[PATCH V2 0/2] let session expire when request access periodically

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> V1 -> V2: Address Ming's comment, raise a 403 HTTP error when the session expires. Send UI patch. UI still needs to improve as Adam King said. Hong Liang will improve it. ShaoHe Feng (2): auth enhancement: expire the session when the request access periodically UI: set kimchi robot header for some request. src/kimchi/auth.py | 13 +++++++++++++ ui/js/src/kimchi.api.js | 2 ++ 2 files changed, 15 insertions(+) -- 1.8.4.2

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Now UI will access the vms and host periodically. That will never make the session expire. This patch fix this problem. Now the UI can set "Kimchi-Robot" header when it wants to access the vms and host periodically. If the all requests with "Kimchi-Robot" header access for a long time, kimchi will expire the session. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index f8ccea1..8a07e05 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@
 import cherrypy
 import grp
 import PAM
 import re
+import time
 
 from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
 USER_ID = 'userid'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
 
 
 def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
 cherrypy.session.release_lock()
 if session is not None:
 debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(403)
+ else:
+ cherrypy.session[REFRESH] = time.time()
 return True
 
 debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
 cherrypy.session[USER_ID] = userid
 cherrypy.session[USER_GROUPS] = user.get_groups()
 cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
 cherrypy.session.release_lock()
 return user.get_user()
 
@@ -179,6 +191,7 @@ def login(userid, password):
 
 def logout():
 cherrypy.session.acquire_lock()
 cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
 cherrypy.session.release_lock()
 cherrypy.lib.sessions.expire()
-- 1.8.4.2
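Review bot: In the check_auth_session hunk the `else:` branch runs `cherrypy.session[REFRESH] = time.time()` on every request that carries the Kimchi-Robot header, so while the UI keeps polling, `time.time() - cherrypy.session[REFRESH]` never grows past the polling interval and the timeout branch is unreachable; it can only fire after polling itself has paused for a whole timeout, which CherryPy's own inactivity expiry presumably already covers. The timestamp should be refreshed by requests without the header (real user activity) and only read by robot requests: dedent the `else:` so it pairs with `if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):` rather than with the time comparison, leaving `return True` after it. The new session writes in this hunk also happen after the `cherrypy.session.release_lock()` shown at its top, unlike the writes in the login() and logout() hunks, which sit between acquire_lock and release_lock; if the app uses explicit session locking, the read-compare-write here can race with a concurrent request. Because the server only learns that a request is a poll from a client-supplied header, a client that omits it keeps the session alive for as long as it keeps calling; a comment above the header check saying so would help the next maintainer. check_auth_session starts outside this hunk, and the same hunks are quoted twice in the replies below.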

On 03/04/2014 06:45 AM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
The UI now accesses the VMs and host periodically, so the session never expires. This patch fixes this problem. Now the UI can set the "Kimchi-Robot" header when it wants to access the VMs and host periodically. If only requests with the "Kimchi-Robot" header have been made for a long time, Kimchi will expire the session.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/auth.py | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index f8ccea1..8a07e05 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@
 import cherrypy
 import grp
 import PAM
 import re
+import time
from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
 USER_ID = 'userid'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
 cherrypy.session.release_lock()
 if session is not None:
 debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(403)
You should use 401 to ask the user to login again. 403 is used when the user is logged in but does not have enough permissions to perform an operation. 401 Unauthorized: The request requires user authentication. 403 Forbidden: The server understood the request, but is refusing to fulfill it.
+ else:
+ cherrypy.session[REFRESH] = time.time()
 return True
debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
 cherrypy.session[USER_ID] = userid
 cherrypy.session[USER_GROUPS] = user.get_groups()
 cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
 cherrypy.session.release_lock()
 return user.get_user()
@@ -179,6 +191,7 @@ def login(userid, password):
 def logout():
 cherrypy.session.acquire_lock()
 cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
 cherrypy.session.release_lock()
 cherrypy.lib.sessions.expire()

You could also update cherrypy.session.timeout to 10 or 15 minutes.
On 03/04/2014 06:45 AM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Now UI will access the vms and host periodically. That will never make the session expire. This patch fix this problem. Now the UI can set "Kimchi-Robot" header when it wants to access the vms and host periodically. If the all requests with "Kimchi-Robot" header access for a long time, kimchi will expire the session.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/auth.py | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index f8ccea1..8a07e05 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@
 import cherrypy
 import grp
 import PAM
 import re
+import time
from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
 USER_ID = 'userid'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
 cherrypy.session.release_lock()
 if session is not None:
 debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(403)
+ else:
+ cherrypy.session[REFRESH] = time.time()
 return True
debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
 cherrypy.session[USER_ID] = userid
 cherrypy.session[USER_GROUPS] = user.get_groups()
 cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
 cherrypy.session.release_lock()
 return user.get_user()
@@ -179,6 +191,7 @@ def login(userid, password):
 def logout():
 cherrypy.session.acquire_lock()
 cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
 cherrypy.session.release_lock()
 cherrypy.lib.sessions.expire()

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Then session will expire when these request access periodically. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Hongliang Wang <hlwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.api.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index fdd9cfc..c93426f 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -84,6 +84,7 @@ var kimchi = {
 type : 'GET',
 resend: true,
 contentType : 'application/json',
+ headers: {'Kimchi-Robot': 'kimchi-robot'},
 dataType : 'json',
 success : suc,
 error: err
@@ -335,6 +336,7 @@ var kimchi = {
 url : kimchi.url + 'vms',
 type : 'GET',
 contentType : 'application/json',
+ headers: {'Kimchi-Robot': 'kimchi-robot'},
 dataType : 'json',
 resend: true,
 success : suc,
-- 1.8.4.2
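Review bot: Both hunks embed the marker as the literal `headers: {'Kimchi-Robot': 'kimchi-robot'},`, and the server side accepts it only through `kimchiRobot.startswith("kimchi-robot")` in auth.py, so the value is now repeated in three places with nothing tying them together; one shared definition in this file, e.g. `robotHeaders: {'Kimchi-Robot': 'kimchi-robot'},` on the kimchi object and `headers: kimchi.robotHeaders,` in both calls, would keep the two client sites from drifting apart. Only these two GET calls are marked, so any other request the UI issues on a timer will presumably still count as user activity and keep the session alive; a short comment at each `headers:` line, such as `// periodic poll: tell the server not to treat this as user activity`, would make the convention visible to whoever adds the next poller. The first hunk's request does not show its URL, so which resource it polls cannot be told from here, and both enclosing functions start and end outside the hunks.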