| Summary: | [RFE] Allow to disable SSO per VM | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Frantisek Kobzik <fkobzik> | ||||
| Component: | ovirt-engine-userportal | Assignee: | Frantisek Kobzik <fkobzik> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Novotny <pnovotny> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 3.4 | CC: | acathrow, avettath, ecohen, fkobzik, iheim, jkt, lpeer, mavital, michal.skrivanek, mkenneth, Rhev-m-bugs, rrajaram, yeylon | ||||
| Target Milestone: | --- | Keywords: | FutureFeature | ||||
| Target Release: | 3.4.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | All | ||||||
| Whiteboard: | virt | ||||||
| Fixed In Version: | ovirt-3.4.0-ga | Doc Type: | Enhancement | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | 758946 | Environment: | |||||
| Last Closed: | 2014-03-31 15:04:28 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Bug Depends On: | |||||||
| Bug Blocks: | 758946 | ||||||
| Attachments: |
Description
Frantisek Kobzik
2013-11-27 12:48:04 UTC
Design page: http://www.ovirt.org/Features/SSO_Method_Control

moving back to POST, I don't see a patch handling the REST API for this

backend part merged U/S: 4b7438c095b942b969cdc4091944353637101806

frontend part merged U/S: abd645d5af8a5e4f7986bef00f470171a63be823

patch 21911 needs backport to ovirt-3.4

Created attachment 855564 [details]
screen-shot: SSO method

ovirt-3.4 test day results:
- New/Edit VM dialog now has a new "Single Sign On method" field (see attachment 855564 [details]).
- tested a F19 VM with guest agent and a Blank VM with no guest agent.
- tested web-admin, power-user portal and user portal.
- results:
  * SSO (VmLogonCommand) was invoked only when all of the following were fulfilled:
    ~ SSO Method was set to 'guest agent'
    ~ VM had an agent installed
    ~ Connection was initiated from the UP or PUP

full results table below:

| VM | SSO Method | web-admin | UP | PUP |
|---|---|---|---|---|
| w/ agent | guest agent | no sso [1] | sso [2] | sso [2] |
| w/ agent | none | no sso [1] | no sso [1] | no sso [1] |
| w/o agent | guest agent | no sso [1] | no sso [1] | no sso [1] |
| w/o agent | none | no sso [1] | no sso [1] | no sso [1] |

** due to time constraints, the actual SSO wasn't tested; however, to my understanding, the SSO procedure itself hasn't been changed as part of this feature implementation **
[1] output from engine.log looked like the following:
...
2014-01-24 16:44:34,158 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [377925ac] Running command: SetVmTicketCommand internal: false. Entities affected : ID: b55991ee-e29e-44b1-9bbc-c02fce37aad4 Type: VM
2014-01-24 16:44:34,166 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [377925ac] START, SetVmTicketVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=b55991ee-e29e-44b1-9bbc-c02fce37aad4, ticket=DNqAAYwf9HLM, validTime=120,m userName=admin, userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 4a9534c
2014-01-24 16:44:34,214 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [377925ac] FINISH, SetVmTicketVDSCommand, log id: 4a9534c
2014-01-24 16:44:34,227 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-1) [377925ac] Correlation ID: 377925ac, Call Stack: null, Custom Event ID: -1, Message: user admin initiated console session for VM no-agent
2014-01-24 16:44:45,066 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-54) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal is connected to VM no-agent.
...
[2] output from engine.log looked like the following:
...
2014-01-24 16:46:08,509 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [6840f287] Running command: SetVmTicketCommand internal: false. Entities affected : ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,519 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [6840f287] START, SetVmTicketVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=e635b41a-a4f5-4e35-84fd-a6954036e221, ticket=/dMZXjgsMnoK, validTime=120,m userName=admin, userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 9170ba7
2014-01-24 16:46:08,568 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [6840f287] FINISH, SetVmTicketVDSCommand, log id: 9170ba7
2014-01-24 16:46:08,583 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-1) [6840f287] Correlation ID: 6840f287, Call Stack: null, Custom Event ID: -1, Message: user admin initiated console session for VM fedora19-vm
2014-01-24 16:46:08,654 WARN [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (ajp--127.0.0.1-8702-1) [4730c340] The message key VmLogon is missing from bundles/ExecutionMessages
2014-01-24 16:46:08,670 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (ajp--127.0.0.1-8702-1) [4730c340] Running command: VmLogonCommand internal: false. Entities affected : ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,677 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (ajp--127.0.0.1-8702-1) [4730c340] START, VmLogonVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=e635b41a-a4f5-4e35-84fd-a6954036e221, domain=internal, password=******, userName=admin), log id: 172f6ea8
2014-01-24 16:46:08,713 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (ajp--127.0.0.1-8702-1) [4730c340] FINISH, VmLogonVDSCommand, log id: 172f6ea8
2014-01-24 16:46:16,598 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-56) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal is connected to VM fedora19-vm.
...

Franta - one note: In the engine.log, right before the VmLogonCommand invocation message, I see the following WARN message:

2014-01-24 16:46:08,654 WARN [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (ajp--127.0.0.1-8702-1) [4730c340] The message key VmLogon is missing from bundles/ExecutionMessages

not sure what it means - maybe worth looking into it. Thanks.

Hi Einav, thanks for the very detailed information. The results are correct (the fact sso didn't work in webadmin is intended as we don't provide this feature for webadmin). As for the WARN message, it shouldn't have anything to do with the patch. IIUC it's only saying we don't have a sane message describing the VmLogon action name in logs (and we simply print "VmLogon" instead). Maybe it could be worth it to add some message to the bundle...

This is an automated message: moving to Closed CURRENT_RELEASE since oVirt 3.4.0 has been released.
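
The test-day results above were obtained by reading engine.log by hand. As an added example (not oVirt code and not part of the bug report), the script below pairs each SetVmTicketCommand with a following VmLogonCommand for the same VM and reports console sessions where SSO fired for a VM that is meant to have it disabled. The 5-second pairing window, the function names and the caller-supplied set of SSO-disabled VM IDs are assumptions; the sample lines are copied from excerpts [1] and [2].

```python
import re
from datetime import datetime, timedelta

# Lines copied from the engine.log excerpts [1] and [2] quoted in the test-day results.
SAMPLE_LOG = """\
2014-01-24 16:44:34,158 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [377925ac] Running command: SetVmTicketCommand internal: false. Entities affected : ID: b55991ee-e29e-44b1-9bbc-c02fce37aad4 Type: VM
2014-01-24 16:46:08,509 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [6840f287] Running command: SetVmTicketCommand internal: false. Entities affected : ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,654 WARN [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (ajp--127.0.0.1-8702-1) [4730c340] The message key VmLogon is missing from bundles/ExecutionMessages
2014-01-24 16:46:08,670 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (ajp--127.0.0.1-8702-1) [4730c340] Running command: VmLogonCommand internal: false. Entities affected : ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
"""

CMD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\w+\s+"
    r"\[org\.ovirt\.engine\.core\.bll\.(?P<cmd>SetVmTicketCommand|VmLogonCommand)\]"
    r".*Running command: (?P=cmd)\b.*ID: (?P<vm>[0-9a-f-]{36}) Type: VM")


def console_sessions(log_text, window=timedelta(seconds=5)):
    """One record per SetVmTicketCommand; sso=True when a VmLogonCommand for
    the same VM follows within `window` (the window is an assumption)."""
    events = []
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["cmd"], m["vm"]))
    events.sort()
    sessions = []
    for ts, cmd, vm in events:
        if cmd == "SetVmTicketCommand":
            sessions.append({"vm": vm, "opened": ts, "sso": False})
            continue
        # VmLogonCommand: attach it to the most recent ticket for this VM.
        for s in reversed(sessions):
            if s["vm"] == vm and timedelta(0) <= ts - s["opened"] <= window:
                s["sso"] = True
                break
    return sessions


def sso_violations(sessions, sso_disabled_vms):
    """Sessions where a logon was sent to a VM whose SSO method is 'none'."""
    return [s for s in sessions if s["sso"] and s["vm"] in sso_disabled_vms]


if __name__ == "__main__":
    for s in console_sessions(SAMPLE_LOG):
        print(s["opened"], s["vm"], "sso" if s["sso"] else "no sso")
```

Pass the IDs of VMs configured with SSO method 'none' as `sso_disabled_vms`; any session returned by `sso_violations` means VmLogonCommand ran where the setting should have prevented it.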