Bug 1374311

Summary: Kerberos SSO setup enabling API v3 compatibility must not break API v4 functionality
Product: [oVirt] ovirt-engine
Reporter: Gonza <grafuls>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: high
Docs Contact:
Priority: high
Version: 4.0.0
CC: bugs, grafuls, juan.hernandez, lsvaty, mgoldboi, mperina, omachace, oourfali
Target Milestone: ovirt-4.0.5
Flags: rule-engine: ovirt-4.0.z+
mgoldboi: planning_ack+
mperina: devel_ack+
rule-engine: testing_ack+
Target Release: 4.0.5
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
For v3 and v4 API compatibility, the location match for the API in the Apache config file should be applied conditionally, only to requests that do not carry a Bearer or Basic Authorization header:

  <LocationMatch ^/ovirt-engine/api>
    <If "req('Authorization') !~ /^(Bearer|Basic)/i">
      RewriteEngine on
      ....
    </If>
  </LocationMatch>
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-18 07:39:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments: image-uploader log (flags: none)

Description Gonza 2016-09-08 12:26:29 UTC
Description of problem:
engine-image-uploader returns 401 unauthorized when using kerberos

Version-Release number of selected component (if applicable):
rhevm-4.0.3-0.1.el7ev.noarch
ovirt-engine-sdk-python-3.6.8.0-1.el7ev.noarch
python-ovirt-engine-sdk4-4.0.0-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure SSO integration with IdM as outlined in the documentation
2. Test and configure users
3. kinit on the rhevm host
4. Configure appropriate exports storage domain
5. try to upload image

Actual results:
# engine-image-uploader --with-kerberos -e gr01 upload Tiny\ Linux\ VM.ova 
WARNING: ovirt-image-uploader is deprecated in 4.0 and will be removed in 4.1
ERROR: Unable to connect to REST API at https://10-34-60-90.rhev.lab.eng.brq.redhat.com:443/ovirt-engine/api due to SDK error
Message: HTTP response code is 401.

# curl -v --negotiate -u : -X GET -H "Accept: application/xml" -k https://10-34-60-90.rhev.lab.eng.brq.redhat.com/ovirt-engine/api
* About to connect() to 10-34-60-90.rhev.lab.eng.brq.redhat.com port 443 (#0)
*   Trying 10.34.60.90...
* Connected to 10-34-60-90.rhev.lab.eng.brq.redhat.com (10.34.60.90) port 443 (#0)

...

< Vary: Accept-Encoding
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<api>
    ...
</api>
* Closing connection 0

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: vdcadmin

Valid starting       Expires              Service principal
09/08/2016 06:47:26  09/09/2016 06:47:21  HTTP/10-34-60-XX.com
	renew until 09/15/2016 06:47:21
09/08/2016 06:47:26  09/09/2016 06:47:21  HTTP/10-34-60-XX.com@
	renew until 09/15/2016 06:47:21
09/08/2016 06:47:23  09/09/2016 06:47:21  krbtgt/MY-IPA.COM
	renew until 09/15/2016 06:47:21


Expected results: 
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
Uploading: [########################################] 100%


Additional info:
Curl is able to use kerberos authentication. Logs attached.

Comment 1 Gonza 2016-09-08 12:29:18 UTC
Created attachment 1199058 [details]
image-uploader log

Comment 2 Ondra Machacek 2016-09-12 08:39:54 UTC
I've checked out the configuration of the machine and debugged the queries, and the problem was that the '/ovirt-engine/api' endpoint was configured to support GSSAPI authentication; when I removed that, image-uploader worked fine. Can you please re-check?

Comment 3 Ondra Machacek 2016-09-12 08:42:33 UTC
Just a note that SDK v4 obtains the SSO token at {url}/ovirt-engine/sso/oauth/token-http-auth and then uses this token to access '/ovirt-engine/api', so that endpoint shouldn't be set to support GSSAPI auth in the case of SDK v4.

Comment 4 Martin Perina 2016-09-12 09:19:11 UTC
Ravi, please take a look, we need to be able to support kerberos SSO for both v3 and v4 API at the same time.

Comment 5 Ondra Machacek 2016-09-12 10:16:18 UTC
One of the simple solutions (WA) is to add '/ovirt-engine/api/v4' to the location match and always use the /v4 suffix with the v4 SDKs.

Comment 6 Ravi Nori 2016-09-13 12:51:46 UTC
Conditionally applying the LocationMatch to take effect only if the requests do not contain Bearer or Basic authentication resolves the issue.

Comment 9 Gonza 2016-10-18 14:51:07 UTC
Verified with:
rhevm-4.0.5-0.1.el7ev.noarch

# engine-image-uploader --with-kerberos -e gr05 upload rhevm-appliance-20160922.0-1.x86_64.rhevm.ova

# cat /etc/ovirt-engine/aaa/ovirt-sso.conf 
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType Kerberos
    AuthName "Kerberos Login"

    Krb5Keytab /etc/httpd/httpd.keytab
    KrbAuthRealms IPA-FQDN.COM
   
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
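As an added check, not part of this bug's attachments or of oVirt's own tooling: the Python script below walks an Apache config of the shape shown above and flags any "AuthType Kerberos" inside a LocationMatch covering /ovirt-engine/api that is not wrapped in the Bearer/Basic <If> guard from Comment 6 and the doc text; kerberos_applies mirrors that <If> test against a request's headers. The two sample configs are constructed and reduced to the relevant directives, and treating the LocationMatch regex as a plain substring match is a simplification.

```python
"""Verify that Kerberos auth on /ovirt-engine/api is guarded by the
Authorization-header condition (added example, not oVirt tooling)."""
import re

# Constructed samples: the unguarded form that broke SDK v4 (Bearer-token
# requests got a Kerberos challenge) and the guarded form from the bug.
BROKEN_CONF = """\
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  AuthType Kerberos
  Require valid-user
</LocationMatch>
"""
FIXED_CONF = """\
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    AuthType Kerberos
    Require valid-user
  </If>
</LocationMatch>
"""

# The guard expression as written in the bug's ovirt-sso.conf.
GUARD = re.compile(r"""req\(['"]Authorization['"]\)\s*!~\s*/\^\(Bearer\|Basic\)/i""")
OPEN = re.compile(r"^<(\w+)\s*(.*)>$")    # <Section args>
CLOSE = re.compile(r"^</(\w+)>$")         # </Section>

def kerberos_guarded(conf):
    """True if every 'AuthType Kerberos' under a LocationMatch that covers
    /ovirt-engine/api sits inside the Bearer/Basic <If> guard."""
    stack = []  # open sections as (name, argument), innermost last
    for raw in conf.splitlines():
        line = raw.strip()
        if m := OPEN.match(line):
            stack.append((m.group(1), m.group(2)))
        elif m := CLOSE.match(line):
            stack.pop()
        elif re.match(r"AuthType\s+Kerberos$", line, re.I):
            # Simplification: substring test instead of evaluating the regex.
            covers_api = any(n == "LocationMatch" and "/ovirt-engine/api" in a for n, a in stack)
            guarded = any(n == "If" and GUARD.search(a) for n, a in stack)
            if covers_api and not guarded:
                return False
    return True

def kerberos_applies(headers):
    """Mirror the <If> test: Kerberos is attempted only when the request has
    no Authorization header or one that is not Bearer/Basic (case-insensitive)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    return not re.match(r"^(Bearer|Basic)", auth, re.I)
```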