Manageiq: Issue with websocket notifications in Self-Service UI

Created on 4 Apr 2017  路  17Comments  路  Source: ManageIQ/manageiq

Hi guys.

If I try to access VM console from Self-Service UI I get the error in "Browser Web Console" that Firefox can't establish a connection to the server at wss://miq02.example.com/ws/notification:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  lib-4910db4b2e.js:2:8929
Invalid chrome URI: /
Invalid chrome URI: /
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  lib-4910db4b2e.js:2:8929
Use of getAttributeNode() is deprecated. Use getAttribute() instead.  lib-4910db4b2e.js:1:2487
Firefox can鈥檛 establish a connection to the server at wss://miq02.example.com/ws/notifications.  lib-4910db4b2e.js:54:19809
tooltip-popup is now deprecated. Use uib-tooltip-popup instead.  lib-4910db4b2e.js:5
Firefox can鈥檛 establish a connection to the server at wss://miq02.example.com/ws/notifications.  lib-4910db4b2e.js:54:19809
``````

I see related error from log/production.log:

INFO -- : Started GET "/ws/notifications" [WebSocket] for 127.0.0.1 at 2017-04-04 13:07:27 +0300
INFO -- : Successfully upgraded to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: WebSocket)
ERROR -- : An unauthorized connection attempt was rejected
ERROR -- : Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: WebSocket)
INFO -- : Finished "/ws/notifications" [WebSocket] for 127.0.0.1 at 2017-04-04 13:07:27 +0300
``````

Than if I login to https://miq02.example.com/api I can see related notification in SSUI and logs like this:

INFO -- : Started GET "/api/auth?requester_type=ws" for 127.0.0.1 at 2017-04-04 13:07:30 +0300
INFO -- : Processing by Api::AuthController#show as JSON
INFO -- :   Parameters: {"requester_type"=>"ws"}
INFO -- : Completed 200 OK in 19ms (Views: 0.2ms | ActiveRecord: 3.1ms)
INFO -- : Started GET "/ws/notifications" [WebSocket] for 127.0.0.1 at 2017-04-04 13:07:42 +0300
INFO -- : Successfully upgraded to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: WebSocket)
INFO -- : Registered connection (Z2lkOi8vdm1kYi9Vc2VyLzY)
INFO -- : NotificationChannel is transmitting the subscription confirmation
INFO -- : NotificationChannel is streaming from notifications_6
``````

But for vm console I get the another error "Access Forbidden":

INFO -- : Started POST "/api/vms/254" for 127.0.0.1 at 2017-04-04 13:17:23 +0300
INFO -- : Processing by Api::VmsController#update as JSON
INFO -- : Parameters: {"resource"=>{"protocol"=>"html5"}, "c_id"=>"254", "vm"=>{}}
INFO -- : Completed 200 OK in 48ms (Views: 0.2ms | ActiveRecord: 10.8ms)

INFO -- : Started GET "/api/tasks/846?attributes=task_results" for 127.0.0.1 at 2017-04-04 13:17:24 +0300
INFO -- : Processing by Api::TasksController#show as JSON
INFO -- : Parameters: {"attributes"=>"task_results", "c_id"=>"846"}
INFO -- : Completed 403 Forbidden in 27ms (Views: 0.3ms | ActiveRecord: 4.5ms)
``````

And for this task (/api/tasks/846?attributes=task_results) I see the error:

```
{"error":{"kind":"forbidden","message":"Use of the read action is forbidden","klass":"Api::ForbiddenError"}}
``````

I use euwe-2 but I add some changes related to https://github.com/ManageIQ/manageiq/issues/14573

bug

Most helpful comment

Seems like all is "working", just an issue with role settings. That said, @AllenBW is going to take a look and make sure.

All 17 comments

Hello,

Just wondering, does it work with any other browser (Chrome, etc)?

@chalettu can you take a look here?

@chriskacerguis
This happens in all browsers. I found that the user can receive notification and get into the console of the virtual machine only if it is a member of the role "super_administrator". My previous test and logs was for a user in the "administrator" role. May be there is a some role configuration issue, but I want to give that feature (console access and may be cockpit access) to a user with limited privileges.

Seems like all is "working", just an issue with role settings. That said, @AllenBW is going to take a look and make sure.

Hi @ITD27M01 :wave:

OK so I gotttaaaaaa few questions for ya... off the bat, this does indeed appear to be missing product feature, so first thing we should investigate is the product features associated with the role assigned to the current group of the user in question, for the sake of thoroughness can you confirm "Access Rules for all Virtual Machines" is selected?

Hi @AllenBW
I have not changed the default settings of the roles. And for the boxed EvmRole roles these settings are read-only.
image

bahahhahahahaha @ITD27M01 YOU PUT THE IN THE TIME TO ROLL YOUR OWN SMILELY <3 <3 <3

Soooooo that the arrow product feature, can you ensure its selected for the active group of the user you want to give limited privileges to? (and report back, as this should result in the desired behavior)

The 403 you reported is the tell here, indicating this isn't so much a ui issue.

This is the configuration for the group of limited users and I can't open the virtual machine console. I am in this group and that one group, which is now on appliance:
image

Are you able to open the virtual machine console with that user via classic ui? @ITD27M01 :thinking:

@AllenBW Yeah, I forgot to report it. I can open the console in the classic UI.

In sui, is both html and console methods failing? or just console?

@AllenBW Currently I use only Openstack backend and have only html5 novnc console for vms. I think that if Super-Administrator have access to consoles then this role have some check box that can allow access for limited user.

@AllenBW
Double check and found that this check box is Tasks checkbox. This box for some reason not very well marked for the role of administrator. Although all nested elements marked:
image

If I create new role from this builtin role and uncheck then check this Tasks item, everything is working I can access to html5 console.

I found another issue with console buttons from SUI that prevent me to fast troubleshoot the issue and confused me. Pop-up text prevents the console button from being pressed.
image
At the beginning of the creation of this issue I thought I don't get the message/notifications at the click of a button. Now I realize that I just could not click that button.

It turns out that there are two issues that forced me to create a current:

  1. Not very well marked checkbox Tasks in the role EvmRole-administrator.
  2. The pop-up text, which prevents pressing the console access.
    I need to create two of these issues or can I leave through this issue?

@ITD27M01 oh snap, learning about new product features every day! So the issue of the tooltip getting in the way is something I can handle, totally an sui thing, the issue of product feature clustering would be a here issue (miq) and and if you could create a new, clean, laser focused message of "hey, product features are confusing sometimes, maybe they should be revamed" referencing this issue, that would go a LONG way, adding steam to an already boiling pot... I'll followup once an issue of is created for the sui thing!

@AllenBW Ok, in this case, I'm waiting for your help at the "tooltip" and create a corresponding issue related to the first point.

@ITD27M01 https://bugzilla.redhat.com/show_bug.cgi?id=1439319

bug made for the tooltip issue, thanks!

Looks like things are working (less the BZ). Going to close this.

@miq-bot close_issue

Was this page helpful?
0 / 5 - 0 ratings