Back to bug 1322940
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Anitha Udgiri | 2016-03-31 17:49:51 UTC | Summary | [RFE] Make Kerberos work with Java Authentication Framework | [RFE] AAA - Make Kerberos work with Java Authentication Framework |
| Yaniv Kaul | 2016-04-03 10:17:21 UTC | Keywords | FutureFeature | |
| | | Severity | unspecified | medium |
| Red Hat Bugzilla | 2016-04-03 10:17:21 UTC | Doc Type | Bug Fix | Enhancement |
| Martin Perina | 2016-04-07 08:01:07 UTC | Link ID | oVirt gerrit 55791 | |
| | | Assignee | mperina | omachace |
| | | Target Milestone | --- | ovirt-4.0.0 |
| | | QA Contact | omachace | pstehlik |
| Yaniv Kaul | 2016-04-07 11:56:23 UTC | CC | omachace | |
| | | Flags | needinfo?(omachace) | |
| Ondra Machacek | 2016-04-07 12:41:15 UTC | Flags | needinfo?(omachace) | |
| Martin Perina | 2016-04-07 13:36:13 UTC | Status | NEW | MODIFIED |
| | | Target Release | --- | 4.0.0 |
| | | CC | mperina | |
| Martin Perina | 2016-04-07 14:20:48 UTC | Status | MODIFIED | POST |
| | | Target Release | 4.0.0 | --- |
| Moran Goldboim | 2016-04-10 07:36:28 UTC | CC | mgoldboi | |
| Martin Perina | 2016-04-13 12:05:26 UTC | Link ID | oVirt gerrit 56076 | |
| | | Status | POST | MODIFIED |
| | | Target Release | --- | 4.0.0 |
| | | oVirt Team | Integration | Infra |
| Ondra Machacek | 2016-04-13 13:19:53 UTC | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | |
| Martin Perina | 2016-04-14 06:50:47 UTC | Keywords | ZStream | |
| Pavel Stehlik | 2016-04-14 06:55:05 UTC | QA Contact | pstehlik | grafuls |
| Ondra Machacek | 2016-04-14 08:04:19 UTC | Blocks | 1327041 | |
| | | Link ID | oVirt gerrit 56120 | |
| | | Link ID | oVirt gerrit 56121 | |
| | | Link ID | oVirt gerrit 56121 oVirt gerrit 56120 | |
| Ondra Machacek | 2016-05-11 15:54:03 UTC | Status | MODIFIED | POST |
| Ondra Machacek | 2016-05-12 10:03:07 UTC | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/krb5.conf) AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| Martin Perina | 2016-05-12 10:38:08 UTC | Link ID | oVirt gerrit 57360 | |
| Martin Perina | 2016-05-12 10:38:49 UTC | Target Milestone | ovirt-4.0.0-alpha | ovirt-4.0.0-beta |
| Martin Perina | 2016-05-12 10:39:54 UTC | Status | POST | MODIFIED |
| Martin Perina | 2016-05-23 12:55:31 UTC | CC | rbalakri, srevivo | |
| | | Component | ovirt-engine-extension-aaa-ldap | ovirt-engine |
| Oved Ourfali | 2016-05-29 05:32:45 UTC | Status | MODIFIED | ON_QA |
| Byron Gravenorst | 2016-07-22 05:28:54 UTC | CC | bgraveno | |
| | | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/krb5.conf) AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | To provide a way to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable or disable using the ticket cache file for authentication. AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user. AAA_JAAS_USE_KEYTAB=false/true Enable or disable using the keytab file for authentication. AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user. To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| Lukas Svaty | 2016-07-27 12:17:31 UTC | CC | lsvaty | |
| | | Flags | testing_plan_complete+ | |
| Gonza | 2016-07-27 13:43:10 UTC | Status | ON_QA | VERIFIED |
| errata-xmlrpc | 2016-08-23 02:16:15 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-08-23 20:59:12 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-08-23 16:59:12 UTC | |
| Martin Perina | 2017-02-13 12:37:36 UTC | Blocks | 1361223 | |