Bug 1118251

Summary: [AAA] When no trusted certificate is found in truststore, ignore that extension configuration
Product: [oVirt] ovirt-engine-extension-aaa-ldap
Reporter: Ondra Machacek <omachace>
Component: RFEs
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED WONTFIX
QA Contact: Ondra Machacek <omachace>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 1.0.0
CC: alonbl, bazulay, bugs, iheim, omachace, oourfali, pstehlik, s.kieske, yzaslavs
Target Milestone: ---
Keywords: FutureFeature, Reopened, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-14 11:54:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1063095
Attachments:
Description   Flags
engine.log    none

Description Ondra Machacek 2014-07-10 09:46:30 UTC
Created attachment 917033: engine.log

Description of problem:


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
ovirt-engine-extensions-api-impl-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. create a truststore with an invalid certificate for the domain
   and set it as the AD truststore
pool.default.ssl.truststore.file = /tmp/ad.ts

Actual results:
extension is added but is not working [see attachment engine.log]

Expected results:
1) extension is ignored with a proper log message why it's ignored
or
2) extension is added and a proper message is shown to the user why it is not working

if 2) then connected with bug 1106435


Additional info:

2014-07-10 11:26:01,370 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) Cannot initialize LDAP framework, deferring initialization. Error: The connection reader was unable to successfully complete TLS negotiation:  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found caused by sun.security.validator.ValidatorException: No trusted certificate found
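
An offline way to reproduce the condition behind the "No trusted certificate found" error from step 1, and the check worth running before pointing `pool.default.ssl.truststore.file` at a truststore. This is an added example, not code from the bug report or from ovirt-engine-extension-aaa-ldap: it builds a throwaway CA, a server certificate signed by it, and a second, unrelated CA, then asks OpenSSL which "truststore" validates the server chain. The host name `ad.example.test`, the CA names and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not the bug's or the project's code): build a throwaway CA, a
# server certificate signed by it, and an unrelated CA; then check which
# truststore validates the server chain. Names and paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME "Common Name": self-signed CA -> $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server_cert HOST CANAME: leaf certificate for HOST, signed by $WORK/CANAME
make_server_cert() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_trusted TRUSTSTORE_PEM LEAF_PEM: exit 0 iff LEAF chains to a CA in TRUSTSTORE_PEM.
# This is the same path-validation decision the JSSE truststore makes during the
# TLS handshake; a truststore without the issuing CA fails here too.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict TRUSTSTORE_PEM LEAF_PEM: prints "trusted" or "untrusted"
verdict() {
    if chain_trusted "$1" "$2"; then echo trusted; else echo untrusted; fi
}

make_ca ad-root "Example AD Root CA"        # the CA that really issued the AD cert
make_ca unrelated "Unrelated CA"            # a CA that has nothing to do with it
make_server_cert ad.example.test ad-root    # the LDAP server's certificate

echo "truststore with the real issuer:  $(verdict "$WORK/ad-root.pem" "$WORK/ad.example.test.pem")"
echo "truststore with an unrelated CA:  $(verdict "$WORK/unrelated.pem" "$WORK/ad.example.test.pem")"
```

The second line is the reporter's step 1: a truststore that holds a certificate, just not one that issued the server's certificate. Once the right CA verifies with `openssl verify`, import it into the JKS file the extension reads (`keytool -importcert -trustcacerts -alias ad-root -file ad-root.pem -keystore /tmp/ad.ts`), confirm it is there with `keytool -list -keystore /tmp/ad.ts`, and check the live endpoint with `openssl s_client -connect ad.example.test:636 -CAfile ad-root.pem`, which should end with `Verify return code: 0 (ok)` before the extension is configured.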

Comment 1 Alon Bar-Lev 2014-07-10 10:07:48 UTC
I do not understand the problem.

If untrusted SSL connection is found extension should not permit ldap usage.

Comment 2 Ondra Machacek 2014-07-10 10:15:33 UTC
Well, then ignore that extension configuration.
Current situation is that it can be used, with NPE in log.

Comment 3 Alon Bar-Lev 2014-07-10 10:18:24 UTC
(In reply to Ondra Machacek from comment #2)
> Well, then ignore that extension configuration.
> Current situation is that it can be used, with NPE in log.

if there is NPE exception in engine log, please open separate bug on engine.

extension cannot be disabled, as problem may be temporary.

please close this bug if the extension behaves as designed.

Comment 4 Oved Ourfali 2014-07-13 08:18:29 UTC
Marking it as 3.5.0, if a fix is needed.
If not, please close this bug.

Comment 5 Ondra Machacek 2014-07-14 19:14:19 UTC
Closing, as this is engine bug.

Comment 6 Sven Kieske 2014-07-15 07:27:43 UTC
then please don't close as "not a bug" but reassign to the correct component?
or if there is already a bug open for this on engine side close as duplicate?
Thanks.

Comment 7 Alon Bar-Lev 2014-07-15 08:17:35 UTC
(In reply to Sven Kieske from comment #6)
> then please don't close as "not a bug" but reassign to the correct component?
> or if there is already a bug open for this on engine side close as duplicate?
> Thanks.

the behavior request is to be closed.

a new specific bug can be opened with proper description.

moving around bugs with long history that is not entirely relevant is confusing.

Comment 8 Pavel Stehlik 2014-08-06 11:26:42 UTC
(In reply to Alon Bar-Lev from comment #7)
> (In reply to Sven Kieske from comment #6)
> > then please don't close as "not a bug" but reassign to the correct component?
> > or if there is already a bug open for this on engine side close as duplicate?
> > Thanks.
> 
> the behavior request is to be closed.
> 
> a new specific bug can be opened with proper description.
> 
> moving around bugs with long history that is not entirely relevant is
> confusing.

For sure this is BZ, thus can't be closed as NOTABUG.

*** This bug has been marked as a duplicate of bug 1117488 ***

Comment 9 Alon Bar-Lev 2014-08-06 11:31:03 UTC
I am sorry, but reclosing as notabug, as ignoring truststore/disable extension is not to be done, nor duplicate of bug#1117488

please ping me if you disagree, and we discuss.

Comment 10 Pavel Stehlik 2014-08-14 08:15:11 UTC
Feel free to explain here, why you insist on NOTABUG solution. 
Based on above, feel free either WONTFIX or keep in standard workflow - thus for this time ASSIGNED.

Comment 11 Alon Bar-Lev 2014-08-14 11:54:28 UTC
whatever needed in order to keep this closed.