The Java SDK should be able to take the credentials from the Kerberos cache and use them to authenticate against a Kerberos protected engine. The flow will be as follows:

1. The user obtains a ticket granting ticket from the Kerberos realm, using the "kinit" command or any other tool.

2. The user uses the Python SDK, including in the constructor of the Api object a parameter that indicates that Kerberos authentication is to be used:

     Api api = new Api(
       "https://fedora.example.com/ovirt-engine/api",
       ...
     );
     api.setUseKerberos(true);

3. The Java SDK takes the credentials from the Kerberos cache and uses them to authenticate to the oVirt Engine server.

Note that no user name or password will be provided to the Java SDK in this case, and that obtaining the initial TGT will not be the responsibility of the Java SDK.
It seems the authentication doesn't work. While using:

  Api api = new ApiBuilder()
      .url("https://engine_url:443/api")
      .user("user@domain")
      .password("password")
      .noHostVerification(true)
      .build();
  System.out.println("Authentication successful");
  api.shutdown();

for an engine without Kerberos auth set up works perfectly fine, the following code for an engine with Kerberos auth causes an error:

  Api api = new ApiBuilder()
      .url("https://engine_url:443/api")
      .kerberos(true)
      .noHostVerification(true)
      .build();
  System.out.println("Authentication successful");
  api.shutdown();

The error:

  Exception in thread "main" java.lang.NullPointerException
      at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:161)
      at org.apache.http.client.protocol.RequestAuthenticationBase.authenticate(RequestAuthenticationBase.java:120)
      at org.apache.http.client.protocol.RequestAuthenticationBase.process(RequestAuthenticationBase.java:83)
      at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:80)
      at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:131)
      at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:165)
      at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
      at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
      at org.ovirt.engine.sdk.web.ConnectionsPool.execute(ConnectionsPool.java:96)
      at org.ovirt.engine.sdk.web.HttpProxy.execute(HttpProxy.java:114)
      at org.ovirt.engine.sdk.web.HttpProxyBroker.get(HttpProxyBroker.java:415)
      at org.ovirt.engine.sdk.web.HttpProxyBroker.get(HttpProxyBroker.java:394)
      at org.ovirt.engine.sdk.Api.getEntryPoint(Api.java:656)
      at org.ovirt.engine.sdk.Api.initResources(Api.java:668)
      at org.ovirt.engine.sdk.Api.<init>(Api.java:615)
      at org.ovirt.engine.sdk.ApiBuilder.build(ApiBuilder.java:228)
      at rhev.RHEV.main(RHEV.java:29)
Was the environment configured as described in the commit message of the change that added the Kerberos support?

  sdk: Add support for Kerberos authentication
  https://gerrit.ovirt.org/33504

I'm reproducing the instructions here, just in case:

---8<---
Note that the Kerberos environment has to be configured correctly before calling the SDK and that the credentials cache has to be already populated, using the "kinit" command, for example.

In order to configure the environment two files are needed: the Kerberos configuration file and the JAAS configuration file.

The Kerberos configuration file will usually exist in "/etc/krb5.conf".

The JAAS configuration file probably won't exist. It needs to be created with content similar to this:

  com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

  com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

  com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

The location of this file isn't relevant, it just needs to be readable by the JVM; it can be, for example, located in "/etc/jaas.conf".

In addition to these files the following system properties have to be added to the JVM:

  -Djava.security.auth.login.config=/etc/jaas.conf
  -Djava.security.krb5.conf=/etc/krb5.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
--->8---
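As an added preflight check (not part of this bug thread or of the oVirt SDK), the following Java program sets the same three system properties described above, verifies that both configuration files are readable by the JVM, and performs a JAAS login through the "com.sun.security.jgss.initiate" entry so that a missing or expired ticket cache is reported before the SDK is involved. The paths /etc/jaas.conf and /etc/krb5.conf are assumed, as in the instructions above.

```java
import java.io.File;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosPreflight {
    // JAAS entry that JGSS uses when acting as a client; same name as in the jaas.conf above.
    private static final String JAAS_ENTRY = "com.sun.security.jgss.initiate";

    public static void main(String[] args) throws LoginException {
        // Same values as the -D flags above, set here so the check also runs without them.
        // Assumed paths: adjust if your files live elsewhere.
        System.setProperty("java.security.auth.login.config", "/etc/jaas.conf");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        requireReadable(System.getProperty("java.security.krb5.conf"));
        requireReadable(System.getProperty("java.security.auth.login.config"));

        // Krb5LoginModule with useTicketCache=true reads the cache populated by kinit,
        // so no callback handler (user name / password) is supplied here.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            throw new IllegalStateException("login succeeded but no Kerberos ticket was found in the cache");
        }
        for (KerberosTicket t : tickets) {
            System.out.println("principal: " + t.getClient()
                + ", ticket for: " + t.getServer()
                + ", expires: " + t.getEndTime()
                + (t.isCurrent() ? "" : " (EXPIRED)"));
        }
        lc.logout();
    }

    // Fails early with the offending path instead of an opaque error from the Kerberos layer.
    private static void requireReadable(String path) {
        File f = new File(path);
        if (!f.canRead()) {
            throw new IllegalStateException(path + " is missing or not readable by the JVM");
        }
    }
}
```

If this program fails, the SDK call in comment 1 will fail for the same reason; if it prints a current ticket, the problem lies in the SDK configuration rather than in the Kerberos environment.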
The environment I'm testing this on is configured correctly. The Kerberos authentication works in browser and Python SDK. I created the jaas.conf file and filled it with content mentioned in the RFE description. Both jaas.conf and krb5.conf files are world readable. In NetBeans I added the system properties to project->properties->run->VM options. With this configuration running code from comment 1 causes an exception.
Created attachment 1051820
Test script

I'm attaching a test script that should help in determining why authentication isn't working. Please adjust it for your environment, modifying the first few lines:

  url="https://engine36.example.com:443/ovirt-engine/api"
  realm="ENGINE36.EXAMPLE.COM"
  kdc="engine36.example.com"

Then run it and attach the resulting "test.log" file:

  $ sh test.sh &> test.log
Created attachment 1051833
test log

Here is the requested log.
Apparently in your environment the default Java compiler is Java 8, but the default Java virtual machine is less than 8, thus you get the following result when running the test:

  Exception in thread "main" java.lang.UnsupportedClassVersionError: Test : Unsupported major.minor version 52.0

This makes part of the results useless, as the Java program didn't actually run. Please make sure that your default Java compiler and virtual machine are the same, and preferably Java 7, as oVirt doesn't support Java 8 yet. You may need to use the "alternatives" command (as root) and select the right version:

  # alternatives --config java
  # alternatives --config javac

Check then that both the javac and java commands report the right version:

  $ javac -version
  $ java -version

Once this is fixed run the test again, and report the results.

By the way, I forgot to add the "-ex" option, please add it:

  $ sh -ex test.sh &> test.log
Created attachment 1051865
test log

I fixed the version settings and updated the log.
According to the latest log the Kerberos authentication worked correctly. So there must be some difference between the environment used in comment 1 and the environment created by the test script. Can you compare the krb5.conf and jaas.conf files that you are using with the ones generated by the test script? Also please try to enable the debug mode in your environment (adding .debug(true) when building the Api object) and repeat your test.
Created attachment 1051872
debug log

The .conf files I use are the same as the generated ones.
The latest attached log file shows successful Kerberos authentication. Should we move the bug to VERIFIED then?
I created bug 1243337 and I'm leaving this on ON_QA until it's solved.
Removed the "com.sun.security.jgss.accept" entry from the example "jaas.conf" configuration file, as that is needed only for servers accepting connections.
Verified on rhevm-sdk-java-javadoc-3.6.0.0-0.15.20150623gite9a4212.el6ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0405.html