6:52 p.m.
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
V2 -> V3
raise 401 http error when expire.
Set the timeout of sessions 10 minutes explicitly.
V1 -> V2
Address ming's comment, raise 403 http error when expire.
Send UI patch.
UI still need to improve as Adam king said.
Hong Liang will improve it.
ShaoHe Feng (3):
add timeout for sessions
auth enhancement: expire the session when the request access
periodically
UI: set kimchi robot header for some request.
src/kimchi/auth.py | 13 +++++++++++++
src/kimchi/config.py.in | 4 ++++
ui/js/src/kimchi.api.js | 2 ++
3 files changed, 19 insertions(+)
--
1.8.4.2
6:52 p.m.
New subject: [PATCH V3 1/3] add timeout for sessions
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
The default timeout of sessions is 60 minutes.
Set the timeout of sessions 10 minutes explicitly.
Kimchi should have 10 minutes of time out value for the browser login
session.
If session got inactive for 10 minutes then it should expire
automatically.
And should ask user for relogin. This is required for the security
reason.
But this timeout will not take effect on some tabs, such as guest tab.
The root cause is because the front end refreshes the vm list every 5
seconds
by sending the "GET /vms" REST API call to the server.
The follow patch will solve this problem.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
src/kimchi/config.py.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index d73a8f4..426fbd1 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -150,6 +150,9 @@ class UIConfig(dict):
class KimchiConfig(dict):
+ # session time out is 10 minutes
+ SESSIONSTIMEOUT = 10
+
kimchi_config = {
'/': {'tools.trailing_slash.on': False,
'request.methods_with_bodies': ('POST', 'PUT'),
@@ -159,6 +162,7 @@ class KimchiConfig(dict):
'tools.sessions.httponly': True,
'tools.sessions.locking': 'explicit',
'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
'tools.kimchiauth.on': False},
'/data/screenshots': {
'tools.staticdir.on': True,
--
1.8.4.2
11:51 p.m.
New subject: [PATCH V3 1/3] add timeout for sessions
in order to test this patch set, please:
change the
+ SESSIONSTIMEOUT = 10
as
+ SESSIONSTIMEOUT = 1
then
$ ./autogen
$ make
$ sudo PYTHONPATH=src ./src/kimchid --host "0.0.0.0"
$ firefox http://localhost:8000/#tabs/guests
and waiting 1 minute.
Thanks.
On 03/05/2014 08:52 AM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
The default timeout of sessions is 60 minutes.
Set the timeout of sessions 10 minutes explicitly.
Kimchi should have 10 minutes of time out value for the browser login
session.
If session got inactive for 10 minutes then it should expire
automatically.
And should ask user for relogin. This is required for the security
reason.
But this timeout will not take effect on some tabs, such as guest tab.
The root cause is because the front end refreshes the vm list every 5
seconds
by sending the "GET /vms" REST API call to the server.
The follow patch will solve this problem.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
src/kimchi/config.py.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index d73a8f4..426fbd1 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -150,6 +150,9 @@ class UIConfig(dict):
class KimchiConfig(dict):
+ # session time out is 10 minutes
+ SESSIONSTIMEOUT = 10
+
kimchi_config = {
'/': {'tools.trailing_slash.on': False,
'request.methods_with_bodies': ('POST', 'PUT'),
@@ -159,6 +162,7 @@ class KimchiConfig(dict):
'tools.sessions.httponly': True,
'tools.sessions.locking': 'explicit',
'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
'tools.kimchiauth.on': False},
'/data/screenshots': {
'tools.staticdir.on': True,
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center
6:52 p.m.
New subject: [PATCH V3 2/3] auth enhancement: expire the session when the request access periodically
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Now UI will access the vms and host periodically.
That will never make the session expire.
This patch fix this problem.
Now the UI can set "Kimchi-Robot" header when it wants to access the vms
and host periodically.
If the all requests with "Kimchi-Robot" header access for a long time, kimchi
will expire the session.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
src/kimchi/auth.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index af3b610..b042d73 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@ import cherrypy
import grp
import PAM
import re
+import time
from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
USER_ID = 'userid'
USER_GROUPS = 'groups'
USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
cherrypy.session.release_lock()
if session is not None:
debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot == "kimchi-robot":
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(401)
+ else:
+ cherrypy.session[REFRESH] = time.time()
return True
debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
cherrypy.session[USER_ID] = userid
cherrypy.session[USER_GROUPS] = user.get_groups()
cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
cherrypy.session.release_lock()
return user.get_user()
@@ -179,6 +191,7 @@ def login(userid, password):
def logout():
cherrypy.session.acquire_lock()
cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
cherrypy.session.release_lock()
cherrypy.lib.sessions.expire()
--
1.8.4.2
6:52 p.m.
New subject: [PATCH V3 3/3] UI: set kimchi robot header for some request.
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Then session will expire when these request access periodically.
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
Signed-off-by: Hongliang Wang <hlwang(a)linux.vnet.ibm.com>
---
ui/js/src/kimchi.api.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index fdd9cfc..c93426f 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -84,6 +84,7 @@ var kimchi = {
type : 'GET',
resend: true,
contentType : 'application/json',
+ headers: {'Kimchi-Robot': 'kimchi-robot'},
dataType : 'json',
success : suc,
error: err
@@ -335,6 +336,7 @@ var kimchi = {
url : kimchi.url + 'vms',
type : 'GET',
contentType : 'application/json',
+ headers: {'Kimchi-Robot': 'kimchi-robot'},
dataType : 'json',
resend: true,
success : suc,
--
1.8.4.2
12:54 p.m.
Need to update the test cases
======================================================================
FAIL: test_kimchi_config (test_config.ConfigTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/alinefm/kimchi/tests/test_config.py", line 160, in
test_kimchi_config
self.assertEquals(kimchi_config, configObj)
AssertionError: {'/data/screenshots': {'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/data/screenshots',
'tools.staticdir.on': True}, '/data/debugreports':
{'tools.kimchiauth.on': True, 'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/data/debugreports',
'tools.staticdir.content_types': {'xz': 'application/x-xz'},
'tools.staticdir.on': True}, '/libs': {'tools.expires.on': True,
'tools.nocache.on': False, 'tools.staticdir.dir':
'/home/alinefm/kimchi/ui/libs', 'tools.expires.secs': 31536000,
'tools.staticdir.on': True}, '/help': {'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/pages/help',
'tools.staticdir.on': True}, '/favicon.ico':
{'tools.staticfile.on':
True, 'tools.staticfile.filename':
'/home/alinefm/kimchi/ui/images/logo.ico'}, '/config/ui/tabs.xml':
{'tools.nocache.on': True, 'tools.staticfile.on': True,
'tools.staticfile.filename': '/home/alinefm/kimchi/config/ui/tabs.xml'},
'/images': {'tools.nocache.on': False, 'tools.staticdir.dir':
'/home/alinefm/kimchi/ui/images', 'tools.staticdir.on': True},
'/css':
{'tools.expires.on': True, 'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/css',
'tools.expires.secs': 31536000, 'tools.staticdir.on': True}, '/':
{'tools.sessions.httponly': True, 'tools.sessions.on': True,
'tools.nocache.on': True, 'tools.sessions.storage_type': 'ram',
'tools.sessions.timeout': 10, 'request.methods_with_bodies':
('POST',
'PUT'), 'tools.trailing_slash.on': False, 'tools.kimchiauth.on':
False,
'tools.sessions.name': 'kimchi', 'tools.sessions.locking':
'explicit'},
'/js': {'tools.expires.on': True, 'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/js',
'tools.expires.secs': 31536000, 'tools.staticdir.on': True}} !=
{'/data/screenshots': {'tools.nocache.on': False,
'tools.staticdir.dir':
'/home/alinefm/kimchi/data/screenshots', 'tools.staticdir.on': True},
'/data/debugreports': {'tools.kimchiauth.on': True,
'tools.nocache.on':
False, 'tools.staticdir.dir': '/home/alinefm/kimchi/data/debugreports',
'tools.staticdir.content_types': {'xz': 'application/x-xz'},
'tools.staticdir.on': True}, '/libs': {'tools.expires.on': True,
'tools.nocache.on': False, 'tools.expires.secs': 31536000,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/libs',
'tools.staticdir.on': True}, '/config/ui/tabs.xml':
{'tools.nocache.on':
True, 'tools.staticfile.on': True, 'tools.staticfile.filename':
'/home/alinefm/kimchi/config/ui/tabs.xml'}, '/favicon.ico':
{'tools.staticfile.on': True, 'tools.staticfile.filename':
'/home/alinefm/kimchi/ui/images/logo.ico'}, '/js':
{'tools.expires.on':
True, 'tools.nocache.on': False, 'tools.expires.secs': 31536000,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/js',
'tools.staticdir.on': True}, '/images': {'tools.nocache.on':
False,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/images',
'tools.staticdir.on': True}, '/help': {'tools.nocache.on': False,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/pages/help',
'tools.staticdir.on': True}, '/css': {'tools.expires.on': True,
'tools.nocache.on': False, 'tools.expires.secs': 31536000,
'tools.staticdir.dir': '/home/alinefm/kimchi/ui/css',
'tools.staticdir.on': True}, '/': {'tools.sessions.httponly':
True,
'tools.sessions.on': True, 'tools.nocache.on': True,
'tools.sessions.storage_type': 'ram',
'request.methods_with_bodies':
('POST', 'PUT'), 'tools.trailing_slash.on': False,
'tools.kimchiauth.on': False, 'tools.sessions.name': 'kimchi',
'tools.sessions.locking': 'explicit'}}
----------------------------------------------------------------------
Ran 158 tests in 149.610s
FAILED (failures=1)
[05/Mar/2014:15:50:05] ENGINE Waiting for child threads to terminate...
make[3]: *** [check-local] Error 1
make[3]: Leaving directory `/home/alinefm/kimchi/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/home/alinefm/kimchi/tests'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/home/alinefm/kimchi/tests'
make: *** [check-recursive] Error 1
On 03/04/2014 09:52 PM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
V2 -> V3
raise 401 http error when expire.
Set the timeout of sessions 10 minutes explicitly.
V1 -> V2
Address ming's comment, raise 403 http error when expire.
Send UI patch.
UI still need to improve as Adam king said.
Hong Liang will improve it.
ShaoHe Feng (3):
add timeout for sessions
auth enhancement: expire the session when the request access
periodically
UI: set kimchi robot header for some request.
src/kimchi/auth.py | 13 +++++++++++++
src/kimchi/config.py.in | 4 ++++
ui/js/src/kimchi.api.js | 2 ++
3 files changed, 19 insertions(+)
9:17 a.m.
New subject: [PATCH V3 0/3] let session expire when request access periodically
Applied. Thanks.
Regards,
Aline Manera
3944
days inactive
3945
days old
7 comments
4 participants
participants (4)
-
Aline Manera -
Ramon Medeiros -
shaohef@linux.vnet.ibm.com -
Sheldon