Bug 1035279 - [RFE] Allow to disable SSO per VM
Summary: [RFE] Allow to disable SSO per VM
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-userportal
Version: 3.4
Hardware: Unspecified
OS: All
medium
unspecified
Target Milestone: ---
: 3.4.0
Assignee: Frantisek Kobzik
QA Contact: Pavel Novotny
URL:
Whiteboard: virt
Depends On:
Blocks: 758946
 
Reported: 2013-11-27 12:48 UTC by Frantisek Kobzik
Modified: 2014-03-31 15:04 UTC (History)

Fixed In Version: ovirt-3.4.0-ga
Doc Type: Enhancement
Doc Text:
Clone Of: 758946
Environment:
Last Closed: 2014-03-31 15:04:28 UTC
oVirt Team: ---


Attachments
screen-shot: SSO method (45.88 KB, image/png)
2014-01-26 00:02 UTC, Einav Cohen


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 19619 0 None None None Never
oVirt gerrit 19620 0 None None None Never
oVirt gerrit 21911 0 None None None Never
oVirt gerrit 23142 0 None None None Never
oVirt gerrit 23383 0 None None None Never

Description Frantisek Kobzik 2013-11-27 12:48:04 UTC
Option to enable/disable guest agent SSO.

The feature can be controlled per VM/Template via New/Edit VM/Template popup.

Comment 1 Frantisek Kobzik 2013-11-27 13:19:39 UTC
Design page:

http://www.ovirt.org/Features/SSO_Method_Control

Comment 2 Itamar Heim 2013-12-01 20:13:41 UTC
moving back to POST, I don't see a patch handling the REST API for this

Comment 3 Frantisek Kobzik 2013-12-02 12:05:07 UTC
backend part merged U/S: 4b7438c095b942b969cdc4091944353637101806
frontend part merged U/S: abd645d5af8a5e4f7986bef00f470171a63be823

Comment 4 Michal Skrivanek 2014-01-17 13:40:07 UTC
patch 21911 needs backport to ovirt-3.4

Comment 5 Einav Cohen 2014-01-26 00:02:53 UTC
Created attachment 855564
screen-shot: SSO method

Comment 6 Einav Cohen 2014-01-26 00:43:45 UTC
ovirt-3.4 test day results:

- New/Edit VM dialog now has a new "Single Sign On method" field (see attachment 855564).

- tested a F19 VM with guest agent and a Blank VM with no guest agent. 

- tested web-admin, power-user portal and user portal. 

- results:

  * SSO (VmLogonCommand) was invoked only when all of the following were fulfilled:

    ~ SSO Method was set to 'guest agent'
    ~ VM had an agent installed
    ~ Connection was initiated from the UP or PUP

full results table below:

VM            SSO Method        web-admin      UP            PUP
--            ----------        ---------      --            ---
w/ agent      guest agent       no sso [1]     sso [2]       sso [2]
w/ agent      none              no sso [1]     no sso [1]    no sso [1]
w/o agent     guest agent       no sso [1]     no sso [1]    no sso [1]
w/o agent     none              no sso [1]     no sso [1]    no sso [1]

** due to time constraints, the actual SSO wasn't tested; however, to my understanding, the SSO procedure itself hasn't been changed as part of this feature implementation **

[1] output from engine.log looked like the following:
...
2014-01-24 16:44:34,158 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [377925ac] Running command: SetVmTicketCommand internal: false. Entities affected :  ID: b55991ee-e29e-44b1-9bbc-c02fce37aad4 Type: VM
2014-01-24 16:44:34,166 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [377925ac] START, SetVmTicketVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=b55991ee-e29e-44b1-9bbc-c02fce37aad4, ticket=DNqAAYwf9HLM, validTime=120,m userName=admin, userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 4a9534c
2014-01-24 16:44:34,214 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [377925ac] FINISH, SetVmTicketVDSCommand, log id: 4a9534c
2014-01-24 16:44:34,227 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-1) [377925ac] Correlation ID: 377925ac, Call Stack: null, Custom Event ID: -1, Message: user admin initiated console session for VM no-agent
2014-01-24 16:44:45,066 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-54) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal is connected to VM no-agent.
...

[2] output from engine.log looked like the following:
...
2014-01-24 16:46:08,509 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [6840f287] Running command: SetVmTicketCommand internal: false. Entities affected :  ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,519 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [6840f287] START, SetVmTicketVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=e635b41a-a4f5-4e35-84fd-a6954036e221, ticket=/dMZXjgsMnoK, validTime=120,m userName=admin, userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 9170ba7
2014-01-24 16:46:08,568 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [6840f287] FINISH, SetVmTicketVDSCommand, log id: 9170ba7
2014-01-24 16:46:08,583 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-1) [6840f287] Correlation ID: 6840f287, Call Stack: null, Custom Event ID: -1, Message: user admin initiated console session for VM fedora19-vm
2014-01-24 16:46:08,654 WARN  [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (ajp--127.0.0.1-8702-1) [4730c340] The message key VmLogon is missing from bundles/ExecutionMessages
2014-01-24 16:46:08,670 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (ajp--127.0.0.1-8702-1) [4730c340] Running command: VmLogonCommand internal: false. Entities affected :  ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,677 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (ajp--127.0.0.1-8702-1) [4730c340] START, VmLogonVDSCommand(HostName = host1-testday, HostId = 06cd23b4-e284-4904-926a-f49791c23db0, vmId=e635b41a-a4f5-4e35-84fd-a6954036e221, domain=internal, password=******, userName=admin), log id: 172f6ea8
2014-01-24 16:46:08,713 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (ajp--127.0.0.1-8702-1) [4730c340] FINISH, VmLogonVDSCommand, log id: 172f6ea8
2014-01-24 16:46:16,598 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-56) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal is connected to VM fedora19-vm.
...
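
An added example, not part of the original comment or of the oVirt code base: one way to check engine.log for the behaviour reported above, that a console session (SetVmTicketCommand) is followed by a credential hand-off to the guest agent (VmLogonCommand) only for VMs where SSO is enabled. The sample lines are abridged from the excerpts in comment 6; the function names and the set of SSO-disabled VM IDs passed in are assumptions of this example.

```python
import re

# Sample input: the three "Running command" lines from the excerpts in comment 6.
SAMPLE_LOG = """\
2014-01-24 16:44:34,158 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [377925ac] Running command: SetVmTicketCommand internal: false. Entities affected :  ID: b55991ee-e29e-44b1-9bbc-c02fce37aad4 Type: VM
2014-01-24 16:46:08,509 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [6840f287] Running command: SetVmTicketCommand internal: false. Entities affected :  ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
2014-01-24 16:46:08,670 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (ajp--127.0.0.1-8702-1) [4730c340] Running command: VmLogonCommand internal: false. Entities affected :  ID: e635b41a-a4f5-4e35-84fd-a6954036e221 Type: VM
"""

# Match only the bll-level commands; the *VDSCommand lines use another logger.
RUNNING = re.compile(
    r"\[org\.ovirt\.engine\.core\.bll\.(SetVmTicketCommand|VmLogonCommand)\]"
    r".*?Running command: \1 .*?ID: ([0-9a-f-]{36}) Type: VM"
)


def console_sessions(log_text):
    """Return {vm_id: {"tickets": n, "sso_logons": n}} from engine.log text."""
    stats = {}
    for line in log_text.splitlines():
        match = RUNNING.search(line)
        if not match:
            continue
        command, vm_id = match.groups()
        entry = stats.setdefault(vm_id, {"tickets": 0, "sso_logons": 0})
        key = "tickets" if command == "SetVmTicketCommand" else "sso_logons"
        entry[key] += 1
    return stats


def sso_violations(log_text, sso_disabled_vm_ids):
    """VM IDs expected to have SSO disabled that still saw a VmLogonCommand.

    sso_disabled_vm_ids is supplied by the caller (e.g. from VM inventory);
    how it is obtained is outside this example.
    """
    stats = console_sessions(log_text)
    return sorted(
        vm_id for vm_id in sso_disabled_vm_ids
        if stats.get(vm_id, {}).get("sso_logons", 0) > 0
    )


if __name__ == "__main__":
    print(console_sessions(SAMPLE_LOG))
    print(sso_violations(SAMPLE_LOG, {"b55991ee-e29e-44b1-9bbc-c02fce37aad4"}))
```
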

Comment 7 Einav Cohen 2014-01-26 01:11:40 UTC
Franta - one note: In the engine.log, right before the VmLogonCommand invocation message, I see the following WARN message: 

2014-01-24 16:46:08,654 WARN  [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (ajp--127.0.0.1-8702-1) [4730c340] The message key VmLogon is missing from bundles/ExecutionMessages

not sure what it means - maybe worth looking into it. 

Thanks.

Comment 8 Frantisek Kobzik 2014-01-28 08:20:22 UTC
Hi Einav,

thanks for the very detailed information. The results are correct (the fact sso didn't work in webadmin is intended as we don't provide this feature for webadmin).

As for the WARN message, it shouldn't have anything to do with the patch. IIUC it's only saying we don't have a sane message describing the VmLogon action name in logs (and we simply print "VmLogon" instead). Maybe it could be worth it to add some message to the bundle...

Comment 9 Sandro Bonazzola 2014-03-31 15:04:28 UTC
This is an automated message: moving to Closed CURRENT_RELEASE since oVirt 3.4.0 has been released.

