[pve-devel] [RFC manager] ui: workspace: cope better with upgrade related false positive 401 HTTP codes

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jun 24 15:20:41 CEST 2019 

While we nowadays can work much better with package upgrades relating
the cluster stack it still happens that a pve-cluster upgrade can
produce a false-positive 401 (auth failure) code for a currently
valid ticket, e.g., because a pmxcfs lock was requested but the
pmxcfs was currently not mounted due an upgrade triggered restart.

A frequent case for a few false positive 401 is also a cluster
creation, especially if not done over the web GUI.

Thus add a counter, which gets set to 0 on each successful login or
ticket renewal and gets increased on each 401 error. Only show the
logged out window if we get five or more 401 responses. While 5 may
sound a bit much one needs to remember that we always have quite a
few API call in flight (resource update store, stores from current
panel ...) and thus, if one got really auth denied it will still show
quite fast (1 to 5 seconds, depending on which panel is currently
opened). Further, the backend naturally does not allows to do
anything during this time, this has no security implications
whatsoever.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 www/manager6/Workspace.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index 1d343525..db846efc 100644
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -27,6 +27,7 @@ Ext.define('PVE.Workspace', {
 	if (loginData.cap) {
 	    Ext.state.Manager.set('GuiCap', loginData.cap);
 	}
+	me.response401count = 0;
 
 	me.onLogin(loginData);
     },
@@ -60,7 +61,12 @@ Ext.define('PVE.Workspace', {
 	// fixme: what about other errors
 	Ext.Ajax.on('requestexception', function(conn, response, options) {
 	    if (response.status == 401 && !PVE.Utils.silenceAuthFailures) { // auth failure
-		me.showLogin();
+		// don't immediately show as logged out to cope better with some big
+		// upgrades, which may temporarily produce a false positive 401 err
+		me.response401count++;
+		if (me.response401count > 5) {
+		    me.showLogin();
+		}
 	    }
 	});
 
-- 
2.20.1

More information about the pve-devel mailing list