Closed minefuto closed 6 months ago
sonarcloud[bot]
commented
7 months ago 
Quality Gate passedIssues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
minefuto
commented
6 months ago @thenodon any feedback? Please let me know if there is anything that needs to be fixed.
thenodon
commented
6 months ago @minefuto sorry. Im currently spammed by github emails due to a customer engagement, so I missed the email notification. Thanks for the PR. I did try to find any api documentation related to version 6, but could not find anything related to the login just for version 4 and "later", https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/apic-rest-api-configuration-guide/cisco-apic-rest-api-configuration-guide-42x-and-later/m_using_the_rest_api.html. My concern is that we need to support versions prior to 6.x and that your PR will break backwards compatibility. Did you try your PR on a APIC with a version < 6.x? Version could be part of the configuration for aci-exporter, but the best would be to avoid this. @camrossi do you have any input on the changes done in version 6.x related to the login and the token process?
minefuto
commented
6 months ago Thanks for your feedback! @thenodon
My concern is that we need to support versions prior to 6.x and that your PR will break backwards compatibility. Did you try your PR on a APIC with a version < 6.x?
I checked both 5.2(4) and 6.0(5).It seems my fix codes work normally.
About this issue, I also could not find anything related informations but I found the following behavior.
firstLoginTime was updated every time when I got token by aaaRefresh.1st token by aaaRefresh.
{
"totalCount": "1",
"imdata": [
{
"aaaLogin": {
"attributes": {
"token": "xxxxxxxxxxx",
"siteFingerprint": "xxxxxxxxx",
"refreshTimeoutSeconds": "600",
"maximumLifetimeSeconds": "86400",
"guiIdleTimeoutSeconds": "1200",
"restTimeoutSeconds": "90",
"creationTime": "1715250819",
"firstLoginTime": "1715250819", <-!!
-snip-2nd token by aaaRefresh.
{
"totalCount": "1",
"imdata": [
{
"aaaLogin": {
"attributes": {
"token": "xxxxxxxxxxx",
"siteFingerprint": "xxxxxxxxx",
"refreshTimeoutSeconds": "600",
"maximumLifetimeSeconds": "86400",
"guiIdleTimeoutSeconds": "1200",
"restTimeoutSeconds": "90",
"creationTime": "1715250821",
"firstLoginTime": "1715250821", <-!!
-snip-firstLoginTime was not updated every time when I got token by aaaRefresh.1st token by aaaRefresh.
{
"totalCount": "1",
"imdata": [
{
"aaaLogin": {
"attributes": {
"token": "xxxxxxxxxxx",
"siteFingerprint": "xxxxxxxxx",
"refreshTimeoutSeconds": "600",
"maximumLifetimeSeconds": "86400",
"guiIdleTimeoutSeconds": "1200",
"restTimeoutSeconds": "90",
"creationTime": "1715251100",
"firstLoginTime": "1715251100", <-!!
-snip-2nd token by aaaRefresh.
{
"totalCount": "1",
"imdata": [
{
"aaaLogin": {
"attributes": {
"token": "xxxxxxxxxxx",
"siteFingerprint": "xxxxxxxxx",
"refreshTimeoutSeconds": "600",
"maximumLifetimeSeconds": "86400",
"guiIdleTimeoutSeconds": "1200",
"restTimeoutSeconds": "90",
"creationTime": "1715251173",
"firstLoginTime": "1715251100", <-!!I think ACI cannot detect maximumLifetimeSeconds is exceeded or not because firstLoginTime changes every time in 5.2(4).
I suspect this is fixed to expected behavior in ~6.0(5).
thenodon
commented
6 months ago @minefuto have now been able to verify that maximumLifetimeSeconds is also part of version 4, at least 4.2. I will merge your PR but before a new release I will change the logic for the expiration calculation since the offset of 60 is the same as the typical scrape interval. Thanks for your contribution.
thenodon
commented
6 months ago
The following issue is detected in APIC version 6.0(5).
It seems cannot used and refreshed when
maxLifetimeSecondsis exceeded.Maybe, this behavior was added in some release. This issue does not occur in APIC version 5.2.
I added checking
maxLifetimeSecondsis exceeded or not.