Bug 1327041
Summary: | [RFE] [z-stream clone - 3.6.7] AAA - Make Kerberos work with Java Authentication Framework | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | rhev-integ |
Component: | ovirt-engine | Assignee: | Ondra Machacek <omachace> |
Status: | CLOSED ERRATA | QA Contact: | Gonza <grafuls> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 3.5.0 | CC: | bazulay, bgraveno, gklein, lsurette, mgoldboi, mperina, omachace, oourfali, pstehlik, rbalakri, Rhev-m-bugs, srevivo, ykaul |
Target Milestone: | ovirt-3.6.7 | Keywords: | FutureFeature, ZStream |
Target Release: | 3.6.7 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: |
To provide a way to configure GSSAPI with a ticket cache for the authz pool, a new security domain called 'oVirtKerbAAA' was added to the JBoss configuration. It can be customized with the following variables:
AAA_KRB5_CONF_FILE=path_to_krb5_conf
Specifies a custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf.
Java supports only one krb5 configuration, so if this property is changed, manage-domains stops working, because its configuration is managed in /etc/ovirt-engine/krb5.conf.
AAA_JAAS_USE_TICKET_CACHE=true/false
Enables or disables using the ticket cache file for authentication.
AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
Specifies a custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the numeric ID of the ovirt user.
AAA_JAAS_USE_KEYTAB=false/true
Enables or disables using the keytab file for authentication.
AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
Specifies a custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab, where OVIRT_HOME is the home directory of the ovirt user.
To use one of these features, create a new configuration file and set the variables there, for example /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
To use the new security domain from aaa-ldap, the JAASClientName must point at it (the default is oVirtKerb). To use it for the authz pool only, add the following line to the aaa-ldap authz configuration:
pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
To use it for both authn and authz, add the following line to the aaa-ldap configuration instead:
pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA
|
Story Points: | --- |
Clone Of: | 1322940 | Environment: | |
Last Closed: | 2016-06-29 16:19:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1322940 | ||
Bug Blocks: |
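The drop-in and the aaa-ldap property from the Doc Text, as an added shell example that is not part of this bug report or of oVirt itself: it renders a keytab-based 99-jaas.conf, sets jAASClientName for one pool, and refuses the configuration when the keytab or ticket cache is readable by anyone other than the engine's service user. The file paths, the sample properties file and the 'pool.default.serverset.single.server' line are constructed for the example; the owner check is run as the current user so it works on a scratch machine.

```shell
#!/bin/sh
# Added example, not code from the bug report or from oVirt: render the
# engine.conf.d drop-in and the aaa-ldap property described in the Doc Text,
# then check the credential files before restarting the engine. All paths and
# the sample properties file are assumptions constructed for this example.

# Print a keytab-based drop-in for /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
# $1 = keytab path, $2 = krb5.conf path.
render_jaas_conf() {
    cat <<EOF
AAA_KRB5_CONF_FILE=$2
AAA_JAAS_USE_TICKET_CACHE=false
AAA_JAAS_USE_KEYTAB=true
AAA_JAAS_KEYTAB_FILE=$1
EOF
}

# conf_get FILE KEY: value of the last KEY=value line in FILE, empty if unset.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# set_jaas_client_name FILE POOL NAME: set pool.POOL.auth.gssapi.jAASClientName
# in an aaa-ldap properties file, replacing any earlier definition of that key.
set_jaas_client_name() {
    key="pool.$2.auth.gssapi.jAASClientName"
    { grep -v "^$key[ =]" "$1" 2>/dev/null || true; echo "$key = $3"; } >"$1.tmp"
    mv "$1.tmp" "$1"
}

# Octal mode and owner of a file (GNU stat first, BSD stat as fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_secret_file FILE OWNER LABEL: 0 if FILE exists, is owned by OWNER and is
# readable by nobody else. A keytab or ticket cache readable by other local
# users hands them the engine's Kerberos identity.
check_secret_file() {
    [ -f "$1" ] || { echo "error: $3 '$1' missing" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) ;;
        *) echo "error: $3 '$1' has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    [ "$(file_owner "$1")" = "$2" ] ||
        { echo "error: $3 '$1' is not owned by $2" >&2; return 1; }
}

# check_jaas_conf CONF OWNER: 0 if the drop-in is usable by the engine's
# service user OWNER (normally 'ovirt'), 1 otherwise. Findings go to stderr.
check_jaas_conf() {
    rc=0
    krb5=$(conf_get "$1" AAA_KRB5_CONF_FILE)
    # Java reads a single krb5.conf; pointing the engine elsewhere breaks
    # manage-domains, whose configuration lives in /etc/ovirt-engine/krb5.conf.
    if [ -n "$krb5" ] && [ "$krb5" != /etc/ovirt-engine/krb5.conf ]; then
        echo "warning: custom krb5.conf '$krb5' disables manage-domains" >&2
    fi
    if [ "$(conf_get "$1" AAA_JAAS_USE_KEYTAB)" = true ]; then
        keytab=$(conf_get "$1" AAA_JAAS_KEYTAB_FILE)
        check_secret_file "$keytab" "$2" keytab || rc=1
    fi
    if [ "$(conf_get "$1" AAA_JAAS_USE_TICKET_CACHE)" = true ]; then
        cache=$(conf_get "$1" AAA_JAAS_TICKET_CACHE_FILE)
        # The cache may not exist until kinit has run; only check it if present.
        if [ -n "$cache" ] && [ -e "$cache" ]; then
            check_secret_file "$cache" "$2" "ticket cache" || rc=1
        fi
    fi
    return $rc
}

# Demo on constructed files in a temp dir, using the current user as OWNER.
demo() {
    d=$(mktemp -d)
    printf 'constructed, not a real keytab\n' >"$d/krb5.keytab"
    render_jaas_conf "$d/krb5.keytab" /etc/ovirt-engine/krb5.conf >"$d/99-jaas.conf"
    printf 'pool.default.serverset.single.server = ipa.example.com\n' >"$d/ipa-authz.properties"
    set_jaas_client_name "$d/ipa-authz.properties" authz oVirtKerbAAA
    chmod 644 "$d/krb5.keytab"
    check_jaas_conf "$d/99-jaas.conf" "$(id -un)" || echo "rejected world-readable keytab"
    chmod 600 "$d/krb5.keytab"
    check_jaas_conf "$d/99-jaas.conf" "$(id -un)" && cat "$d/99-jaas.conf" "$d/ipa-authz.properties"
    rm -rf "$d"
}

demo
```

On a real engine, run check_jaas_conf against /etc/ovirt-engine/engine.conf.d/99-jaas.conf with 'ovirt' as OWNER before restarting ovirt-engine; the warning about a custom krb5.conf repeats the manage-domains caveat from the Doc Text and is deliberately not an error, since the trade-off is the administrator's to make.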
Comment 1
Martin Perina
2016-04-14 07:20:37 UTC
One of the patches would introduce a regression to manage-domains; adding back to POST until fixed. Changes were done only on the engine side, so moving to the ovirt-engine component.

Verified with:
rhevm-3.6.7.2-0.1.el6.noarch
ovirt-engine-extension-aaa-ldap-1.1.4-1.el6ev.noarch

# ovirt-engine-extensions-tool aaa search --entity-name=vdcadmin --extension-name=ipa-authz
2016-06-13 18:33:09 INFO ========================================================================
2016-06-13 18:33:09 INFO ============================ Initialization ============================
2016-06-13 18:33:09 INFO ========================================================================
2016-06-13 18:33:09 INFO Loading extension 'ipa-authz'
2016-06-13 18:33:09 INFO Extension 'ipa-authz' loaded
2016-06-13 18:33:09 INFO Loading extension 'ipa-authn'
2016-06-13 18:33:10 INFO Extension 'ipa-authn' loaded
2016-06-13 18:33:10 INFO Initializing extension 'ipa-authz'
2016-06-13 18:33:10 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa-authz] Creating LDAP pool 'authz'
2016-06-13 18:33:10 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-06-13 18:33:10 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa-authz] Available Namespaces: [dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com]
2016-06-13 18:33:10 INFO Extension 'ipa-authz' initialized
2016-06-13 18:33:20 INFO Initializing extension 'ipa-authn'
2016-06-13 18:33:20 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa-authn] Creating LDAP pool 'authz'
2016-06-13 18:33:20 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-06-13 18:33:20 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa-authn] Creating LDAP pool 'authn'
2016-06-13 18:33:20 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-06-13 18:33:20 INFO Extension 'ipa-authn' initialized
2016-06-13 18:33:20 INFO Start of enabled extensions list
2016-06-13 18:33:20 INFO Instance name: 'ipa-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa-authn.properties', Initialized: 'true'
2016-06-13 18:33:20 INFO Instance name: 'ipa-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa-authz.properties', Initialized: 'true'
2016-06-13 18:33:20 INFO End of enabled extensions list
2016-06-13 18:33:20 INFO ========================================================================
2016-06-13 18:33:20 INFO ============================== Execution ===============================
2016-06-13 18:33:20 INFO ========================================================================
2016-06-13 18:33:20 INFO --- Begin QueryFilterRecord ---
2016-06-13 18:33:20 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-06-13 18:33:20 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-06-13 18:33:20 INFO --- Begin QueryFilterRecord ---
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-06-13 18:33:20 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-06-13 18:33:20 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-06-13 18:33:20 INFO --- End QueryFilterRecord ---
2016-06-13 18:33:20 INFO --- End QueryFilterRecord ---
2016-06-13 18:33:20 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'
2016-06-13 18:33:20 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2016-06-13 18:33:20 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-06-13 18:33:20 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2016-06-13 18:33:20 INFO --- Begin PrincipalRecord ---
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: nas ucet
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_EMAIL: xxx
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: ucet
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vdcadmin
2016-06-13 18:33:20 INFO AAA_LDAP_UNBOUNDID_DN: uid=vdcadmin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_ID: e32a2998-e85b-11e0-ade4-001a4a013f11
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: nas
2016-06-13 18:33:20 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
2016-06-13 18:33:20 INFO --- End PrincipalRecord ---
2016-06-13 18:33:20 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-06-13 18:33:20 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2016-06-13 18:33:20 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2016-06-13 18:33:20 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2016:1364