unspecified high with 1 vote
Target Milestone: ovirt-4.1.3
Target Release: 4.1.3
Assignee: Ravi Nori
QA Contact: Gonza
Reported: 2017-03-21 21:59 UTC by Juan Hernández
Modified: 2017-07-06 13:16 UTC (History)
Last Closed: 2017-07-06 13:16:14 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1+
Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 74470 0 'None' ABANDONED restapi: All queries refresh backend session 2021-02-21 13:16:17 UTC
oVirt gerrit 74527 0 'None' MERGED aaa: SSO token used for the API expires when running only queries 2021-02-21 13:16:16 UTC
oVirt gerrit 74848 0 'None' MERGED aaa: SSO token used for the API expires when running only queries 2021-02-21 13:16:16 UTC
oVirt gerrit 76683 0 'None' MERGED aaa: SSO token used for the API expires when running only queries 2021-02-21 13:16:16 UTC
oVirt gerrit 76715 0 'None' MERGED aaa: SSO token used for the API expires when running only queries 2021-02-21 13:16:17 UTC

Description Juan Hernández 2017-03-21 21:59:20 UTC
The backend has a 30-minute timeout for its internal sessions, and the lifetime of these sessions isn't extended when running queries, only when running other kinds of commands. When the session expires the SSO token also expires. This means that long running API programs that perform only queries will see their SSO tokens expired even if they are performing activity. This is, in my opinion, incorrect. The SSO token used to access the token should not expire if it was used recently, regardless of what it was used for.

Comment 1 Juan Hernández 2017-03-22 14:15:03 UTC
The refresh flag of queries needs to be set/cleared depending on the type of client of the API: webadmin, user portal, or normal API client. This can't be determined by the API itself, so I am abandoning the patch and moving the bug back to the AAA component.
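The two behaviours described in the description and in comment 1 (queries never refreshing the backend session, versus refreshing it only for plain API clients) can be modelled with a small idle-timeout session store. The code below is an added illustration, not oVirt engine code; the `SessionStore`, `ClientType` and `first_failure` names, the 20-second polling loop and the assumption that the SSO token dies exactly when the backend session is dropped are all constructed for this example. The 30-minute timeout is the figure given in the report.

```python
"""Toy model of the backend session idle timeout described in this bug.

Assumptions (this is not oVirt code): a session is dropped once no
refreshing request has touched it for `timeout` seconds, the SSO token
bound to it is rejected from then on, and queries refresh the session
only for the client types listed in the store's policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional

# UserSessionTimeOutInterval: the report states a 30 minute backend timeout.
SESSION_TIMEOUT = 30 * 60


class ClientType(Enum):
    WEBADMIN = "webadmin"
    USER_PORTAL = "userportal"
    API = "api"  # e.g. a long running SDK script that only lists VMs


@dataclass
class Session:
    client: ClientType
    last_refresh: float  # seconds; the idle clock restarts from here


class SessionStore:
    def __init__(self, refresh_on_query: FrozenSet[ClientType],
                 timeout: float = SESSION_TIMEOUT) -> None:
        self._sessions: Dict[str, Session] = {}
        self.timeout = timeout
        self.refresh_on_query = refresh_on_query

    def login(self, token: str, client: ClientType, now: float) -> None:
        self._sessions[token] = Session(client, now)

    def _drop_idle(self, now: float) -> None:
        # Sessions idle for at least `timeout` seconds are terminated, which
        # is the moment the SSO token tied to them stops being accepted.
        for token, s in list(self._sessions.items()):
            if now - s.last_refresh >= self.timeout:
                del self._sessions[token]

    def request(self, token: str, now: float, is_query: bool) -> None:
        self._drop_idle(now)
        s = self._sessions.get(token)
        if s is None:
            raise PermissionError(
                "invalid_grant: The provided authorization grant for the auth code has expired.")
        # Commands always refresh; queries refresh only for the client types
        # the policy allows.
        if not is_query or s.client in self.refresh_on_query:
            s.last_refresh = now


# Behaviour reported in the description: queries never refresh, whoever the client is.
POLICY_BEFORE: FrozenSet[ClientType] = frozenset()
# Behaviour comment 1 asks for: plain API clients are kept alive by their queries,
# while the polling web UIs are not (an idle browser tab should still time out).
POLICY_AFTER: FrozenSet[ClientType] = frozenset({ClientType.API})


def first_failure(policy: FrozenSet[ClientType], client: ClientType = ClientType.API,
                  poll_interval: float = 20,
                  duration: float = 2 * SESSION_TIMEOUT) -> Optional[float]:
    """Issue a query every `poll_interval` seconds and return the time of the
    first rejected request, or None if the token survives the whole `duration`."""
    store = SessionStore(policy)
    store.login("tok", client, now=0)
    t = poll_interval
    while t <= duration:
        try:
            store.request("tok", now=t, is_query=True)
        except PermissionError:
            return t
        t += poll_interval
    return None


if __name__ == "__main__":
    print("before fix, API client:", first_failure(POLICY_BEFORE))                    # 1800
    print("after fix, API client: ", first_failure(POLICY_AFTER))                     # None
    print("after fix, webadmin:   ", first_failure(POLICY_AFTER, ClientType.WEBADMIN))  # 1800
```

Running it shows the reported symptom: with the old policy an API client polling every 20 seconds loses its token exactly at the 30-minute mark, although it was never idle, while with the per-client policy the same client stays logged in and only the web UI sessions, which poll on their own, still time out. The model covers only the idle timeout the bug is about; it says nothing about an absolute token lifetime, which a real deployment may enforce separately.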

Comment 2 Gonza 2017-05-10 14:17:27 UTC
Tried with:
rhevm-4.1.2.1-0.1.el7.noarch

The provided authorization grant for the auth code expires after UserSessionTimeOutInterval with a query to VMs every 20 seconds.

2017-05-10 17:06:30,861+03 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-1) [] User admin@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-05-10 17:07:04,795+03 INFO  [org.ovirt.engine.api.restapi.security.CORSSupportFilter] (default task-2) [] CORS support is disabled.
2017-05-10 17:07:05,609+03 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-2) [71c8cd1] Running command: CreateUserSessionCommand internal: false.
2017-05-10 17:07:05,788+03 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-2) [71c8cd1] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 71c8cd1, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz logged in.
2017-05-10 17:08:46,914+03 INFO  [org.ovirt.engine.core.sso.servlets.OAuthRevokeServlet] (default task-11) [] User admin@internal successfully logged out
2017-05-10 17:08:47,019+03 INFO  [org.ovirt.engine.core.bll.aaa.TerminateSessionsForTokenCommand] (default task-12) [12274887] Running command: TerminateSessionsForTokenCommand internal: true.
2017-05-10 17:09:04,947+03 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-14) [] OAuthException invalid_grant: The provided authorization grant for the auth code has expired.
2017-05-10 17:09:04,958+03 ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-13) [] Cannot authenticate using authentication Headers: invalid_grant: The provided authorization grant for the auth code has expired.

Comment 3 Red Hat Bugzilla Rules Engine 2017-05-10 14:17:32 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 4 Gonza 2017-06-07 09:30:12 UTC
Verified with:
rhevm-4.1.3.1-0.1.el7.noarch

The provided authorization grant for the auth code does not expire after UserSessionTimeOutInterval with a query to VMs every 20 seconds.