From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; The default timeout of sessions is 60 minutes. Set the timeout of sessions 10 minutes explicitly. Kimchi should have 10 minutes of time out value for the browser login session. If session got inactive for 10 minutes then it should expire automatically. And should ask user for relogin. This is required for the security reason. But this timeout will not take effect on some tabs, such as guest tab. The root cause is because the front end refreshes the vm list every 5 seconds by sending the "GET /vms" REST API call to the server. The follow patch will solve this problem. Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; --- src/kimchi/config.py.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index d73a8f4..426fbd1 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -150,6 +150,9 @@ class UIConfig(dict): class KimchiConfig(dict): + # session time out is 10 minutes + SESSIONSTIMEOUT = 10 + kimchi_config = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -159,6 +162,7 @@ class KimchiConfig(dict): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/data/screenshots': { 'tools.staticdir.on': True,

From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; Now UI will access the vms and host periodically. That will never make the session expire. This patch fix this problem. Now the UI can set "Kimchi-Robot" header when it wants to access the vms and host periodically. If the all requests with "Kimchi-Robot" header access for a long time, kimchi will expire the session. Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; --- src/kimchi/auth.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index af3b610..b042d73 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -22,6 +22,7 @@ import cherrypy import grp import PAM import re +import time from kimchi import template @@ -32,6 +33,7 @@ from kimchi.utils import run_command USER_ID = 'userid' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +REFRESH = 'robot-refresh' def debug(msg): @@ -131,6 +133,15 @@ def check_auth_session(): cherrypy.session.release_lock() if session is not None: debug("Session authenticated for user %s" % session) + kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot') + if kimchiRobot == "kimchi-robot": + if (time.time() - cherrypy.session[REFRESH] > + cherrypy.session.timeout * 60): + cherrypy.session[USER_ID] = None + cherrypy.lib.sessions.expire() + raise cherrypy.HTTPError(401) + else: + cherrypy.session[REFRESH] = time.time() return True debug("Session not found") @@ -172,6 +183,7 @@ def login(userid, password): cherrypy.session[USER_ID] = userid cherrypy.session[USER_GROUPS] = user.get_groups() cherrypy.session[USER_SUDO] = user.has_sudo() + cherrypy.session[REFRESH] = time.time() cherrypy.session.release_lock() return user.get_user() @@ -179,6 +191,7 @@ def login(userid, password): def logout(): cherrypy.session.acquire_lock() cherrypy.session[USER_ID] = None + cherrypy.session[REFRESH] = 0 cherrypy.session.release_lock() cherrypy.lib.sessions.expire()

From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; Then session will expire when these request access periodically. Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; Signed-off-by: Hongliang Wang <hlwang(a)linux.vnet.ibm.com&gt; --- ui/js/src/kimchi.api.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index fdd9cfc..c93426f 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -84,6 +84,7 @@ var kimchi = { type : 'GET', resend: true, contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', success : suc, error: err @@ -335,6 +336,7 @@ var kimchi = { url : kimchi.url + 'vms', type : 'GET', contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', resend: true, success : suc,

On 2014年03月06日 07:44, shaohef(a)linux.vnet.ibm.com wrote: > From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com> update test_config.py.in > > Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; > --- > tests/test_config.py.in | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/tests/test_config.py.in b/tests/test_config.py.in > index 06f9300..a2d5f9d 100644 > --- a/tests/test_config.py.in > +++ b/tests/test_config.py.in > @@ -90,6 +90,7 @@ class ConfigTests(unittest.TestCase): > Paths.get_prefix = PluginPaths.get_prefix = get_prefix > paths = Paths() > CACHEEXPIRES = 31536000 > + SESSIONSTIMEOUT = 10 > configObj = { > '/': {'tools.trailing_slash.on': False, > 'request.methods_with_bodies': ('POST', 'PUT'), > @@ -99,6 +100,7 @@ class ConfigTests(unittest.TestCase): > 'tools.sessions.httponly': True, > 'tools.sessions.locking': 'explicit', > 'tools.sessions.storage_type': 'ram', > + 'tools.sessions.timeout': SESSIONSTIMEOUT, > 'tools.kimchiauth.on': False}, > '/css': { > 'tools.staticdir.on': True, Well, I'm not sure this test is enough, for common scenerio, we check if given error is triggered after timeout. Can you consider this way?