[Engine-devel] REST session management

Oved Ourfalli ovedo at redhat.com
Mon Apr 16 07:44:31 UTC 2012 


----- Original Message -----
> From: "Geert Jansen" <gjansen at redhat.com>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: "engine-devel" <engine-devel at ovirt.org>, "Eoghan Glynn" <eglynn at redhat.com>
> Sent: Monday, April 16, 2012 10:26:18 AM
> Subject: Re: [Engine-devel] REST session management
> 
> Hi Oved,
> 
> +1 for this feature.
> 
> [[As a background to the others on the list, this feature is
> absolutely
> essential for certain types of ISV integration. Many ISVs need to
> mirror
> the RHEV inventory (i.e. all VMs, clusters, basically any object
> managed
> by RHEV) in realtime to their own database. The way they do this
> currently is by polling /api/events and look for changes. In order to
> be
> able to react to changes fast, they typically poll every 5 seconds.
> The
> query itself is very efficient, so it doesn't cause a whole lot of
> load
> on RHEV-M. But it floods the log with login/logout events. This
> persistent session feature is a solution for that.]]
> 
Thank you for the background. I'll add it to the wiki page.
 
> Actually my vote would go for your variation #2:
> 
>     The client passes the "Prefer" header field on every request,
>     besides the last one. When the server gets a request with a
>     JSESSIONID, and without the "Prefer" header, it logs out the
>     session.
> 
> It's mostly my gut feeling, but i would say it has these advantages:
> 
> 1. It is more explicit, as on every request you confirm that you
> still
> want the authenticated session to be maintained.
> 2. It is also consistent with the default we have chosen of no
> persistent authentication.
> 3. It does not need a second header, so it is somewhat simpler.
> 

I Agree on that, although I'm not sure whether it is really needed to release the session, rather then rely on timeout.
If we indeed need to provide a way to release the session then I agree this is the best alternative. But if we don't then it will make the API to the client more (but not very) complex in that manner.
The only doubt I have about that is that from reading on the new "Prefer" header, I got the feeling that it is more relevant on session negotiation, and less something you would pass on every request in the session, but I'm not sure about that.

> Regards,
> Geert
> 
> On 04/15/2012 01:06 PM, Oved Ourfalli wrote:
> > Hey,
> >
> > The following wiki page describes a new feature - supporting
> > session management via the REST API:
> > http://www.ovirt.org/wiki/Features/RESTSessionManagement
> >
> > Please review and comment.
> >
> > Thank you,
> > Oved
> 
> --
> Geert Jansen
> Sr. Product Marketing Manager, Red Hat Enterprise Virtualization
> 
> Red Hat S.r.L.           O: +39 095 916287
> Via G. Fara 26           C: +39 348 1980079 (when in US:
> 415-623-0542)
> Milan 20124, Italy       E: gjansen at redhat.com
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>

More information about the Devel mailing list