Back to bug 1327041
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Martin Perina | 2016-04-14 07:20:37 UTC | Depends On | 1322940 | |
| | | Target Milestone | --- | ovirt-3.6.6 |
| | | Link ID | oVirt gerrit 56076 | |
| | | Link ID | oVirt gerrit 55791 | |
| | | Target Milestone | ovirt-3.6.6 | ovirt-3.6.7 |
| Pavel Stehlik | 2016-04-14 07:21:08 UTC | CC | pstehlik | |
| Martin Perina | 2016-04-14 07:22:21 UTC | Summary | [z-stream clone - 3.6.6] [RFE] AAA - Make Kerberos work with Java Authentication Framework | [z-stream clone - 3.6.7] [RFE] AAA - Make Kerberos work with Java Authentication Framework |
| Yaniv Kaul | 2016-04-17 04:49:57 UTC | Link ID | oVirt gerrit 56120 | |
| | | Status | NEW | POST |
| | | Link ID | oVirt gerrit 56121 | |
| | | Summary | [z-stream clone - 3.6.7] [RFE] AAA - Make Kerberos work with Java Authentication Framework | [RFE] [z-stream clone - 3.6.7] AAA - Make Kerberos work with Java Authentication Framework |
| Martin Perina | 2016-05-05 11:22:27 UTC | Status | POST | MODIFIED |
| | | Target Release | --- | 3.6.7 |
| | | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | |
| Ondra Machacek | 2016-05-11 15:54:07 UTC | Status | MODIFIED | POST |
| Ondra Machacek | 2016-05-12 10:02:26 UTC | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/krb5.conf) Please remember that java supports only one krb5 configuration, so if you change this property manage-domains stops to work as it has it's configuration in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| Ondra Machacek | 2016-05-12 10:03:28 UTC | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/krb5.conf) Please remember that java supports only one krb5 configuration, so if you change this property manage-domains stops to work as it has it's configuration in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/ovirt-engine/krb5.conf) Please remember that java supports only one krb5 configuration, so if you change this property manage-domains stops to work as it has it's configuration in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| Martin Perina | 2016-05-16 08:39:47 UTC | Link ID | oVirt gerrit 57358 | |
| | | Status | POST | MODIFIED |
| Moran Goldboim | 2016-05-16 12:14:29 UTC | Priority | unspecified | high |
| Martin Perina | 2016-05-23 12:54:10 UTC | CC | rbalakri, srevivo | |
| | | Component | ovirt-engine-extension-aaa-ldap | ovirt-engine |
| Gonza | 2016-06-13 18:21:26 UTC | Status | MODIFIED | ON_QA |
| | | Status | ON_QA | VERIFIED |
| Byron Gravenorst | 2016-06-16 05:31:33 UTC | CC | bgraveno | |
| | | Doc Text | Feature: Reason: Provide a way how to configure gssapi using ticket cache for authz pool. Result: We added new security domain called 'oVirtKerbAAA' into JBoss configuration, which is customizable by following config variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify custom krb5.conf file (if empty the default is /etc/ovirt-engine/krb5.conf) Please remember that java supports only one krb5 configuration, so if you change this property manage-domains stops to work as it has it's configuration in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable/disable usage of ticket cache file for authentication AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify custom ticket cache file (if empty the default is /tmp/krb5cc_${UID} where UID if used id of ovirt user) AAA_JAAS_USE_KEYTAB=false/true Enable/disable usage of keytab file for authentication AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify custom keytab file (if empty the default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user) In order to use one of the following features user have to create a new configuration file, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. Where he need to specify correct values for those variables. In order to use this new security domain configuration from aaa-ldap, user have to specify correct JAASClientName(default is oVirtKerb). So in order to use this new configuration for authz pool, user have to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA In order to use it for both authn and authz, user have to add following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | To provide a way how to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable or disable using the ticket cache file for authentication. AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user. AAA_JAAS_USE_KEYTAB=false/true Enable or disable using the keytab file for authentication. AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user. To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| Byron Gravenorst | 2016-06-19 23:27:11 UTC | Doc Text | To provide a way how to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable or disable using the ticket cache file for authentication. AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user. AAA_JAAS_USE_KEYTAB=false/true Enable or disable using the keytab file for authentication. AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user. To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA | To provide a way to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables: AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf. AAA_JAAS_USE_TICKET_CACHE=true/false Enable or disable using the ticket cache file for authentication. AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user. AAA_JAAS_USE_KEYTAB=false/true Enable or disable using the keytab file for authentication. AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user. To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf. To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration: pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration: pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA |
| errata-xmlrpc | 2016-06-29 08:43:26 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-06-29 16:19:49 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-06-29 12:19:49 UTC | |