----- Original Message -----
From: "Vojtech Szocs" <vszocs(a)redhat.com>
Sent: Monday, May 13, 2013 10:23:30 AM
Hi guys,
just a quick update, recently we fixed an issue [1] with UI Plugin REST API
integration trying to keep-alive the current REST API session, which was
causing repeated "User logged in" events in GUI, along with new REST API
session created each time the heartbeat request was fired. Please refer to
commit message for more details on this issue.
There are some things to be aware of with regard to UI Plugin REST API
integration:
- all plugins still receive a single session ID based on WebAdmin user
credentials, i.e. keep the current "single-admin-session-for-all-plugins"
behavior
- session timeout is set to 6 hours --> 2x more than default REST API session
timeout
- WebAdmin will *not* try to keep-alive the session via periodic heartbeat
requests, i.e. break the current
"keep-session-alive-while-user-stays-authenticated" behavior
In practice, this means that after a user logs into WebAdmin, if no plugin
interacts with the REST API session via provided ID for more than 6 hours,
the session will time-out eventually. Unfortunately, for now, we can't
support the session keep-alive mechanism due to issues with HTTP
'Authorization' header handling in web browsers, but with RFE [2] it would
be possible to re-implement the session keep-alive mechanism.
On the other hand, we'll most likely revisit the current
"single-admin-session-for-all-plugins" behavior in future, i.e. have special
Engine users created for use with UI Plugin REST API integration, with
permissions of such users under control by the admin. This would change the
current behavior to something like "separate-user-session-for-each-plugin",
with individual plugins able to create their own REST API session on demand.
Regards,
Vojtech
[1]
http://gerrit.ovirt.org/#/c/14411/
Thanks, Vojtech - just adding the missing RFE reference ([2]):
[2] Bug 958861 - Support passing auth information without having to use HTTP Authorization
header
[