Bug 962438

Summary: Support LDAP users for authenticating in the rest-api
Product: [JBoss] JBoss Operations Network
Component: REST
Version: JON 3.1.2
Reporter: Heiko W. Rupp <hrupp>
Assignee: Heiko W. Rupp <hrupp>
CC: lzoubek, mfoley, myarboro, skondkar
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: urgent
Target Milestone: ER01
Target Release: JON 3.2.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Clone Of: 961656
Bug Depends On: 961656

Description Heiko W. Rupp 2013-05-13 09:47:51 EDT
+++ This bug was initially created as a clone of Bug #961656 +++

The authentication in the REST api currently only supports local users, but no LDAP users.

We need to fix that.

--- Additional comment from Heiko W. Rupp on 2013-05-13 05:37:30 EDT ---

The simplest way to support LDAP would be to switch to the "RHQUserSecurityDomain", which fails, as RHQ removes / re-adds the domain on each start.
EAP sees this and complains that the removal would leave the rhq-rest.war in an illegal state (with a referenced but not provided security-domain) -- see below.

I currently see three possible options:
1) add the logic to add/remove LDAP support to the RHQRESTSecurityDomain
2) Fix the RHQUserSecurityDomain setup in the CustomJaasDeploymentService to
not touch the security-domain on each restart and to only add/remove the LDAP module when requested (and perhaps change flags on the other modules).
3) Check if the remove/re-add can be done in a transaction (an EAP composite operation), so that other services only see the end result.



11:26:28,758 INFO  [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Security domain [RHQUserSecurityDomain] already exists, it will be replaced.
11:26:28,804 INFO  [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018224: Unregister web context: /rest
11:26:28,806 INFO  [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) -- Filter destroy: 0 requests processed (hashCode=226618607).
11:26:28,813 INFO  [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018210: Register web context: /rest
11:26:28,820 INFO  [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) Initialized response-time filter for webapp with context root 'rest'.
11:26:28,823 ERROR [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Error deploying JAAS login modules: java.lang.Exception: Error registering RHQ JAAS modules
	at org.rhq.enterprise.server.core.CustomJaasDeploymentService.registerJaasModules(CustomJaasDeploymentService.java:176) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
	at org.rhq.enterprise.server.core.CustomJaasDeploymentService.installJaasModules(CustomJaasDeploymentService.java:76) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
Caused by: org.rhq.common.jbossas.client.controller.FailureException: Failed to remove security domain [RHQUserSecurityDomain]: JBAS014762: Removing services has lead to unsatisfied dependencies:
Service jboss.security.security-domain.RHQUserSecurityDomain was depended upon by service jboss.web.deployment.default-host./rest.realm
	at org.rhq.common.jbossas.client.controller.SecurityDomainJBossASClient.removeSecurityDomain(SecurityDomainJBossASClient.java:256)

--- Additional comment from Heiko W. Rupp on 2013-05-13 07:07:57 EDT ---

I think doing option 2) just got easier with the use of EAP 6.1, as this now allows login modules to be addressed individually:

[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.

org.rhq.enterprise.server.core.jaas.JDBCLoginModule                 org.rhq.enterprise.server.core.jaas.JDBCPrincipalCheckLoginModule
org.rhq.enterprise.server.core.jaas.LdapLoginModule
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:

add                          read-attribute               read-children-names          read-children-resources
read-children-types          read-operation-description   read-operation-names         read-resource
read-resource-description    remove                       undefine-attribute           whoami
write-attribute
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:
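The two approaches sketched in the description, written out as jboss-cli commands. This is an added illustration, not RHQ code and not an attachment to this bug: the management port (6999) and the login-module resource names are taken from the transcript above, while the `sufficient`/`required` flags and the LDAP module-options names and values are placeholders that a real deployment replaces with its own. Whether EAP accepts the remove/re-add batch without the JBAS014762 error is exactly the open question of option 3; the batch only shows what that composite would look like.

```jboss-cli
# Added example, not RHQ's code. Port 6999 is the one shown in the CLI prompt above.
connect localhost:6999

# Option 2: keep RHQUserSecurityDomain in place and address only the LDAP login module,
# which EAP 6.1 exposes as its own resource (names as listed by tab completion above).
cd /subsystem=security/security-domain=RHQUserSecurityDomain/authentication=classic

# Enabling LDAP: make the local JDBC module "sufficient" so a local user still logs in
# when LDAP rejects the bind, then add the LDAP module beside it. Flags and
# module-options here are illustrative placeholders, not RHQ's real settings.
./login-module=org.rhq.enterprise.server.core.jaas.JDBCLoginModule:write-attribute(name=flag,value=sufficient)
./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:add(code=org.rhq.enterprise.server.core.jaas.LdapLoginModule,flag=sufficient,module-options={"java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory","java.naming.provider.url"=>"ldap://ldap.example.com:389","BaseDN"=>"ou=People,dc=example,dc=com","Filter"=>"(uid={0})"})

# Inspect the result; if the response carries "process-state" => "reload-required",
# the changed domain is only in effect after a :reload.
:read-resource(recursive=true)

# Disabling LDAP: remove just that one module and restore the JDBC flag. The
# security-domain service itself, which the /rest realm depends on, is never removed.
./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:remove
./login-module=org.rhq.enterprise.server.core.jaas.JDBCLoginModule:write-attribute(name=flag,value=required)

# Option 3: if the whole domain must be replaced, group remove and re-add into one
# composite operation so other services only see the end state. Whether EAP accepts
# this without the dependency error quoted above is the check the comment asks for.
batch
/subsystem=security/security-domain=RHQUserSecurityDomain:remove
/subsystem=security/security-domain=RHQUserSecurityDomain:add(cache-type=default)
/subsystem=security/security-domain=RHQUserSecurityDomain/authentication=classic:add
/subsystem=security/security-domain=RHQUserSecurityDomain/authentication=classic/login-module=org.rhq.enterprise.server.core.jaas.JDBCLoginModule:add(code=org.rhq.enterprise.server.core.jaas.JDBCLoginModule,flag=required)
run-batch
```

The point of the option 2 block is that nothing ever removes the `security-domain` resource, so the `jboss.web.deployment.default-host./rest.realm` dependency from the stack trace stays satisfied throughout. Whatever flags are chosen, they should match what the CLI and UI login path uses, since loosening the JDBC module to `sufficient` changes which credentials the REST API will accept.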
Comment 1 Charles Crouch 2013-05-14 11:48:47 EDT
The REST api needs to authenticate users in exactly the same manner as CLI/UI
Comment 8 Heiko W. Rupp 2013-05-17 08:29:13 EDT
(as written in the linked BZ: master ba97ade9666a)
Comment 9 Mike Foley 2013-09-13 18:16:05 EDT
QE has automation running nightly with LDAP authentication and REST API.  This is working.