Bug 894687 - [rhevm] - Webadmin - Web Admin tries to acquire REST API session using UI user credentials ("Authentication Required" browser popup)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.2.0
Assignee: Vojtech Szocs
QA Contact: David Botzer
URL:
Whiteboard: ux
Depends On:
Blocks: 948448
Reported: 2013-01-13 08:22 UTC by David Botzer
Modified: 2015-09-22 13:09 UTC (History)

Fixed In Version: sf16
Doc Type: Release Note
Doc Text:
Previously, the web browser sent the HTTP Authorization header on all requests to a given origin once the header had been set for the initial request. This meant the user interface plugin infrastructure acquired a REST API session using web administration portal user credentials, including domain and password information, and the session was kept alive until the user signed out of the administration portal. To work around this issue, all user interface plugins now receive a single shared session ID based on the web administration portal user login credentials. This session times out after six hours, and the administration portal will not attempt to keep this session alive using periodic heartbeat requests. The plugin is in charge of keeping its session alive; if no plugin interacts with the REST API session via the provided ID for more than six hours, the session will time out.
Clone Of:
Environment:
Last Closed:
oVirt Team: ---
Target Upstream Version:
Embargoed:
sgrinber: Triaged+


Attachments
auth-popup (132.79 KB, image/png), 2013-01-13 08:49 UTC, David Botzer


Links
oVirt gerrit 14411 (no priority, status, summary or last-updated value recorded)

Description David Botzer 2013-01-13 08:22:51 UTC
Description of problem:
I keep getting a popup in webadmin: "Authentication Required"
"The site says: Engine"

Version-Release number of selected component (if applicable):
3.2/sf3

How reproducible:
always

Steps to Reproduce:
1. Install rhevm+dwh+reports
2. While working with Webadmin
  
Actual results:
"Authentication Required" browser popup

Expected results:
Should not display popup window

Additional info:
Vojtech Szocs wrote:
----------------------
The "Authentication Required" browser popup is indeed related to Engine REST API integration in the UI Plugins infrastructure.

Upon each successful (Web Admin UI) login, UI Plugins infrastructure tries to acquire new REST API session [1] via HTTP GET to /api, passing 'Prefer:persistent-auth' header along with user/domain/password information via HTTP basic auth ('Authorization') header. In other words, Web Admin tries to acquire REST API session using UI user credentials. While the user stays authenticated in Web Admin UI, UI Plugins infrastructure sends periodic heartbeat requests to keep the acquired REST API session alive, until the user signs out of Web Admin.

If you see the "Authentication Required" browser popup, it means that REST API rejected the request as unauthorized (wrong user credentials), which is really strange. David, are there any steps to reproduce this problem?

Some facts about "Authentication Required" browser popup:
- triggered on any response (including AJAX/XHR) with status code 401 (Unauthorized)
- can NOT be disabled via JavaScript, it's part of standard browser behavior [2]

To disable "Authentication Required" browser popup on failed request, REST API could respond with status code other than 401 (Unauthorized), but this actually works against the general HTTP basic auth specification.

Vojtech

[1] http://www.ovirt.org/Features/RESTSessionManagement
[2] http://stackoverflow.com/questions/8008072/how-to-close-or-disable-base-authentication-popup-in-webdriverfirefoxdriver-te

Comment 1 David Botzer 2013-01-13 08:49:56 UTC
Created attachment 677644 [details]
auth-popup

Comment 3 Michael Pasternak 2013-02-19 14:13:17 UTC
afaics this BZ ain't related to api.

Comment 4 Vojtech Szocs 2013-02-25 11:21:49 UTC
Indeed, WebAdmin's UI Plugins infrastructure tries to acquire a REST API session upon successful UI login and passes the session ID to all plugins. This is essentially how REST API support works in UI Plugins.

The problem is web browsers displaying "Authentication Required" popup upon 401 (Unauthorized) response, which *cannot* be prevented with JavaScript/GWT.

From HTTP client perspective, this is perfectly OK. From web application (JavaScript/browser) client perspective, this is problematic.

@David, do you think we should acquire REST API session only under certain condition (e.g. configuration value)?

@Michael, is there anything you would suggest with regard to 401 response handling in web clients (browsers)?

Comment 5 Einav Cohen 2013-02-26 17:16:26 UTC
Vojtech: 

- Why are we getting the "Authentication Required" response in the first place? Is something wrong with the way we attempt to acquire a REST API session and/or with the heartbeat mechanism? This is what should really be investigated.

- not sure if we already have this or not: maybe we should have a global configuration value for enabling/disabling ui plugins (in case there is a "disaster" in one or more of the existing plugins?)

[I am not sure about acquiring REST API session in ui-plugins according to configuration value, as this can ruin the behavior for some (or all) the existing ui-plugins]

Comment 6 Vojtech Szocs 2013-03-04 15:26:12 UTC
> why are we getting the "Authentication Required" response in the first place?

Good question. WebAdmin tries to acquire REST API session using UI login credentials, so it would mean:
(a) user IS able to log into WebAdmin with given credentials
(b) user IS NOT able to call REST API with given credentials

I was under impression that (a) success always implies (b) success.

> is something wrong with the way we attempt to acquire a REST API session and/or with the heartbeat mechanism? this is what should really be investigated.

Indeed, we should investigate. However, the implementation in WebAdmin generally follows instructions in [http://wiki.ovirt.org/Features/RESTSessionManagement], so it's strange why it works in some cases, and doesn't work in other cases.

> not sure if we already have this or not: maybe we should have a global configuration value for enabling/disabling ui plugins (in case there is a "disaster" in one or more of the existing plugins?)

No, currently we can only disable plugins on a per-plugin basis (by modifying the plugin user configuration file).

I agree with your point, there should be a way to enable/disable UI plugins globally via Engine configuration.

> [I am not sure about acquiring REST API session in ui-plugins according to configuration value, as this can ruin the behavior for some (or all) the existing ui-plugins]

Right, it was just an idea :)

Comment 14 Vojtech Szocs 2013-05-06 14:05:48 UTC
Upstream patch merged, proceeding with downstream backport/ack/merge process.

Comment 17 David Botzer 2013-05-16 13:56:13 UTC
Fixed, 3.2/SF17.
I added AD and was able to authenticate.
After I blocked the AD server I verified it was blocked and could not connect. Then I saw that no popup window was displayed.
Fixed, 3.2/SF17

Comment 21 Itamar Heim 2013-06-11 08:22:17 UTC
3.2 has been released

Comment 22 Itamar Heim 2013-06-11 08:24:40 UTC
3.2 has been released
