Description of problem: Auth SSUI - Self-service UI doesn't time out when session timeout is reached Version-Release number of selected component (if applicable): 5.8.1.0 How reproducible: Steps to Reproduce: 1. Setup either MIQLDAP(AD,FreeIPA, OpenLDAP) or External Auth(FreeIPA,AD) 2. Change session timemout to 5 mins, and do not restart evmserverd 3. Login as valid user to classic UI and SSUI, wait 5 minutes. Classic UI times out as expected, SSUI doesn't Actual results: SSUI doesn't timeout. Expected results: SSUI should time out. Additional info: See bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1443166 https://bugzilla.redhat.com/show_bug.cgi?id=1459987
A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/148415143
Ok gonna do the mean thing, ask for a vm for this... With latest sui and latest miq, wasn't able to produce this issue
Created attachment 1294981 [details] it wasn't exactly 5 minutes, but within 8 ish saw this in sui
https://github.com/ManageIQ/manageiq-ui-service/pull/834
PR is in, waiting for merge from Satoe
Chris Kacerguis added a comment in Pivotal Tracker: @awight what's the word on this? Shows as finished, but I'm not seeing a PR.
Chris Kacerguis added a comment in Pivotal Tracker: @awight nvm...found it :)
Chris Kacerguis added a comment in Pivotal Tracker: PR: https://github.com/ManageIQ/manageiq-ui-service/pull/834
Chris Kacerguis added a comment in Pivotal Tracker: Commit by Allen Wight https://github.com/ManageIQ/manageiq-ui-service/commit/a46b8a6567dc978f0ea25cf4985cace0880f9843 Ensures skip-token-header is correctly formed [Fixes #148415143] updates lock file because apprently lock file needs to be updated
Allen added a comment in Pivotal Tracker: Merged into fineeeeeee
We're going to need to put something in the Documentation around setting session time out. In SSUI, there is a polling mechanism that runs every 5 minutes. So if you set a session timeout to 5 minutes, it could take up to 10 minutes for SSUI sessions to timeout. Let's say polling last happened 3 minutes ago, and you set the session timeouts to be 5 minutes. In this scenario, sessions wouldn't time out for 7 minutes. This will obviously be different for every log in, as when a user logs in, we don't know when polling ran versus when they became idle. So sessions will timeout based on session timeout value set plus up to an additional 5 minutes. I believe we should make a note of this in section 4.1.4.2.1 of the General Configuration Guide. Not sure is we reference session timeouts in any other documentation.
Session timeouts seem to be partially working. I've been able to set the session timout to 5 mins and see it timeout around 7+ and 10+ minutes. That is as expected with the polling time. Problem is that I didn't modify the session timeout (left it at 1hr defautlt) and my session timed out in 1 min 20 sec. I suspect it timed out when the polling time expired.
I've been able to see this early timeout happen 3-4 times. Sending back to Dev for investigation.
*** Bug 1487436 has been marked as a duplicate of this bug. ***
Ok after taking another look at this, SUI does not do anything with the timeout aside from reacting when any api request responds with a 401 with an error kind of `unauthorized` (and of course renewing the token, but we took care of that in another bz) Looks be no polling taking place that preserves the session, ie. all polling has the `X-Auth-Skip-Token-Renewal:true` The problem is, we can't manage a session life greater than 5 minutes (at idle) even when ops is set to 10min so my thought is whenever timeout is updated in opsui the api isn't reacting :-/ Gonna be resigning this one, but 100% down to 🍐 (pair) if anyone needs me.
The Session Timeout changes in the UI are not being reflected properly in the UI request type. incidentally the API does properly reflect the Session Timeout changes for the WS request type. On the appliance UI set the Session Timeout to 20m On the shell enter the below, noting the token_ttl is not updated for the --request-type=ui but it is updated for the --request-type=ws It should be updated for the --request-type=ui so the SUI can take advantage of Session Timeout updates. # vmdb; tools/rest_api.rb get auth --requester-type=ui { "auth_token": "aa1d863c687f5b817aff9d8b718753e8", "token_ttl": 3600, "expires_on": "2017-11-09T22:37:32Z" } # vmdb; tools/rest_api.rb get auth --requester-type=ws { "auth_token": "5790c02d806eb2b809dd1ab98ee3400b", "token_ttl": 1200, "expires_on": "2017-11-09T21:57:37Z" }
https://github.com/ManageIQ/manageiq-api/pull/199
New commit detected on ManageIQ/manageiq-api/master: https://github.com/ManageIQ/manageiq-api/commit/f8deb94ffa28b1d0cdee62b7681755f2e782b783 commit f8deb94ffa28b1d0cdee62b7681755f2e782b783 Author: Joe VLcek <jvlcek> AuthorDate: Fri Nov 10 11:46:28 2017 -0500 Commit: Joe VLcek <jvlcek> CommitDate: Fri Nov 10 14:02:46 2017 -0500 Reflect session timeout settings updates in the UI requester type https://bugzilla.redhat.com/show_bug.cgi?id=1468000 lib/services/api/user_token_service.rb | 7 ++++--- spec/requests/authentication_spec.rb | 11 +++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-)