Bug 1468878

Summary: multiple http.AuthnExtension fails
Product: [oVirt] ovirt-engine
Reporter: Fabrice Bacchella <fabrice.bacchella>
Component: AAA
Assignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.1.2
CC: bugs, lsvaty, mperina
Target Milestone: ovirt-4.2.2
Flags: rule-engine: ovirt-4.2+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-29 11:10:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
relevant engine log (flags: none)

Description Fabrice Bacchella 2017-07-09 09:29:43 UTC
I have two kerberos realms. The first one is an Active Directory, the second a MIT. I need kerberos authentication in both realms. So I want two profiles. Both will use org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication. The first one will use an LDAP authz.plugin. I plan to put my MIT users in a JDBC authz.plugin.

But oVirt doesn't like that setup. As the authn part always succeeds (Kerberos authentication is done in Apache), when the first authz to be tried fails, everything fails.
AD users are fine, I can log in to the UI with kerberos, AD users are resolved. But when I try with a MIT user (rexecutor in my case), it fails.

I activated debug and got:

2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
       at org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
       at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
       at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
       at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
       at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
       at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
       at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
       at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
       at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
       at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
       at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
       at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
       at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
       at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
       at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
       at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
       at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

Right after that, I see in the log:
2017-07-04 17:50:25,718+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] External Authentication Failed: Cannot resolve principal 'rexecutor'
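To make the reported control flow concrete, here is an added Python model (not oVirt engine code) of the Negotiate login path with two http.AuthnExtension profiles: authn cannot fail because Apache already validated the Kerberos ticket, so the outcome is decided entirely by how a failed authz lookup in one profile is handled. The profile names, directory contents and the "expected" fall-through behaviour are assumptions, not taken from the engine.

```python
# Added example (not oVirt engine code): model of the login flow in this bug.
# Both profiles use http.AuthnExtension, so authn always succeeds; only the
# per-profile authz lookup can fail. Names and directories are constructed.
from typing import Dict, List, Tuple


class AuthzError(RuntimeError):
    """Stands in for the RuntimeException 'Cannot resolve principal ...'."""


class Profile:
    """One authn/authz profile; `directory` is what its authz backend knows."""

    def __init__(self, name: str, directory: Dict[str, Dict[str, str]]):
        self.name = name
        self.directory = directory

    def authenticate(self, principal: str) -> str:
        # http.AuthnExtension: trust the principal Apache put in REMOTE_USER.
        return principal

    def fetch_principal_record(self, principal: str) -> Dict[str, str]:
        # Mirrors AuthzExtension.doFetchPrincipalRecord: unknown -> exception.
        try:
            return self.directory[principal]
        except KeyError:
            raise AuthzError(f"Cannot resolve principal '{principal}'") from None


def negotiate_auth_reported(principal: str, profiles: List[Profile]) -> Tuple[str, Dict[str, str]]:
    """Behaviour in the report: the first profile's authz failure ends the login."""
    first = profiles[0]
    return first.name, first.fetch_principal_record(first.authenticate(principal))


def negotiate_auth_expected(principal: str, profiles: List[Profile]) -> Tuple[str, Dict[str, str]]:
    """Assumed expected behaviour: try each profile's authz, return the first hit.

    Operator note: a principal known to several directories is attributed to
    the first profile in the list, so profile order decides whose record and
    permissions apply."""
    failures = []
    for profile in profiles:
        user = profile.authenticate(principal)
        try:
            return profile.name, profile.fetch_principal_record(user)
        except AuthzError as err:
            failures.append(f"{profile.name}: {err}")
    raise AuthzError("External Authentication Failed: " + "; ".join(failures))


# Constructed directories: AD users via LDAP authz, MIT users via JDBC authz.
PROFILES = [
    Profile("ad-ldap", {"alice": {"dn": "cn=alice,dc=example,dc=com"}}),
    Profile("mit-jdbc", {"rexecutor": {"id": "42"}}),
]
```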

Comment 1 Gonza 2018-01-30 21:01:15 UTC
Created attachment 1388641 [details]
relevant engine log

Comment 2 Gonza 2018-01-30 21:05:18 UTC
Tried with:
ovirt-engine-4.2.1.4-0.1.el7.noarch

The multiple authn extension scenario is now working when accessing webadmin, but the issue is still present via REST, like:
curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://engine.com/ovirt-engine/api/vms

Relevant logs for this call are already attached to this ticket.

Comment 3 Red Hat Bugzilla Rules Engine 2018-01-30 21:05:23 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 4 Ondra Machacek 2018-02-22 10:52:49 UTC
Please don't verify with /api/vms, it isn't supported anymore. Test with the new sso endpoint [1] for kerberos auth to test the API, and test also with webadmin.


[1] POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
    scope=ovirt-app-api&grant_type=urn%3Aovirt%3Aparams%3Aoauth%3Agrant-type%3Ahttp

Comment 5 Petr Matyáš 2018-03-16 11:25:00 UTC
Verified on ovirt-engine-4.2.2.2-0.1.el7.noarch

Comment 6 Sandro Bonazzola 2018-03-29 11:10:15 UTC
This bugzilla is included in the oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be resolved in the oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.