New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/c418f8399363a3dd2c8237c5fadd45d59932b001
commit c418f8399363a3dd2c8237c5fadd45d59932b001
Author:     Chris Kacerguis <chriskacerguis.github.com>
AuthorDate: Tue Apr 18 10:33:13 2017 -0500
Commit:     Satoe Imaishi <simaishi>
CommitDate: Wed Apr 19 15:16:11 2017 -0400
    Merge pull request #678 from chalettu/token-header
    Self-service UI doesn't time out when session timeout is reached
    (cherry picked from commit cd8ee12778a370843435bcd5674d88932c200ae1)
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166
 client/app/core/session.service.js | 1 +
 1 file changed, 1 insertion(+)
Hi, We have added this header in, just to be sure, X-Auth-Skip-Token-Renewal=True. Does the "True" have to be capitalized or is it expected to be lower case? Thanks, Chris
Hello, You are right, it should be lower case 'true'. See: https://github.com/ManageIQ/manageiq/blob/08d6d4f35e923b698e23ef94509d8d22706aded0/app/controllers/api/base_controller/authentication.rb#L75 Sorry for the typo in one of the comments. I didn't notice that capitalization matters here. :-(
I don't see the user logged out after the timeout time expires.
Hi Matt. Does the SUI ever log you out, or is it just not logging you out when you believe it should have by a certain time? The endpoint that Simon told us to add a header to only gets retrieved by the SUI every 5 minutes. The net result is that it could be taking 5 minutes + whatever timeout you set in Admin UI. Simon might need to explain to me the workflow of what adding that header does, but I suspect it's just an issue that, because of the delay between our requests, it doesn't time out exactly when it is expected.
It never logs out. I know I set it for 5 mins and waited 6, then logged out manually and logged in and waited 8-10 mins and still nothing. Then I repeated and waited 20 mins on a 5 min timeout setting. Regardless the expectation will be if you set it to 5 mins then it should log you out in 5 mins. What version did you test this on?
Simon, Can you explain to me exactly what is supposed to happen when we pass this header you had us add in? Does the API return some piece of info we are supposed to use to log the person out? I think there must be something in this process we are missing. Thanks in advance, Chris
The service UI does not have a 'session' in the traditional meaning of the word. We only have a token to authenticate with the API. To emulate session expiry, we let this authentication token expire. When the token is used, it is automatically renewed/refreshed. So, any click on the service UI refreshes the token. Without this mechanism the session would expire after these 5.minutes flat.
The problem is that the re-occurring background requests from the service UI must not refresh this token, otherwise we end up with an infinite session again. There are about 5 different background queries that have to supply X-Auth-Skip-Token-Renewal=true to not extend the token indefinitely. Use the network tab of your browser debugger to see more info.
So far so good. Recently, the background query was added on /api?attributes=authorization and the X-Auth-Skip-Token-Renewal=true header was not added, so we ended up with an indefinite session again.
Side note: In an ideal world MiQ would revert this logic. We default to renewal and that causes problems. In an ideal world, we would default to no renewal and we would send something like X-Auth-Renew-Token=true only onClick and everything would be greener.
Chris, I think the problem here is that we send X-Auth-Skip-Token-Renewal=True instead of X-Auth-Skip-Token-Renewal=true. I am sorry I made this typo in bug 1435459 comment 5.
Note, I am not an expert on all of this. I just found all this within 5 minutes of looking into https://github.com/search?q=org%3AManageIQ+X-Auth-Skip-Token-Renewal&type=Code
HTH!
> Chris, I think the problem here is that we send X-Auth-Skip-Token-Renewal=True
> instead of X-Auth-Skip-Token-Renewal=true. I am sorry I made this typo in bug
> 1435459 comment 5.
Ah, I see you already did that in https://github.com/ManageIQ/manageiq-ui-service/pull/716 Perhaps when we crosslink that pr with this bz, it will get backported.
So I have changed our authorizations http call to ensure this token renewal doesn't happen. Here is the catch. Many pages in the Service UI poll the miq backend every 10 seconds or so for data updates. Because these pages poll, you will not time out your session on these pages. Any of our list views and our service details page all poll data on a regular basis. This might be why your testing doesn't log you out as expected. New GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/731
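The renew-on-use token behaviour and the polling problem described in the two comments above, as an added simulation that is not part of the original thread and is not ManageIQ code. The `TokenStore` class, the `firstLogout` helper, the 300-second TTL and the 10-second poll interval are assumptions chosen to match the numbers mentioned in the discussion; the exact lower-case comparison models what the thread reports about the header value.

```javascript
// Simplified model of an API token that is renewed on use. Constructed for
// illustration; not ManageIQ code. All times are in seconds.
const SKIP_HEADER = 'X-Auth-Skip-Token-Renewal';

class TokenStore {
  constructor(ttl) {
    this.ttl = ttl;
    this.expiresAt = ttl; // token issued at t = 0
  }

  // Returns true if the request at time `now` is still authenticated.
  request(now, headers = {}) {
    if (now >= this.expiresAt) return false; // token expired
    // Assumption taken from the thread: only the exact lower-case string
    // 'true' suppresses renewal; any other value renews the token.
    if (headers[SKIP_HEADER] !== 'true') this.expiresAt = now + this.ttl;
    return true;
  }
}

// Replays background polling plus optional user clicks (requests sent without
// the header). Returns the time of the first rejected poll, or null if the
// session outlived the whole observation window.
function firstLogout({ ttl, pollEvery, headerValue, clicks = [], until }) {
  const store = new TokenStore(ttl);
  const pollHeaders = headerValue === undefined ? {} : { [SKIP_HEADER]: headerValue };
  for (let t = pollEvery; t <= until; t += pollEvery) {
    if (clicks.includes(t)) store.request(t); // user activity renews the token
    if (!store.request(t, pollHeaders)) return t;
  }
  return null;
}

const base = { ttl: 300, pollEvery: 10, until: 3600 };
const results = {
  noHeader: firstLogout(base),
  capitalized: firstLogout({ ...base, headerValue: 'True' }),
  lowerCase: firstLogout({ ...base, headerValue: 'true' }),
  clickAt200: firstLogout({ ...base, headerValue: 'true', clicks: [200] }),
};
console.log(results);
```

In this model a single polling request that omits the header, or sends it with the wrong capitalization, keeps the session alive for the whole hour, which is why every background query has to carry the exact value.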
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/431eb1cdd52cd0f17bca1df2ba41ce99036b34f2
commit 431eb1cdd52cd0f17bca1df2ba41ce99036b34f2
Author:     Chris Kacerguis <chriskacerguis.github.com>
AuthorDate: Tue May 2 14:23:11 2017 -0500
Commit:     Satoe Imaishi <simaishi>
CommitDate: Tue May 2 15:59:18 2017 -0400
    Merge pull request #731 from chalettu/session-timeout
    Doesn't time out when session timeout is reached
    (cherry picked from commit b114b90a26e63c4ead172c4c72e93fe565579c5c)
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166
 client/app/core/session.service.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
Confirmed that we are sending the correct header: X-Auth-Skip-Token-Renewal='true' From what we can tell we are sending everything we need to over, but it doesn't appear to log us out. Sending to auth team to investigate (along with the Z-stream clone)
According to Simon and all his testing, this PR should fix it. https://github.com/ManageIQ/manageiq-ui-service/pull/771 Once that is merged, we should test to verify before sending to QE.
(In reply to Chris Kacerguis from comment #18)
> According to Simon and all his testing, this PR should fix it.
>
> https://github.com/ManageIQ/manageiq-ui-service/pull/771
>
> Once that is merged, we should test to verify before sending to QE.
This PR has been merged. I will work with ChrisH, Tim and Simon to confirm this fixes the issue this morning.
JoeV
JoeV - it's merged :) thanks for your help with this.
Tim Wade, ChrisH and I confirmed the change in the PR from Comment 18 does resolve this issue. When ChrisH had initially tested it, he did not realize that evmserverd needed to be restarted in order for the updated "Session Timeout" to take effect. Having to restart evmserverd for updates to the "Session Timeout" to take effect is not a perfect user experience. I have filed a new BZ [1] to track this, which TimW has offered to work on. Also, ChrisH has to make a similar change as was done in the PR from Comment 18 in other places in the SSUI. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1451848
GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/771 and GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/773 are part of this fix.
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/94cbabc50b4326da13843951f493cc62f14b40cf
commit 94cbabc50b4326da13843951f493cc62f14b40cf
Author:     Allen Wight <allen.b.wight>
AuthorDate: Wed May 17 09:38:19 2017 -0400
Commit:     Satoe Imaishi <simaishi>
CommitDate: Wed May 17 17:45:23 2017 -0400
    Merge pull request #771 from chriskacerguis/master
    sending string true vs literal true
    (cherry picked from commit 21de7ce2efaf9ace43df55d25e13de2305d62a83)
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166
 client/app/core/session.service.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/6b46ee169568eef0b65cded5bc42c1abf69fc265
commit 6b46ee169568eef0b65cded5bc42c1abf69fc265
Author:     Chris Kacerguis <chriskacerguis.github.com>
AuthorDate: Wed May 17 13:09:16 2017 -0500
Commit:     Satoe Imaishi <simaishi>
CommitDate: Wed May 17 17:48:07 2017 -0400
    Merge pull request #773 from chalettu/session-timeout-polling
    Enabled session timeout on pages that poll
    (cherry picked from commit 7925f9c9008e4ae0ceca076c45e42c0f4fa73296)
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166
 client/app/requests/order-explorer/order-explorer.component.js | 3 ++-
 client/app/requests/orders-state.service.js | 4 +++-
 .../app/services/service-details/service-details.component.js | 6 +++---
 .../services/service-explorer/service-explorer.component.js | 3 ++-
 client/app/services/services-state.service.js | 6 ++++--
 client/app/services/vm-details/vm-details.component.js | 10 ++++++----
 client/app/services/vms.service.js | 3 ++-
 7 files changed, 22 insertions(+), 13 deletions(-)
Setting the 'requires_doc_text' flag to '-' in accordance with a discussion with Chris Pelland.
Until bug https://bugzilla.redhat.com/show_bug.cgi?id=1443166 gets fixed, SSUI will not respect changes to session timeout unless evmserverd is restarted. We need some doc-text around restarting evmserverd if using SSUI and changing session timeout.
Tested on 5.8.0.16 with MIQLDAP and External Auth on FreeIPA. - SSUI now times out on custom session time.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:1367