Bug 1322940

Summary: [RFE] AAA - Make Kerberos work with Java Authentication Framework
Product: Red Hat Enterprise Virtualization Manager
Reporter: Anitha Udgiri <audgiri>
Component: ovirt-engine
Assignee: Ondra Machacek <omachace>
Status: CLOSED ERRATA
QA Contact: Gonza <grafuls>
Severity: medium
Priority: unspecified
Version: 3.5.0
CC: bazulay, bgraveno, gklein, lsurette, lsvaty, mgoldboi, mperina, omachace, oourfali, rbalakri, Rhev-m-bugs, srevivo, ykaul
Target Milestone: ovirt-4.0.0-beta
Keywords: FutureFeature, ZStream
Target Release: 4.0.0
Flags: lsvaty: testing_plan_complete+
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
To provide a way to configure gssapi using a ticket cache for the authz pool, a new security domain called 'oVirtKerbAAA' was added to the JBoss configuration. It can be customized with the following variables:

AAA_KRB5_CONF_FILE=path_to_krb5_conf
    Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf. Java supports only one krb5 configuration; if the user changes this property, manage-domains will stop working, because its configuration is managed in /etc/ovirt-engine/krb5.conf.

AAA_JAAS_USE_TICKET_CACHE=true/false
    Enable or disable using the ticket cache file for authentication.

AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
    Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.

AAA_JAAS_USE_KEYTAB=false/true
    Enable or disable using the keytab file for authentication.

AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
    Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab, where OVIRT_HOME is the home directory of the ovirt user.

To use one of these features, the user has to create a new configuration file, for example /etc/ovirt-engine/engine.conf.d/99-jaas.conf, and specify the correct values for those variables.

To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (the default is oVirtKerb). Therefore, to use this new configuration for the authz pool, the user has to add the following line to the aaa-ldap authz configuration:

pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA

To use it for both authn and authz, the user has to add the following line to the aaa-ldap configuration:

pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA

Clones: 1327041
Last Closed: 2016-08-23 20:59:12 UTC
Type: Bug
oVirt Team: Infra
Bug Blocks: 1327041, 1361223

Description Anitha Udgiri 2016-03-31 17:49:00 UTC
Description of problem:
Customer wants to use kerberos ticket cache to
perform authorization via
gssapi.

This RFE is to request to help provide such a means to Customers.

Comment 1 Ondra Machacek 2016-04-07 09:46:40 UTC
In 3.6 the only way is to modify the file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' and
add there a new security-domain as follows:

<security-domain name="oVirtKerbAAA">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="useTicketCache" value="true"/>
      <!-- Specify a path to the ticket cache if they don't want to use the default (default is: '/tmp/krb5cc_{ovirt.uid}') -->
      <module-option name="ticketCache" value="/path/to/ticket_cache"/>
    </login-module>
  </authentication>
</security-domain>

Then configure authz pool as follows:
...
pool.authz.auth.type = gssapi
pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
...

Important note - the file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is overridden when
the engine is upgraded, so their changes will be lost after every upgrade.

In 4.0 we will provide new configuration options, so they don't have to change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', and their configuration will persist. We prepare a predefined security-domain in the JBoss configuration and they can change the specific values they need.

The following options can be modified:

# Used to specify if ticket cache should be used to authenticate
AAA_JAAS_USE_TICKET_CACHE=false
# Used to specify special ticket cache file, instead of default (default is /tmp/krb5cc_{ovirt.uid})
AAA_JAAS_TICKET_CACHE=
# Used to specify if key tab file should be used to authenticate
AAA_JAAS_USE_KEYTAB=false
# Used to specify special path to keytab, instead of default (default is {ovirt.home}{file.separator}krb5.keytab)
AAA_JAAS_KEYTAB=
# Used to rewrite default path to krb5.conf (default is /etc/krb5.conf)
AAA_KRB5_CONF=

Authz pool configuration remains the same as in 3.6.

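The following script is an added example (not oVirt's own code) that parses a 99-jaas.conf of the form the Doc Text describes, applies the documented defaults, renders the Krb5LoginModule options the 'oVirtKerbAAA' domain would receive, and flags the pitfalls named above (custom krb5.conf breaking manage-domains, no credential source enabled). It uses the final variable names from the Doc Text rather than the preliminary ones in comment 1; the parser, the uid/home parameters and the sample file are assumptions.

```python
# Validate a 99-jaas.conf for the 'oVirtKerbAAA' security domain and render the
# Krb5LoginModule options it yields. Added example, not oVirt's own code.
import os
import re

# Defaults as stated in the bug's Doc Text (final variable names).
DEFAULTS = {
    "AAA_KRB5_CONF_FILE": "/etc/ovirt-engine/krb5.conf",
    "AAA_JAAS_USE_TICKET_CACHE": "false",
    "AAA_JAAS_TICKET_CACHE_FILE": "",
    "AAA_JAAS_USE_KEYTAB": "false",
    "AAA_JAAS_KEYTAB_FILE": "",
}
_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')

# Constructed sample of /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
SAMPLE_CONF = """# use the ticket cache for the authz pool
AAA_JAAS_USE_TICKET_CACHE=true
AAA_JAAS_TICKET_CACHE_FILE="/var/lib/ovirt-engine/krb5cc_authz"
"""

def parse_conf(text):
    """KEY=VALUE lines over the defaults; comments, blanks and unknown keys are skipped."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in conf:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def jaas_options(conf, uid, ovirt_home):
    """Map the variables onto module-options; uid and ovirt_home are assumed inputs."""
    opts = {"useTicketCache": conf["AAA_JAAS_USE_TICKET_CACHE"] == "true",
            "useKeyTab": conf["AAA_JAAS_USE_KEYTAB"] == "true"}
    if opts["useTicketCache"]:  # documented default: /tmp/krb5cc_${UID}
        opts["ticketCache"] = conf["AAA_JAAS_TICKET_CACHE_FILE"] or "/tmp/krb5cc_%d" % uid
    if opts["useKeyTab"]:  # documented default: ${OVIRT_HOME}/krb5.keytab
        opts["keyTab"] = conf["AAA_JAAS_KEYTAB_FILE"] or os.path.join(ovirt_home, "krb5.keytab")
    return opts

def check(conf, opts):
    """Pitfalls named in the bug, plus a missing-file check for the chosen credential source."""
    warnings = []
    if conf["AAA_KRB5_CONF_FILE"] != DEFAULTS["AAA_KRB5_CONF_FILE"]:
        warnings.append("custom AAA_KRB5_CONF_FILE: Java has one krb5 config, manage-domains will stop working")
    if not (opts["useTicketCache"] or opts["useKeyTab"]):
        warnings.append("neither ticket cache nor keytab enabled: the gssapi pool has no credentials")
    for key in ("ticketCache", "keyTab"):
        if key in opts and not os.path.exists(opts[key]):
            warnings.append("%s file %s does not exist" % (key, opts[key]))
    return warnings
```
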
Comment 2 Yaniv Kaul 2016-04-07 11:56:23 UTC
(In reply to Ondra Machacek from comment #1)

...
> 
> Important note - file
> '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is
> overridden when 
> engine is upgraded so their changes will be lost after every upgrade.
> 
> In 4.0 we will provide new configuration options, so they don't have to
> change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in',
> so their configuration will persist. We prepare predefined security-domain
> in jboss configuration and they can change specific values, which they need.

So what will the upgrade (migration actually) from 3.6 to 4.0 look like?
Or does it not matter, because customers were used to getting their config lost on upgrade?

Comment 3 Ondra Machacek 2016-04-07 12:41:15 UTC
If anyone ever modified the file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', they lost their
modification when updating the package 'rhevm-backend'. So yes, the modification is lost on upgrade.

This is why this bug is for 4.0 and not for 3.6. In 4.0 no one has to modify ovirt-engine.xml.in in order to
make gssapi work with a ticket cache.

Comment 4 Martin Perina 2016-04-07 14:20:48 UTC
Moving back to post, we also need to handle the extension-tool use case.

Comment 6 Martin Perina 2016-05-23 12:55:31 UTC
Changes were done only on the engine side, so moving to the ovirt-engine component.

Comment 7 Gonza 2016-07-27 13:43:10 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev
rhevm-4.0.2-0.1.rc.el7ev.noarch

# ovirt-engine-extensions-tool aaa search --entity-name=vdcadmin --extension-name=ipa.redhat.com-authz
2016-07-27 13:24:19 INFO    ========================================================================
2016-07-27 13:24:19 INFO    ============================ Initialization ============================
2016-07-27 13:24:19 INFO    ========================================================================
2016-07-27 13:24:20 INFO    Loading extension 'internal-authn'
2016-07-27 13:24:20 INFO    Extension 'internal-authn' loaded
2016-07-27 13:24:20 INFO    Loading extension 'ipa.redhat.com-authn'
2016-07-27 13:24:20 INFO    Extension 'ipa.redhat.com-authn' loaded
2016-07-27 13:24:20 INFO    Loading extension 'internal-authz'
2016-07-27 13:24:20 INFO    Extension 'internal-authz' loaded
2016-07-27 13:24:21 INFO    Loading extension 'ipa.redhat.com-authz'
2016-07-27 13:24:21 INFO    Extension 'ipa.redhat.com-authz' loaded
2016-07-27 13:24:21 INFO    Initializing extension 'internal-authn'
2016-07-27 13:24:22 INFO    Extension 'internal-authn' initialized
2016-07-27 13:24:22 INFO    Initializing extension 'ipa.redhat.com-authn'
2016-07-27 13:24:22 INFO    [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authn'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO    Extension 'ipa.redhat.com-authn' initialized
2016-07-27 13:24:24 INFO    Initializing extension 'internal-authz'
2016-07-27 13:24:24 INFO    Extension 'internal-authz' initialized
2016-07-27 13:24:24 INFO    Initializing extension 'ipa.redhat.com-authz'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO    [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Available Namespaces: [dc=ipa,dc=redhat,dc=com]
2016-07-27 13:24:24 INFO    Extension 'ipa.redhat.com-authz' initialized
2016-07-27 13:24:24 INFO    Start of enabled extensions list
2016-07-27 13:24:24 INFO    Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO    Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO    Instance name: 'ipa.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO    Instance name: 'ipa.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO    End of enabled extensions list
2016-07-27 13:24:24 INFO    ========================================================================
2016-07-27 13:24:24 INFO    ============================== Execution ===============================
2016-07-27 13:24:24 INFO    ========================================================================
2016-07-27 13:24:24 INFO    Iteration: 0
2016-07-27 13:24:25 INFO    --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-07-27 13:24:25 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-07-27 13:24:25 INFO      --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-07-27 13:24:25 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-07-27 13:24:25 INFO      AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO      --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO    --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO    API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=ipa,dc=redhat,dc=com'
2016-07-27 13:24:25 INFO    API: <--Authz.InvokeCommands.QUERY_OPEN
2016-07-27 13:24:25 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2016-07-27 13:24:25 INFO    --- Begin PrincipalRecord ---
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vdcadmin
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: ucet
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_EMAIL: xxx
2016-07-27 13:24:25 INFO    AAA_LDAP_UNBOUNDID_DN: uid=vdcadmin,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_ID: e32a2998-e85b-11e0-ade4-001a4a013f11
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: nas ucet
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: nas
2016-07-27 13:24:25 INFO    --- End   PrincipalRecord ---
2016-07-27 13:24:25 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2016-07-27 13:24:25 INFO    API: -->Authz.InvokeCommands.QUERY_CLOSE
2016-07-27 13:24:25 INFO    API: <--Authz.InvokeCommands.QUERY_CLOSE

Comment 9 errata-xmlrpc 2016-08-23 20:59:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1749.html