Bug 1322940
Summary: | [RFE] AAA - Make Kerberos work with Java Authentication Framework | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Anitha Udgiri <audgiri> | |
Component: | ovirt-engine | Assignee: | Ondra Machacek <omachace> | |
Status: | CLOSED ERRATA | QA Contact: | Gonza <grafuls> | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 3.5.0 | CC: | bazulay, bgraveno, gklein, lsurette, lsvaty, mgoldboi, mperina, omachace, oourfali, rbalakri, Rhev-m-bugs, srevivo, ykaul | |
Target Milestone: | ovirt-4.0.0-beta | Keywords: | FutureFeature, ZStream | |
Target Release: | 4.0.0 | Flags: | lsvaty: testing_plan_complete+ | |
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Enhancement | ||
Doc Text: |
To provide a way to configure gssapi with a ticket cache for the authz pool, a new security domain called 'oVirtKerbAAA' was added to the JBoss configuration. It can be customized with the following variables:

AAA_KRB5_CONF_FILE=path_to_krb5_conf
  Specifies a custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf.
  Java supports only one krb5 configuration; if the user changes this property, manage-domains will stop working, because its configuration is managed in /etc/ovirt-engine/krb5.conf.

AAA_JAAS_USE_TICKET_CACHE=true/false
  Enables or disables using the ticket cache file for authentication.

AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
  Specifies a custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.

AAA_JAAS_USE_KEYTAB=false/true
  Enables or disables using the keytab file for authentication.

AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
  Specifies a custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab, where OVIRT_HOME is the home directory of the ovirt user.

To use one of these features, the user has to create a new configuration file, for example /etc/ovirt-engine/engine.conf.d/99-jaas.conf, and set the correct values for those variables in it.

To use the new security domain from aaa-ldap, the user has to specify the correct JAASClientName (the default is oVirtKerb). Therefore, to use this new configuration for the authz pool, the user has to add the following line to the aaa-ldap authz configuration:

pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA

To use it for both authn and authz, the user has to add the following line to the aaa-ldap configuration:

pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA
|
Story Points: | --- | |
Clone Of: | ||||
: | 1327041 (view as bug list) | Environment: | ||
Last Closed: | 2016-08-23 20:59:12 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1327041, 1361223 |
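A consistency check for the 99-jaas.conf variables and the aaa-ldap jAASClientName line described in the Doc Text above, written here as an added example (it is not ovirt-engine's own code). It parses a constructed engine.conf.d fragment and aaa-ldap properties and reports three things a practitioner would want caught before restarting the engine: aaa-ldap selecting oVirtKerbAAA while neither ticket cache nor keytab is enabled, a changed AAA_KRB5_CONF_FILE (which the Doc Text says breaks manage-domains), and a keytab readable by group or others. The names check_jaas, parse_kv, mode_of and the path /path/to/engine.keytab are hypothetical.

```python
import re
import stat

DEFAULT_KRB5_CONF = "/etc/ovirt-engine/krb5.conf"  # default named in the Doc Text
# engine.conf.d lines are shell-style KEY=value (optional quotes, trailing comment)
ENV_RE = re.compile(r'^\s*([A-Z0-9_]+)=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
# aaa-ldap properties are java-properties style "key = value"
PROP_RE = re.compile(r'^\s*([\w.]+)\s*=\s*(.*?)\s*$')


def parse_kv(text, pattern):
    """Return {key: value} for every matching line; blanks and comments are skipped."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            m = pattern.match(line)
            if m:
                out[m.group(1)] = m.group(2)
    return out


def check_jaas(engine_conf, ldap_props, mode_of=None):
    """Return a list of findings (empty means the two files agree). mode_of(path)
    returns an st_mode int or None; it is injected so the test can avoid the FS."""
    env = parse_kv(engine_conf, ENV_RE)
    props = parse_kv(ldap_props, PROP_RE)
    findings = []
    selects_aaa = any(k.endswith(".auth.gssapi.jAASClientName") and v == "oVirtKerbAAA"
                      for k, v in props.items())
    use_cache = env.get("AAA_JAAS_USE_TICKET_CACHE", "false").lower() == "true"
    use_keytab = env.get("AAA_JAAS_USE_KEYTAB", "false").lower() == "true"
    if selects_aaa and not (use_cache or use_keytab):
        findings.append("NO_CREDENTIALS: aaa-ldap selects oVirtKerbAAA but neither "
                        "AAA_JAAS_USE_TICKET_CACHE nor AAA_JAAS_USE_KEYTAB is true")
    if env.get("AAA_KRB5_CONF_FILE", DEFAULT_KRB5_CONF) != DEFAULT_KRB5_CONF:
        findings.append("MANAGE_DOMAINS: custom AAA_KRB5_CONF_FILE breaks manage-domains, "
                        "which is configured via " + DEFAULT_KRB5_CONF)
    keytab = env.get("AAA_JAAS_KEYTAB_FILE")
    if use_keytab and keytab and mode_of is not None:
        mode = mode_of(keytab)
        if mode is None:
            findings.append("KEYTAB_MISSING: " + keytab)
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):  # keytab holds a long-term key
            findings.append("KEYTAB_PERMS: %s is accessible to group/others (%o)"
                            % (keytab, stat.S_IMODE(mode)))
    return findings


# Constructed sample input, not taken from the bug report
ENGINE_CONF = "AAA_JAAS_USE_KEYTAB=true\nAAA_JAAS_KEYTAB_FILE=/path/to/engine.keytab\n"
LDAP_PROPS = "pool.authz.auth.type = gssapi\npool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA\n"
```

On a real engine host, pass `mode_of=lambda p: os.stat(p).st_mode if os.path.exists(p) else None` and read the two files from /etc/ovirt-engine/engine.conf.d and /etc/ovirt-engine/aaa.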
Description
Anitha Udgiri
2016-03-31 17:49:00 UTC
In 3.6 the only way is to modify file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' and add a new security-domain there as follows:

<security-domain name="oVirtKerbAAA">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="useTicketCache" value="true"/>
      <!-- Specify a path to ticket cache if they don't want to use the default (default is: '/tmp/krb5cc_{ovirt.uid}') -->
      <module-option name="ticketCache" value="/path/to/ticket_cache"/>
    </login-module>
  </authentication>
</security-domain>

Then configure authz pool as follows:

...
pool.authz.auth.type = gssapi
pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
...

Important note - file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is overridden when engine is upgraded so their changes will be lost after every upgrade.

In 4.0 we will provide new configuration options, so they don't have to change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', so their configuration will persist. We prepare predefined security-domain in jboss configuration and they can change specific values, which they need.

The following options can be modified:

# Used to specify if ticket cache should be used to authenticate
AAA_JAAS_USE_TICKET_CACHE=false
# Used to specify special ticket cache file, instead of default (default is /tmp/krb5cc_{ovirt.uid})
AAA_JAAS_TICKET_CACHE=
# Used to specify if key tab file should be used to authenticate
AAA_JAAS_USE_KEYTAB=false
# Used to specify special path to keytab, instead of default (default is {ovirt.home}{file.separator}krb5.keytab)
AAA_JAAS_KEYTAB=
# Used to rewrite default path to krb5.conf (default is /etc/krb5.conf)
AAA_KRB5_CONF=

Authz pool configuration remains the same as in 3.6.

(In reply to Ondra Machacek from comment #1)
...
> Important note - file
> '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is
> overridden when engine is upgraded so their changes will be lost after every upgrade.
>
> In 4.0 we will provide new configuration options, so they don't have to
> change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in',
> so their configuration will persist. We prepare predefined security-domain
> in jboss configuration and they can change specific values, which they need.

So how will the upgrade (migration actually) from 3.6 to 4.0 look? Or does it not matter, because customers were used to getting their config lost on upgrade?

If anyone ever modified file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', he lost his modification when updating package 'rhevm-backend'. So yes, the modification is lost on upgrade. This is why this bug is for 4.0 and not for 3.6. In 4.0 no one has to modify ovirt-engine.xml.in in order to make gssapi work with ticket cache.
Moving back to post, we need to also handle the extension-tool use case.

Changes were done only on engine side, so moving to ovirt-engine component.

Verified with:
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev
rhevm-4.0.2-0.1.rc.el7ev.noarch

# ovirt-engine-extensions-tool aaa search --entity-name=vdcadmin --extension-name=ipa.redhat.com-authz
2016-07-27 13:24:19 INFO ========================================================================
2016-07-27 13:24:19 INFO ============================ Initialization ============================
2016-07-27 13:24:19 INFO ========================================================================
2016-07-27 13:24:20 INFO Loading extension 'internal-authn'
2016-07-27 13:24:20 INFO Extension 'internal-authn' loaded
2016-07-27 13:24:20 INFO Loading extension 'ipa.redhat.com-authn'
2016-07-27 13:24:20 INFO Extension 'ipa.redhat.com-authn' loaded
2016-07-27 13:24:20 INFO Loading extension 'internal-authz'
2016-07-27 13:24:20 INFO Extension 'internal-authz' loaded
2016-07-27 13:24:21 INFO Loading extension 'ipa.redhat.com-authz'
2016-07-27 13:24:21 INFO Extension 'ipa.redhat.com-authz' loaded
2016-07-27 13:24:21 INFO Initializing extension 'internal-authn'
2016-07-27 13:24:22 INFO Extension 'internal-authn' initialized
2016-07-27 13:24:22 INFO Initializing extension 'ipa.redhat.com-authn'
2016-07-27 13:24:22 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authn'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO Extension 'ipa.redhat.com-authn' initialized
2016-07-27 13:24:24 INFO Initializing extension 'internal-authz'
2016-07-27 13:24:24 INFO Extension 'internal-authz' initialized
2016-07-27 13:24:24 INFO Initializing extension 'ipa.redhat.com-authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Available Namespaces: [dc=ipa,dc=redhat,dc=com]
2016-07-27 13:24:24 INFO Extension 'ipa.redhat.com-authz' initialized
2016-07-27 13:24:24 INFO Start of enabled extensions list
2016-07-27 13:24:24 INFO Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'ipa.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'ipa.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO End of enabled extensions list
2016-07-27 13:24:24 INFO ========================================================================
2016-07-27 13:24:24 INFO ============================== Execution ===============================
2016-07-27 13:24:24 INFO ========================================================================
2016-07-27 13:24:24 INFO Iteration: 0
2016-07-27 13:24:25 INFO --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-07-27 13:24:25 INFO --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=ipa,dc=redhat,dc=com'
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2016-07-27 13:24:25 INFO --- Begin PrincipalRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vdcadmin
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: ucet
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_EMAIL: xxx
2016-07-27 13:24:25 INFO AAA_LDAP_UNBOUNDID_DN: uid=vdcadmin,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_ID: e32a2998-e85b-11e0-ade4-001a4a013f11
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: nas ucet
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: nas
2016-07-27 13:24:25 INFO --- End PrincipalRecord ---
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1749.html