Bug 1472747

Summary: Error while trying to authenticate ovirt-provider-ovn against Active Directory
Product: [oVirt] ovirt-provider-ovn
Reporter: Mor <mkalfon>
Component: provider
Assignee: Dominik Holler <dholler>
Status: CLOSED CURRENTRELEASE
QA Contact: Mor <mkalfon>
Severity: medium
Priority: medium
Version: 1.0.4
CC: bugs, danken, dholler, myakove, trichard, ylavi
Target Milestone: ovirt-4.2.0
Flags: rule-engine: ovirt-4.2+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
You can authenticate ovirt-provider-ovn against Active Directory.

To authenticate via user/password, set ovirt-admin-user-name=<admin_username> in /etc/ovirt-provider-ovn/conf.d and use <admin_username>@<ad_domain>@<auth_profile> when defining the external provider in the Manager.

To authenticate with an Active Directory group, set the following in /etc/ovirt-provider-ovn/conf.d:

[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835

and use <admin_username>@<ad_domain>@<auth_profile> when defining the external provider in the Manager.

Story Points: ---
Last Closed: 2017-12-20 11:44:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Network
Cloudforms Team: ---
Bug Blocks: 1445172, 1539551
Attachments:
Description: logs and authentication configs (Flags: none)

Description Mor 2017-07-19 10:39:20 UTC
Created attachment 1300961 [details]
logs and authentication configs


Description of problem:
I am unable to configure ovirt-provider-ovn to work with the default ovirt-engine-extension-aaa-ldap-setup wizard 
configuration for Active Directory.

Version-Release number of selected component (if applicable):
oVirt Engine Version: 4.2.0-0.0.master.20170716152706.gitf7bf90f.el7.centos

How reproducible:
100%

Steps to Reproduce:
1. Run ovirt-engine-extension-aaa-ldap-setup.
2. Choose 'Active Directory' for LDAP implementation.
3. Input the AD FQDN server address.
4. Input the user DN in the search user DN question.
5. Choose "Login" action to test the connection and make sure it passes successfully.
6. Configure the relevant settings on ovirt-provider-ovn.conf configuration:
[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=<AD group name>

Actual results:
ovirt-provider-ovn throws a 'Forbidden' exception in the log:
2017-07-18 14:54:03,178   Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,732   "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 200 236
2017-07-18 14:54:03,736   Response code: 200
2017-07-18 14:54:03,736   Response body: {"access": {"token": {"id": "btoka97bF1H5FfA_W7jI6Ha1Fh02IDB0h7f_6bAgzl4N1jsIiCoKGR2wntC4ZcXUNnCy8sfdWi2pRDfg16kA6w"}, "serviceCatalog": [{"endpoints_links": [], "endpoints": [{"adminURL": "http://localhost:9696/v2.0/networks", "region": "RegionOne", "id": "00000000000000000000000000000001", "internalURL": "http://localhost:9696/v2.0/networks", "publicURL": "http://localhost:9696/v2.0/networks"}], "type": "network", "name": "neutron"}, {"endpoints_links": [], "endpoints": [{"adminURL": "http://localhost:35357/v2.0/tokens", "region": "RegionOne", "publicURL": "http://localhost:35357/v2.0/tokens", "internalURL": "http://localhost:35357/v2.0/tokens", "id": "00000000000000000000000000000002"}], "type": "identity", "name": "keystone"}]}}
2017-07-18 14:54:03,799   Request: GET : /v2.0/
2017-07-18 14:54:03,802   Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,851   "POST /ovirt-engine/sso/oauth/token-info HTTP/1.1" 200 386
2017-07-18 14:54:03,854   token_info: {u'user_id': u'ovn_admin.lab.eng.brq.redhat.com@ovn-auth-test', u'client_id': None, u'token_type': u'bearer', u'exp': u'9223372036854775807', u'active': True, u'scope': u'ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access', u'ovirt': [u'java.util.HashMap', {u'first_name': u'ovn_admin', u'last_name': None, u'version': u'0', u'namespace': u'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com', u'principal_id': u'+xDgGJUUGkOx3cnyfgg3OA==', u'group_ids': [u'java.util.ArrayList', []], u'capability_credentials_change': False, u'email': None}]}
2017-07-18 14:54:03,854   
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 108, in _handle_request
    method, key, id, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 53, in handle_request
    self._get_response_handler(method, key), content, id
  File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 40, in call_response_handler
    raise Forbidden()
Forbidden

Expected results:
Should work as expected.

Comment 1 Dan Kenigsberg 2017-07-27 09:11:54 UTC
authentication via username/password works.

authentication via group membership still needs to be understood.

Comment 2 Mor 2017-07-30 10:20:10 UTC
I found authentication via group to be working correctly.

The username format was wrong. For Active Directory we need to use the following username format: <admin_username>@<ad_domain>@<auth_profile> when saving the settings in the provider window.

I used the following ovirt-provider-ovn.conf settings:

[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=ovn_admins

This scenario needs to be documented. I think that it is better to add an additional setting for the authentication profile in the conf file, so that the username <user>@<domain> will be accepted.
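
The two things Comment 2 turns on, the three-part <admin_username>@<ad_domain>@<auth_profile> login name and the group check that produced the Forbidden in the description, are modelled below. This is an added example, not ovirt-provider-ovn's own code: the config text and the empty `group_ids` are taken from this bug, while the shape of a populated group entry inside `token_info["ovirt"]["group_ids"]` (a Jackson-style `["java.util.HashMap", {...}]` carrying the configured attribute name as a key) is an assumption made for the demo and may differ from the real engine payload.

```python
# Added example (not ovirt-provider-ovn code): a simplified AuthorizationByGroup
# decision driven by the [OVIRT] settings quoted in this bug and by the engine's
# token-info response. Group entry layout inside group_ids is ASSUMED here.
import configparser

# Config text copied from the settings quoted in the bug.
SAMPLE_CONF = """\
[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=ovn_admins
"""

GROUP_ATTR = "AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835"

# Constructed token-info body mirroring the bug's log: the engine resolved the
# user but returned no groups, so a group-based check can only deny.
TOKEN_INFO_NO_GROUPS = {
    "user_id": "ovn_admin.lab.eng.brq.redhat.com@ovn-auth-test",
    "active": True,
    "ovirt": ["java.util.HashMap", {
        "first_name": "ovn_admin",
        "namespace": "DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com",
        "group_ids": ["java.util.ArrayList", []],
    }],
}

# Constructed token-info body for a login that did resolve AD groups.
# The per-group dict keyed by GROUP_ATTR is an assumption for this demo.
TOKEN_INFO_WITH_GROUP = {
    "user_id": "ovn_admin@ad-w2k12r2.rhev.lab.eng.brq.redhat.com@ovn-auth-test",
    "active": True,
    "ovirt": ["java.util.HashMap", {
        "first_name": "ovn_admin",
        "group_ids": ["java.util.ArrayList", [
            ["java.util.HashMap", {GROUP_ATTR: "ovn_admins"}],
            ["java.util.HashMap", {GROUP_ATTR: "network_viewers"}],
        ]],
    }],
}


class Forbidden(Exception):
    """Raised when the token owner is not a member of the configured admin group."""


def parse_ad_username(username):
    """Split <user>@<ad_domain>@<auth_profile>; return None for any other form."""
    if username.count("@") != 2:
        return None
    user, domain, profile = username.split("@")
    if not (user and domain and profile):
        return None
    return {"user": user, "domain": domain, "profile": profile}


def unwrap_java(value):
    """Strip Jackson type markers such as ["java.util.HashMap", {...}]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return value[1]
    return value


def load_group_policy(conf_text):
    """Return (attribute name, required value) from the [OVIRT] section.

    interpolation=None keeps configparser from touching '%' in values and the
    default parser leaves the ';' separators inside the attribute name intact.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["OVIRT"]
    return (section["ovirt-admin-group-attribute-name"],
            section["ovirt-admin-group-attribute-value"])


def group_values(token_info, attr_name):
    """Collect the configured attribute from every group the engine listed."""
    ovirt = unwrap_java(token_info.get("ovirt", {}))
    groups = unwrap_java(ovirt.get("group_ids", []))
    values = []
    for group in groups:
        group = unwrap_java(group)
        if isinstance(group, dict) and attr_name in group:
            values.append(group[attr_name])
    return values


def is_admin(token_info, conf_text):
    """Active token whose groups contain the configured admin group value."""
    if not token_info.get("active"):
        return False
    attr_name, required = load_group_policy(conf_text)
    return required in group_values(token_info, attr_name)


def authorize(token_info, conf_text):
    """Raise Forbidden, as the provider log in this bug shows, when the check fails."""
    if not is_admin(token_info, conf_text):
        raise Forbidden()
    return True


if __name__ == "__main__":
    for info in (TOKEN_INFO_NO_GROUPS, TOKEN_INFO_WITH_GROUP):
        try:
            authorize(info, SAMPLE_CONF)
            print(info["user_id"], "-> admitted")
        except Forbidden:
            print(info["user_id"], "-> Forbidden")
```

Run stand-alone it prints one Forbidden line for the empty-group body and one admitted line for the body that carries ovn_admins, which is the difference Comment 2 describes between the failing and the working login.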

Comment 3 Mor 2017-08-17 13:23:09 UTC
Patch is not merged yet.

Comment 4 Mor 2017-08-17 13:23:29 UTC
Patch is not merged yet

Comment 5 Mor 2017-09-05 10:16:09 UTC
Verified on:
ovirt-provider-ovn-1.1-2.20170901074127.gitaaaa5fa.el7.centos.noarch

Comment 6 Sandro Bonazzola 2017-12-20 11:44:45 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.