Bug 1650583
Summary: | [RFE] Move Openshift build from module mod_auth_kerb to mod_auth_gssapi | ||
---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Joe Vlcek <jvlcek> |
Component: | cfme-openshift-httpd | Assignee: | Joe Vlcek <jvlcek> |
Status: | CLOSED ERRATA | QA Contact: | Ievgen Zapolskyi <izapolsk> |
Severity: | medium | Docs Contact: | Red Hat CloudForms Documentation <cloudforms-docs> |
Priority: | unspecified | ||
Version: | 5.10.0 | CC: | abellott, bmidwood, dmetzger, izapolsk, jvlcek, lavenel, obarenbo, simaishi, smallamp |
Target Milestone: | GA | Keywords: | FutureFeature |
Target Release: | 5.10.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 5.10.0.25 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-02-07 22:45:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | Container Management | Target Upstream Version: | |
Embargoed: |
Description
Joe Vlcek
2018-11-16 14:42:09 UTC
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low. New commit detected on ManageIQ/manageiq-pods/master: https://github.com/ManageIQ/manageiq-pods/commit/ec00ca1d830edac8791d1d6b83b7c409b56bdf9e commit ec00ca1d830edac8791d1d6b83b7c409b56bdf9e Author: Joe VLcek <jvlcek> AuthorDate: Fri Nov 16 10:41:42 2018 -0500 Commit: Joe VLcek <jvlcek> CommitDate: Fri Nov 16 10:41:42 2018 -0500 https://www.pivotaltracker.com/n/projects/1610127/stories/160297262 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1650583 templates/miq-template-ext-db.yaml | 26 +- templates/miq-template.yaml | 26 +- 2 files changed, 20 insertions(+), 32 deletions(-) New commit detected on ManageIQ/manageiq-pods/hammer: https://github.com/ManageIQ/manageiq-pods/commit/b85250e9a1ff1f370dc4b2761640bdcc5043c700 commit b85250e9a1ff1f370dc4b2761640bdcc5043c700 Author: Nick Carboni <ncarboni> AuthorDate: Fri Nov 16 11:47:19 2018 -0500 Commit: Nick Carboni <ncarboni> CommitDate: Fri Nov 16 11:47:19 2018 -0500 Merge pull request #314 from jvlcek/mod_auth_gssapi_master Move from apache module mod_auth_kerb to mod_auth_gssap (cherry picked from commit 16fa6d6f84174ae8743ea666e190076bb49a2538) https://bugzilla.redhat.com/show_bug.cgi?id=1650583 templates/miq-template-ext-db.yaml | 26 +- templates/miq-template.yaml | 26 +- 2 files changed, 20 insertions(+), 32 deletions(-) Hello Joe, is it enough to just check that IPA auth isn't broken after this change ? Could you advice necessary use cases otherwise ? (In reply to Ievgen Zapolskyi from comment #10) > Hello Joe, > > is it enough to just check that IPA auth isn't broken after this change ? > Could you advice necessary use cases otherwise ? Ievgen, You need to test Single Sign On. You can use IPA but you must enable SSO on the appliance Authentication page. - There are 3 moving parts when doing SSO: -- 1 the server, e.g. IPA Server, AD Server -- 2 the client, e.g. MiQ Configured as an IPA Client or AD client -- 3 The host running the browser, e.g. your laptop Set up a /etc/krb5.conf on your laptop. Get a kerberos ticket by running kinit on your laptop. Note: SSO is DNS centric so do not user IP Addresses, You must configure a hostname for your Cloudforms appliance and the IPA server. Also make sure the time on all three machines is synced. You will also need to exit chrome and restart it with --auth-server-whitelist and --auth-negotitate-delegate-whitelist. I'll PM you the command I use. Many Thanks Joe for extended reply. It works as expected. Verified in 5.10.0.29 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0213 |