Bug 1468000 - Auth SSUI - Self-service UI doesn't time out when session timeout is reached
Auth SSUI - Self-service UI doesn't time out when session timeout is reached
Status: POST
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.8.0
Unspecified Unspecified
medium Severity medium
: GA
: 6.0.0
Assigned To: Joe Vlcek
Matt Pusateri
auth:miqldap:extrernalauth:ssui
: Regression, TestOnly
: 1487436 (view as bug list)
Depends On:
Blocks: 1451848 1513489 1459987
  Show dependency treegraph
 
Reported: 2017-07-05 14:33 EDT by Matt Pusateri
Modified: 2017-11-28 20:09 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Session Timeout Reason: SSUI Works differently than Classic UI. Result:
Story Points: ---
Clone Of:
: 1513489 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
it wasn't exactly 5 minutes, but within 8 ish saw this in sui (555.27 KB, image/png)
2017-07-06 11:26 EDT, Allen W
no flags Details

  None (edit)
Description Matt Pusateri 2017-07-05 14:33:45 EDT
Description of problem:
Auth SSUI - Self-service UI doesn't time out when session timeout is reached

Version-Release number of selected component (if applicable):
5.8.1.0

How reproducible:


Steps to Reproduce:
1. Setup either MIQLDAP(AD,FreeIPA, OpenLDAP) or External Auth(FreeIPA,AD)
2. Change session timemout to 5 mins, and do not restart evmserverd
3. Login as valid user to classic UI and SSUI, wait 5 minutes. Classic UI times out as expected, SSUI doesn't

Actual results:
SSUI doesn't timeout.

Expected results:
SSUI should time out. 

Additional info:
See bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1443166 https://bugzilla.redhat.com/show_bug.cgi?id=1459987
Comment 2 Chris Kacerguis 2017-07-06 10:18:37 EDT
A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/148415143
Comment 3 Allen W 2017-07-06 11:25:26 EDT
Ok gonna do the mean thing, ask for a vm for this... With latest sui and latest miq, wasn't able to produce this issue
Comment 4 Allen W 2017-07-06 11:26 EDT
Created attachment 1294981 [details]
it wasn't exactly 5 minutes, but within 8 ish saw this in sui
Comment 7 Chris Kacerguis 2017-07-10 22:34:47 EDT
PR is in, waiting for merge from Satoe
Comment 9 Chris Kacerguis 2017-07-26 13:12:53 EDT
Chris Kacerguis added a comment in Pivotal Tracker:   
   
@awight what's the word on this?  Shows as finished, but I'm not seeing a PR.
Comment 10 Chris Kacerguis 2017-07-26 13:13:26 EDT
Chris Kacerguis added a comment in Pivotal Tracker:   
   
@awight nvm...found it :)
Comment 11 Chris Kacerguis 2017-07-26 13:13:35 EDT
Chris Kacerguis added a comment in Pivotal Tracker:   
   
PR: https://github.com/ManageIQ/manageiq-ui-service/pull/834
Comment 12 Chris Kacerguis 2017-08-09 15:32:27 EDT
Chris Kacerguis added a comment in Pivotal Tracker:   
   
Commit by Allen Wight
https://github.com/ManageIQ/manageiq-ui-service/commit/a46b8a6567dc978f0ea25cf4985cace0880f9843

Ensures skip-token-header is correctly formed [Fixes #148415143]

updates lock file because apprently lock file needs to be updated
Comment 13 Chris Kacerguis 2017-08-15 08:11:42 EDT
Allen added a comment in Pivotal Tracker:   
   
Merged into fineeeeeee
Comment 14 Matt Pusateri 2017-08-31 11:58:23 EDT
We're going to need to put something in the Documentation around setting session time out.

In SSUI, there is a polling mechanism that runs every 5 minutes.  So if you set a session timeout to 5 minutes, it could take up to 10 minutes for SSUI sessions to timeout.  Let's say polling last happened 3 minutes ago, and you set the session timeouts to be 5 minutes. In this scenario, sessions wouldn't time out for 7 minutes.  This will obviously be different for every log in, as when a user logs in, we don't know when polling ran versus when they became idle. So sessions will  timeout based on session timeout value set plus up to an additional 5 minutes.

I believe we should make a note of this in section 4.1.4.2.1 of the General Configuration Guide. Not sure is we reference session timeouts in any other documentation.
Comment 15 Matt Pusateri 2017-08-31 15:40:40 EDT
Session timeouts seem to be partially working. I've been able to set the session timout to 5 mins and see it timeout around 7+ and 10+ minutes. That is as expected with the polling time.

Problem is that I didn't modify the session timeout (left it at 1hr defautlt) and my session timed out in 1 min 20 sec. I suspect it timed out when the polling time expired.
Comment 16 Matt Pusateri 2017-08-31 16:09:49 EDT
I've been able to see this early timeout happen 3-4 times. Sending back to Dev for investigation.
Comment 17 Chris Kacerguis 2017-09-01 10:54:26 EDT
*** Bug 1487436 has been marked as a duplicate of this bug. ***
Comment 19 Allen W 2017-10-09 13:31:10 EDT
Ok after taking another look at this, SUI does not do anything with the timeout aside from reacting when any api request responds with a 401 with an error kind of `unauthorized` (and of course renewing the token, but we took care of that in another bz) Looks be no polling taking place that preserves the session, ie. all polling has the `X-Auth-Skip-Token-Renewal:true` 

The problem is, we can't manage a session life greater than 5 minutes (at idle) even when ops is set to 10min so my thought is whenever timeout is updated in opsui the api isn't reacting :-/

Gonna be resigning this one, but 100% down to 🍐 (pair) if anyone needs me.
Comment 21 Joe Vlcek 2017-11-09 16:41:03 EST
The Session Timeout changes in the UI are not being reflected properly in the UI request type. incidentally the API does properly reflect the Session Timeout changes for the WS request type.

On the appliance UI set the Session Timeout to 20m
On the shell enter the below, noting the token_ttl is not updated for the --request-type=ui but it is updated for the --request-type=ws It should be updated for the --request-type=ui so the SUI can take advantage of Session Timeout updates.

# vmdb; tools/rest_api.rb get  auth --requester-type=ui
{
  "auth_token": "aa1d863c687f5b817aff9d8b718753e8",
  "token_ttl": 3600,
  "expires_on": "2017-11-09T22:37:32Z"
}

# vmdb; tools/rest_api.rb get  auth --requester-type=ws
{
  "auth_token": "5790c02d806eb2b809dd1ab98ee3400b",
  "token_ttl": 1200,
  "expires_on": "2017-11-09T21:57:37Z"
}
Comment 23 CFME Bot 2017-11-10 14:34:41 EST
New commit detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/f8deb94ffa28b1d0cdee62b7681755f2e782b783

commit f8deb94ffa28b1d0cdee62b7681755f2e782b783
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Nov 10 11:46:28 2017 -0500
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Fri Nov 10 14:02:46 2017 -0500

    Reflect session timeout settings updates in the UI requester type
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1468000

 lib/services/api/user_token_service.rb |  7 ++++---
 spec/requests/authentication_spec.rb   | 11 +++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

Note You need to log in before you can comment on or make changes to this bug.