Bug 1145234

Summary: [RFE] PYTHON-SDK: Add support for Kerberos authentication
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Hernández <juan.hernandez>
Component: ovirt-engine-sdk-python
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED ERRATA
QA Contact: Karolína Hajná <khajna>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.5.0
CC: bazulay, gklein, iheim, lsurette, melewis, oramraz, pstehlik, rbalakri, Rhev-m-bugs, yeylon, ykaul
Target Milestone: ovirt-3.6.0-rc
Keywords: FutureFeature
Target Release: 3.6.0
Flags: sherold: Triaged+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-sdk-python-3.6.0.0-0.1
Doc Type: Enhancement
Doc Text:
Previously, the Python SDK supported authentication only with a username and a password, and could not authenticate to a RHEV-M server that was configured with Kerberos. Now, the Python SDK supports authentication using a previously obtained Kerberos ticket that is valid for the realm of the RHEV-M server. To authenticate using a Kerberos ticket, first acquire the ticket by using the kinit command or another mechanism, then use the "kerberos=True" option in the constructor of the API object.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-09 19:55:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1145239, 1249485, 1252760

Description Juan Hernández 2014-09-22 15:25:05 UTC
The Python SDK should be able to take the credentials from the Kerberos cache and use them to authenticate against a Kerberos protected engine.

The flow will be as follows:

1. The user obtains a ticket granting ticket from the Kerberos realm, using the "kinit" command or any other tool.

2. The user uses the Python SDK, including in the constructor of the API object a parameter that indicates that Kerberos authentication is to be used:

  api = ovirtsdk.api.API(
    url="https://fedora.example.com/ovirt-engine/api",
    kerberos=True,
    ...
  )

3. The Python SDK takes the credentials from the Kerberos cache and uses them to authenticate to the oVirt Engine server.

Note that no user name or password will be provided to the Python SDK in this case, and that obtaining the initial TGT will not be the responsibility of the Python SDK.
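
An added example, not part of the original report or of the SDK: a wrapper that follows the flow above but fails closed, refusing to connect when the credentials cache holds no valid ticket and rejecting any user name or password. The function names and the `api_factory` and `klist_cmd` parameters are hypothetical; the ticket check assumes MIT Kerberos `klist -s`, which reports cache validity through its exit status.

```python
import subprocess


def has_valid_ticket(klist_cmd=("klist", "-s")):
    """Return True if the default credentials cache is readable and unexpired.

    Assumes MIT Kerberos: `klist -s` prints nothing and exits 0 only when
    the cache can be read and has not expired.
    """
    try:
        return subprocess.run(list(klist_cmd), check=False).returncode == 0
    except OSError:
        # klist missing or not executable: treat as "no ticket".
        return False


def connect_with_kerberos(url, api_factory=None, klist_cmd=("klist", "-s"), **kwargs):
    """Open an SDK connection using only the cached Kerberos ticket."""
    # The flow provides no user name or password, so reject them outright
    # instead of letting a script mix both authentication styles.
    for forbidden in ("username", "password"):
        if forbidden in kwargs:
            raise ValueError("%s must not be passed with kerberos=True" % forbidden)
    # Fail before any network traffic if there is no usable ticket;
    # obtaining the TGT (kinit) stays the caller's responsibility.
    if not has_valid_ticket(klist_cmd):
        raise RuntimeError("no valid Kerberos ticket; run kinit first")
    if api_factory is None:
        # Imported lazily so the checks above work without the SDK installed.
        from ovirtsdk.api import API as api_factory
    return api_factory(url=url, kerberos=True, **kwargs)


if __name__ == "__main__":
    # URL taken from the report's own example.
    api = connect_with_kerberos("https://fedora.example.com/ovirt-engine/api")
    print("connected:", api is not None)
```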

Comment 1 Karolína Hajná 2015-07-13 11:50:18 UTC
Verified on ovirt-engine-sdk-python-3.6.0.0-0.15.20150625.gitfc90daf.fc20.noarch

Comment 5 errata-xmlrpc 2016-03-09 19:55:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0403.html