VM Portal requires to refresh the API session when there is some activity in the UI. The current state is still not sufficient as there is no way for ovirt-web-ui to trigger the refresh on user actions. See more details in: https://gerrit.ovirt.org/#/c/74848/ https://gerrit.ovirt.org/#/c/74470/ https://github.com/oVirt/ovirt-web-ui/issues/308
Ravi could you please describe how ovirt-web-ui could specify which RESTAPI queries should refresh session and which not?
VM portal should acquire the token with ovirt-app-api scope. This refreshes the session on VM portal usage. The session can also be refreshed by passing QueryParametersBase.refresh as true.
(In reply to Ravi Nori from comment #2) > VM portal should acquire the token with ovirt-app-api scope. This refreshes > the session on VM portal usage. > > The session can also be refreshed by passing QueryParametersBase.refresh as > true. Is this enough for ovirt-web-ui usage or something is still missing ?
the ovirt-app-api scope refreshes session on each call? That's not really desired as for inactive users the background data refreshes shouldn't refresh session. That QueryParametersBase.refresh is a header in API?
Yes ovirt-app-api scope refreshes session on each call. Currently I don't think restapi sets/exposes the QueryParametersBase.refresh parameter. Calls from webadmin set the value to false for background data refreshes. Adding need info on Juan
The API doesn't currently allow the user to control the refresh parameter. And I think it shouldn't. Instead of having the API controlling the duration of the session of the UI it should be the other way around: the UI controlling the duration of the session of the API. The UI can keep track of when it sent the last request that was not interactive. It can then close the API session and log-out the user when it considers it convenient. Can we do that? Anyhow, if I understand correctly the description of the bug, the issue is that the API session is expiring when there is still activity in the client side. Is that reproducible?
It is fine if UI controls the duration. The UI logic can indeed track when to refresh, but there needs to be a way how to do that. > Anyhow, if I understand correctly the description of the bug, the issue is that the API session is expiring when there is still activity in the client side. Is that reproducible? Yes, that's correct. See bug description for links.
Ravi, can UI sent a request with token and specify different scope to control if session should be refreshed or not? If not, any suggestion to enable client to control session refresh?
Can the web-ui use the ovirt-app-api scope, like other API clients do? How? That would make sure that the session is refreshed with every request.
(In reply to Martin Perina from comment #8) > Ravi, can UI sent a request with token and specify different scope to > control if session should be refreshed or not? If not, any suggestion to > enable client to control session refresh? Scope is obtained when the token is obtained and stays the same for the session. So we cannot use scope to control if a session needs to refreshed.
(In reply to Juan Hernández from comment #9) > Can the web-ui use the ovirt-app-api scope, like other API clients do? How? > That would make sure that the session is refreshed with every request. On current master it is not possible to specify a separate scope for web-ui since we are using unified login and both webadmin and web-ui will inherit the same scope. I can submit a patch to use app-scope. The app-scope can be "ovirt-app-api" for web-ui and "ovirt-app-admin" for web-admin. The app-scope can used to determine if the session is refreshed. Nothing should change as far as restapi is concerned.
The patch adds a new context init parameter "app-scope" which can be configured in web.xml of vm portal. This scope is different from the SSO scope used to obtain the token. The new scope is used internally to determine the scope of the app. The app-scope of "ovirt-app-api" would refresh the session on each query. UI can perform queries using restapi as usual nothing changes there. The UI can keep track of when it sent the last request that was not interactive. It can then close the API session and log-out when session times out. So all that needs to be done is. 1. Add new context init parameter in web.xml 2. Keep track of requests 3. invoke logout on timeout
VM portal does not log out while working with it. So this issue is fixed, but side effect is now, that it doesn't log out at all. See https://github.com/oVirt/ovirt-web-ui/issues/436 verified in ovirt-engine-4.2.0-0.5.master.el7.noarch, ovirt-engine-extension-aaa-jdbc-1.1.6-1.el7ev.noarch, ovirt-web-ui-1.3.2-1.el7ev.noarch
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.