Change in ovirt-engine[master]: restapi: Create audit message for deprecated API usage

Code Review gerrit at ovirt.org
Mon Feb 13 12:05:41 UTC 2017 

>From Martin Peřina <mperina at redhat.com>:

Martin Peřina has submitted this change and it was merged.

Change subject: restapi: Create audit message for deprecated API usage
......................................................................


restapi: Create audit message for deprecated API usage

Currently there is no mechanism to notify users that are using a
deprecated version of the API. In order to address that this patch
introduces a mechanism that will check the version of the API for each
request, and will send a message to the audit log in case it is
deprecated. The message will look like this:

  Client from address "192.168.122.38" is using version 3 of the
  API, which has been deprecated since version 4.0 of the engine,
  and will no longer be supported starting with version 4.2. Make
  sure to update that client to use a supported versions of
  the API and the SDKs, before upgrading to version 4.2 of
  the engine.

This feature will be enabled by default for version 3 of the API, and
will be configurably by the administrator using the following
configuration setting:

  #
  # Comma separated list of versions of the API that are deprecated. Each
  # deprecated version is specified by three values, separated by colons.
  # The first value is the version of the API that is deprecated. The
  # second value is the version of the engine where that version of the
  # API was deprecated. The third value is the version of the engine where
  # that version of the API will be removed. For example, the following
  # text:
  #
  #   3:4.0:4.2
  #
  # Means that version 3 of the API was deprecated in version 4.0 of the
  # engine and will be removed in version 4.2 of the engine.
  #
  # When the engine detects a request that is using a deprecated version
  # of the API it will send a message to the audit log explaining it.
  #
  ENGINE_API_DEPRECATED_VERSIONS="3:4.0:4.2"

This setting is intended to allow disabling the feature. If the
administrator wants to do so, she can just use an empty value:

  # cat >> /etc/ovirt-engine/engin.conf.d/99-mute-deprecation.conf <<.
  ENGINE_API_DEPRECATED_VERSIONS=""

To avoid flooding the audit log when there are applications that send
many requests using the deprecated version of the API the messages will
be sent only once per day, for each different client IP address.

As the message will be written to the audit log table, other
applications, for example the setup tool, can use it to determine if
there are applications that used recently a deprecated version of the
API. For example, to check if a deprecated version of the API was used
in the last 30 days:

  select
    count(*)
  from
    audit_log
  where
    log_type = 13000 and
    age(now(), log_time) < '30 days'

Change-Id: I69cd6344fdb013869fef85518bd4b3ed36466b43
Bug-Url: https://bugzilla.redhat.com/1400996
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
A backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDeprecatedApiEventCommand.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java
A backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/AddDeprecatedApiEventParameters.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
M backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties
A backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/DeprecatedVersionInfo.java
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/LocalConfig.java
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/invocation/VersionFilter.java
M packaging/services/ovirt-engine/ovirt-engine.conf.in
9 files changed, 341 insertions(+), 6 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, approved
  Juan Hernandez: Verified
  Jenkins CI: Passed CI tests
  Moti Asayag: Looks good to me, but someone else must approve



-- 
To view, visit https://gerrit.ovirt.org/67745
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I69cd6344fdb013869fef85518bd4b3ed36466b43
Gerrit-PatchSet: 8
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Martin Peřina <mperina at redhat.com>
Gerrit-Reviewer: Moti Asayag <masayag at redhat.com>
Gerrit-Reviewer: Ori Liel <oliel at redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourfali at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>

More information about the Engine-commits mailing list