Add warning for horizon timeout #30
Conversation
|
|
||
| # keystone_timeout is in seconds and horizon_timeout is in minutes | ||
| if horizon_timeout * 60 > keystone_timeout | ||
| validation_error("Horizon timeout is bigger than keystone token expiration and these may cause problems.") |
There was a problem hiding this comment.
Style/IndentationWidth: Use 2 (not 4) spaces for indentation.
There was a problem hiding this comment.
I'd suggest rephrasing to: "The session timeout cannot be larger than the Keystone token expiration timeout."
vwallfahrer
changed the title
vwallfahrer
force-pushed
the
warning_keystone_timeout
branch
2 times, most recently
from
0066165
to
678e19f
Compare
vwallfahrer
changed the title
|
Hrm... code looks good so far but it's the same code twice. Maybe but it in an validation helper method and just call the method. |
|
@rsalevsky you are right there is some code repeated (3 lines). Since the code is repeated in two different files and it's very specific for the validation, I'd say it would make it harder to read if you need to go to a third file for just this three lines. Would the code had been in the same file or had been more critical, I would totally go for a non-repetition approach. |
|
@vuntz 's comment seems to have disappeared after the pull request update. This is his original comment:
Btw, I agree with the rephrasing. Although I'd explicitly mention this is horizon's session timeout: |
|
Just thought of another corner case to try: what happens if we have keystone barclamp installed but not the horizon one? Probably there should be a check when retrieving the proposal to see it's not empty. |
|
I checked our default values for the expirations in cloud5:
So, the situation that triggers this problem is there by default. There won't be any warning in crowbar because it will only show upon a change. We will need to change the default values. If we change the default values, should we also change any documentation for the end user? |
|
I still haven't fully backported this to cloud5 and probably cannot finish this soon. FTR, this is what the code would look like for cloud5: horizon_timeout = proposal["attributes"]["nova_dashboard"]["session_timeout"]
keystone_proposal = ProposalObject.find_proposal("keystone", "default")
unless keystone_proposal.nil?
keystone_timeout = keystone_proposal["attributes"]["keystone"]["token_expiration"]
# keystone_timeout is in seconds and horizon_timeout is in minutes
if horizon_timeout * 60 > keystone_timeout
validation_error("The horizon session timeout cannot be larger than the Keystone token expiration timeout.")
end
end |
I don't think we document that, so go ahead. |
|
Regarding the default timeouts, what about making both (horizon + keystone) to be 4 hours? |
We need to make the settings consistent, at least. I'd possibly go for 24 hours, but no strong opinion. |
| @@ -83,6 +83,15 @@ def validate_proposal_after_save proposal | |||
| validation_error("API version 3 or newer is required when enabling domain specific drivers.") | |||
| end | |||
|
|
|||
| keystone_timeout = proposal["attributes"]["keystone"]["token_expiration"] | |||
| horizon_proposal = Proposal.where(barclamp: "nova_dashboard", name: "default").first | |||
| horizon_timeout = horizon_proposal["attributes"]["nova_dashboard"]["session_timeout"] | |||
There was a problem hiding this comment.
In this case, there's no guarantee that we have a horizon proposal, so we should check if horizon_proposal is nil.
|
Also needs a rebase |
Horizon timeout is impacted by keystone token timeout since when the token gets outdated, then the user is automatically unable to use horizon. This patch includes a check for the timeout of horizon and keystone barclamps.
vwallfahrer
force-pushed
the
warning_keystone_timeout
branch
from
678e19f
to
d2c520d
Compare
| # keystone_timeout is in seconds and horizon_timeout is in minutes | ||
| if horizon_timeout * 60 > keystone_timeout | ||
| validation_error("Setting the Horizon timeout (#{horizon_timeout * 60} minutes) longer than the Keystone token expiration timeout" \ | ||
| "(#{keystone_timeout} minutes) is not supported. Please lower the Horizon token timeout.") |
There was a problem hiding this comment.
unexpected token tSTRING_BEG
unexpected token tRPAREN
vwallfahrer
force-pushed
the
warning_keystone_timeout
branch
from
fb4378b
to
6b4c891
Compare
|
|
||
| timeout_warning = <<-EOF | ||
| Setting the Horizon timeout (#{horizon_timeout} minutes) longer than the Keystone token expiration timeout (#{keystone_timeout * 60} minutes) is not supported. | ||
| Please lower the Horizon token timeout. |
There was a problem hiding this comment.
Here I would change the error and say "Please increase the Keystone token expiration timeout." (since the user is editing the keystone proposal)
vwallfahrer
force-pushed
the
warning_keystone_timeout
branch
from
6b4c891
to
c2d5595
Compare
| keystone_timeout = keystone_proposal["attributes"]["keystone"]["token_expiration"] | ||
|
|
||
| timeout_warning = <<-EOF | ||
| Setting the Horizon timeout (#{horizon_timeout} minutes) longer than the Keystone token expiration timeout (#{keystone_timeout * 60} minutes) is not supported. |
There was a problem hiding this comment.
Metrics/LineLength: Line is too long. [159/150]
|
I would prefer the messages to be part of the i18n file as they are getting touched anyway. |
|
since @vwallfahrer is sick, I'm continuing the PR in this new one: #51 |
|
Continued in #51 |
Horizon timeout is impacted by keystone token timeout since when the
token gets outdated, then the user is automatically unable to use
horizon. This patch includes a check for the timeout of horizon and
keystone barclamps.