
Piotr Kliczewski has submitted this change and it was merged.

Change subject: webadmin: Use existing Engine session for REST API integration
......................................................................

webadmin: Use existing Engine session for REST API integration

Before this patch
=================

* WebAdmin login triggers creation of separate (logical) Engine session
  through creation of new (physical) REST session using HTTP basic auth
  -> REST session is acquired using current WebAdmin user credentials
  -> REST session ID is provided to all UI plugins

* above causes two separate user login operations with same credentials
  and therefore two "user has logged in" events in Engine server log

* acquired (physical) REST session, as well as corresponding (logical)
  Engine session, are _NOT_ closed upon WebAdmin logout, even though
  these sessions were created with WebAdmin user credentials

After this patch
================

* WebAdmin login _DOES NOT_ trigger creation of separate (logical)
  Engine session; instead, it reuses existing Engine user session
  -> REST session is still acquired, but instead of HTTP basic auth
     credentials, we're passing existing Engine session auth token
     to associate REST session with current user's Engine session
  -> REST session ID is provided to all UI plugins

* above ensures single user login operation upon WebAdmin login

* since acquired REST session maps to existing Engine session,
  WebAdmin user logout makes that REST session unusable, even
  if the REST session itself is still alive

We use Prefer:new-auth to ensure that new REST session is created
on each WebAdmin login.

Important note for UI plugin developers
=======================================

REST session ID passed to UI plugins via "RestApiSessionAcquired"
hook, also represented by JSESSIONID cookie for /api, will become
unusable after WebAdmin logout.

Since UI plugins are active (invoked by the infra) only while the
user is authenticated, this shouldn't impact UI plugins that use
provided REST session (cookie) to talk directly with Engine.

Change-Id: Ic3905b3b5834a0f7327321e93064274df0d1db65
Bug-Url: https://bugzilla.redhat.com/1161734
Bug-Url: https://bugzilla.redhat.com/1161730
Signed-off-by: Vojtech Szocs <vszocs@redhat.com>
---
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/Frontend.java
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/FrontendLoginHandler.java
M frontend/webadmin/modules/frontend/src/test/java/org/ovirt/engine/ui/frontend/FrontendActionTest.java
M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/system/ApplicationInit.java
5 files changed, 93 insertions(+), 69 deletions(-)

Approvals:
  Alon Bar-Lev: Verified
  Alexander Wels: Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/35248
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic3905b3b5834a0f7327321e93064274df0d1db65
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Alon Bar-Lev <alonbl@redhat.com>
Gerrit-Reviewer: Alexander Wels <awels@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourfali@redhat.com>
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczewski@gmail.com>
Gerrit-Reviewer: Tal Nisan <tnisan@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs@redhat.com>
Gerrit-Reviewer: automation@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server