Bug 1459987 - Changes to timeout setting should not require evmserverd restart [NEEDINFO]
Summary: Changes to timeout setting should not require evmserverd restart
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.8.2
Assignee: Tim Wade
QA Contact: Matt Pusateri
Whiteboard: auth:externalauth:ssui
Depends On: 1451848 1468000
Reported: 2017-06-08 18:26 UTC by Satoe Imaishi
Modified: 2017-10-24 00:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1451848
Last Closed: 2017-10-24 00:16:35 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
mpusater: needinfo? (twade)


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:3005 | 0 | normal | SHIPPED_LIVE | Important: Red Hat CloudForms security, bug fix, and enhancement update | 2017-10-24 04:15:49 UTC

Comment 2 CFME Bot 2017-06-08 18:31:16 UTC
New commit detected on ManageIQ/manageiq/fine:

commit e201995ab0a9e6df7837866ad43e6b7557d6c003
Author:     Alberto Bellotti <abellotti@users.noreply.github.com>
AuthorDate: Thu May 18 21:12:43 2017 -0400
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Thu Jun 8 14:26:53 2017 -0400

    Merge pull request #15124 from imtayadeway/api/token-manager-token-ttl
    Make TokenManager#token_ttl callable (evaluated at call time)
    (cherry picked from commit e35b6c20838e9d63fc6ab8c90ad94a4e8210a4a3)

 lib/services/api/user_token_service.rb |  4 ++--
 lib/token_manager.rb                   | 20 ++++++++++++--------
 spec/lib/token_manager_spec.rb         | 24 ++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 10 deletions(-)
 create mode 100644 spec/lib/token_manager_spec.rb
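
The change named in the commit above (a token TTL evaluated at call time rather than once at start-up), as an added Ruby example that is not ManageIQ's code and not part of the original bug report. `DemoTokenStore`, the `settings` hash and the fake clock are hypothetical names used only to show why a TTL captured at construction keeps enforcing the old session timeout until the process restarts.

```ruby
require "securerandom"

# Hypothetical token store (not ManageIQ's TokenManager); names are assumptions.
class DemoTokenStore
  # ttl: Integer (value frozen at construction) or callable (read on each use).
  def initialize(ttl:, clock:)
    @ttl = ttl
    @clock = clock
    @tokens = {}
  end

  def token_ttl
    @ttl.respond_to?(:call) ? @ttl.call : @ttl
  end

  def issue(user)
    token = SecureRandom.hex(16)
    @tokens[token] = { user: user, expires_on: @clock.call + token_ttl }
    token
  end

  def valid?(token)
    entry = @tokens[token]
    return false if entry.nil?
    return true if entry[:expires_on] > @clock.call
    @tokens.delete(token) # expired: drop it so it cannot be reused
    false
  end
end

# Constructed scenario: the timeout is shortened from 600 s to 300 s at runtime.
def demo
  now = 1_000                       # fake clock, seconds
  clock = -> { now }
  settings = { token_ttl: 600 }     # stand-in for the server's live settings
  eager = DemoTokenStore.new(ttl: settings[:token_ttl], clock: clock)
  lazy  = DemoTokenStore.new(ttl: -> { settings[:token_ttl] }, clock: clock)

  settings[:token_ttl] = 300        # admin change, no process restart
  eager_token = eager.issue("alice")
  lazy_token  = lazy.issue("alice")
  now += 301                        # just past the new timeout

  { eager_ttl: eager.token_ttl, lazy_ttl: lazy.token_ttl,
    eager_still_valid: eager.valid?(eager_token),
    lazy_still_valid: lazy.valid?(lazy_token) }
end

p demo if $PROGRAM_NAME == __FILE__
```

In this sketch only tokens issued after the settings change pick up the new TTL; tokens issued earlier keep the expiry computed when they were created.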

Comment 3 Matt Pusateri 2017-06-30 19:32:05 UTC
Tested on MIQLDAP (AD, FreeIPA, OpenLDAP), External Auth (AD, FreeIPA). SSUI didn't seem to time out. Set timeout for 5 mins, waited 6-7 mins each time. Classic UI timed out, but SSUI never did.

Setting this back to ON_DEV as it doesn't seem to work.

Comment 4 Tim Wade 2017-07-05 15:34:53 UTC

From what I understand, the SSUI polls the backend every 5 minutes for any updates. So in theory, it could take in the worst case 10 minutes for your session to time out immediately after changing.

This bug is really concerned with the core of the application - if you believe there to be an issue still with one of the consumers or the API we should probably open a separate issue for that.

Comment 5 Matt Pusateri 2017-07-05 15:42:08 UTC
This timeout worked fine when I verified the original bug. https://bugzilla.redhat.com/show_bug.cgi?id=1443166  Now maybe I got lucky verifying it?  But as I understood things, I thought we had a fix for SSUI polling every 5 mins.

Comment 6 Tim Wade 2017-07-05 17:28:57 UTC

That BZ was concerned with the SSUI erroneously refreshing the token (and hence extending the ttl) on every request.

It seems that you have already verified this works independently of the SSUI. If you have an issue with the SSUI can you either open a new ticket for that, or reassign to someone from the SSUI team?

Comment 7 Chris Hale 2017-07-05 17:42:07 UTC
SUI polls every 5 minutes but all polling has been excluded from causing the SUI session to stay alive.  If things aren't working then we would need the API team to help instruct our testing team on what to look for in the logs that indicate the session timeout changed without having to manually reboot the manageiq server process.  If testing says that everything looks like it should in logs etc, then the SUI team can help testing look again at this issue.

Comment 9 Matt Pusateri 2017-07-05 18:46:05 UTC
Per Chris Kacerguis: Open regression bug due to SSUI not timing out, https://bugzilla.redhat.com/show_bug.cgi?id=1468000. Hold on QA till he has time to sort things out with SSUI and API teams.

Comment 13 Matt Pusateri 2017-09-07 17:54:44 UTC
Verified due to the SSUI timeout session bug. But I'd really like to be able to verify this via the logs, seeing something logged, or some way to tell via the system.

Comment 15 errata-xmlrpc 2017-10-24 00:16:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.