Bug 1285889

Summary: [AAA][RestAPI] Remove support of SPNEGO directly to RestAPI
Product: [oVirt] ovirt-engine Reporter: Alon Bar-Lev <alonbl>
Component: RestAPIAssignee: Ravi Nori <rnori>
Status: CLOSED DEFERRED QA Contact: Lukas Svaty <lsvaty>
Severity: medium Docs Contact:
Priority: unspecified    
Version: ---CC: bugs, juan.hernandez, lsvaty, mperina
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-12 16:25:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1455534    

Description Alon Bar-Lev 2015-11-26 21:15:22 UTC
Since 3.5 we support direct SPNEGO to RestAPI.
In 4.0 we have SSO service that among other supports SNEGO.
As a result there is no need to support any authentication method but Basic and Bearer within our webapp.
Removing other authentication methods will enable us to remove all Authn/Authz extensions from BLL space, and stop using the login-on-behalf of SSO, removing this sensitive privilege from RestAPI client.

Juan, once this is ACKed, rnori can remove the necessary code.

Comment 1 Red Hat Bugzilla Rules Engine 2015-11-27 06:06:45 UTC
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 2 Red Hat Bugzilla Rules Engine 2015-11-30 22:37:40 UTC
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.

Comment 4 Juan Hernández 2016-04-06 11:17:52 UTC
This support can't be removed from the engine before we remove the support for version 3 of the API, and that won't happen before 4.1, so I'm re-targeting.

Comment 5 Ravi Nori 2019-03-12 16:25:58 UTC
We have decided to keep the support of SPNEGO directly to RestAPI as a convenience feature