1667489 – UserSessionTimeOutInterval key doesn't take effect on VM Portal

Bug 1667489 - UserSessionTimeOutInterval key doesn't take effect on VM Portal

Summary: UserSessionTimeOutInterval key doesn't take effect on VM Portal

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-web-ui
Sub Component:
Version:	4.2.8
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	ovirt-4.3.5
Target Release:	---
Assignee:	biakymet
QA Contact:	samuel macko
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-18 15:47 UTC by Olimp Bockowski
Modified:	2020-08-03 15:29 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Previously, although SSO tokens are supposed to expire after a period of user inactivity that is defined in engine-config, the VM portal sent a request every minute. Consequently, the SSO token never expired on the VM portal, and the VM portal continued running even when was unused in the background. This bug is now fixed. When the user does not actively use the VM portal for a period of time defined in engine-config, the VM portal presents a prompt. The user is automatically logged out after 30 seconds unless choosing to stay logged in.
Clone Of:
Environment:
Last Closed:	2019-08-12 11:55:44 UTC
oVirt Team:	UX
Target Upstream Version:
Embargoed:
Flags:	lsvaty: testing_plan_complete-

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	/oVirt ovirt-web-ui pull 968	None	None	None	2020-06-30 17:23:51 UTC
Red Hat Knowledge Base (Solution)	3817531	None	None	None	2019-01-18 15:59:20 UTC
Red Hat Product Errata	RHBA-2019:2449	None	None	None	2019-08-12 11:55:50 UTC

Description Olimp Bockowski 2019-01-18 15:47:34 UTC

Description of problem:
The key UserSessionTimeOutInterval for engine-config is used to set timeout interval in minutes, after which inactive user sessions expire.
It doesn't take effect for VM Portal, but works perfectly for Administrator Portal.

Version-Release number of selected component (if applicable):
4.2.7

How reproducible:
always

Steps to Reproduce:
1. engine-config --set UserSessionTimeOutInterval=1
2. systemctl restart ovirt-engine
3. in 2 annonymous windows log into VM portal and Administrator Portal
4. Wait more than 1 minute and see that the user is logged out from Admin but not VM Portal

Actual results:
User in VM Portal is never logged out

Expected results:
the parameter takes effect for both Portals

Additional info:
Most likely the difference is due to the fact that in ovirt-web-ui we have JS frontend and there are perdiocal REST API requests, while in Admin Portal it is handled in a different way? Maybe we should resolve it providing some counter/observer in ovirt-web-ui?

Justification from a customer why it is a bug:

"From the perspective of the user and the administrator:
- one product feature has been lost
- the behavior is no longer consistent to the documentation
- there is a big security risk because the VM_Portal remains logged in.

Since the VM portal is hidden when the console is opened, the user does not log off the portal while working with his VM.
As a result, hundreds of VM portals remain active throughout the day and noticeably burden the RHV management server.
This is what I can notice during my work on Management-Portal. "

Comment 3 Michal Skrivanek 2019-03-18 09:01:37 UTC

https://github.com/oVirt/ovirt-web-ui/pull/968

Comment 4 Scott Dickerson 2019-05-23 18:14:46 UTC

(In reply to Michal Skrivanek from comment #3)
> https://github.com/oVirt/ovirt-web-ui/pull/968

Merged 16-Apr: https://github.com/oVirt/ovirt-web-ui/pull/968#event-2279267505

smacko tested and approved 16-Apr: https://github.com/oVirt/ovirt-web-ui/pull/968#issuecomment-483598228

Comment 5 Scott Dickerson 2019-05-30 17:04:45 UTC

Note: Logout components were refactored [1] and touched the SessionActivityTracker in PR 868.  This caused regression [2].  Regression is fixed in [3].

[1] https://github.com/oVirt/ovirt-web-ui/pull/1014
[2] https://github.com/oVirt/ovirt-web-ui/issues/1024
[3] https://github.com/oVirt/ovirt-web-ui/pull/1025

Comment 9 samuel macko 2019-07-10 11:08:17 UTC

Verified on ovirt-engine 4.3.5.3-0.1.el7.
Verified by following the reproducer.

Comment 11 errata-xmlrpc 2019-08-12 11:55:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2449

Comment 12 Daniel Gur 2019-08-28 13:14:17 UTC

sync2jira

Comment 13 Daniel Gur 2019-08-28 13:19:19 UTC

sync2jira

Note You need to log in before you can comment on or make changes to this bug.