Bug 1145239 - [RFE] CLI: Add support for Kerberos authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-cli
Version: 3.5.0
Hardware: Unspecified Unspecified
Priority: unspecified Severity: unspecified
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assigned To: Juan Hernández
QA Contact: Jiri Belka
Keywords: FutureFeature
Depends On: 1145234
Blocks: 1252761
Reported: 2014-09-22 11:35 EDT by Juan Hernández
Modified: 2016-03-09 14:54 EST
Fixed In Version: ovirt-engine-cli-3.6.0.0-0.1
Doc Type: Enhancement
Doc Text:
Previously, the CLI did not support authentication to a RHEV-M server that was configured with Kerberos and only supported authentication using a username and password. Now, the CLI supports authentication using a previously obtained Kerberos ticket by specifying the --kerberos command line option.
Last Closed: 2016-03-09 14:54:26 EST
Type: Bug
oVirt Team: Infra
sherold: Triaged+

External Trackers

| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| oVirt gerrit | 33417 | master | MERGED | cli: Add support for Kerberos authentication | Never |
| Red Hat Product Errata | RHEA-2016:0406 | normal | SHIPPED_LIVE | rhevm-cli bug fix and enhancement update | 2016-03-09 19:04:32 EST |

Description Juan Hernández 2014-09-22 11:35:10 EDT
The CLI should be able to take the credentials from the Kerberos cache and use them to authenticate against a Kerberos protected engine.

The flow will be as follows:

1. The user obtains a ticket granting ticket from the Kerberos realm, using the "kinit" command or any other tool.

2. The user uses the CLI including in the command line or in the configuration file an option indicating that Kerberos should be used:

  $ ovirt-shell --kerberos ...

3. The CLI takes the credentials from the Kerberos cache and uses them to authenticate to the oVirt Engine server.

Note that no user name or password will be provided to the CLI in this case, and that obtaining the initial TGT will not be the responsibility of the CLI.
Comment 1 Jiri Belka 2015-08-04 04:42:31 EDT
ok, ovirt-engine-cli-3.6.0.0-0.2.20150518.gite3609e3.el6.noarch

[jirib@om-ovirt36 ~]$ ovirt-shell --kerberos -l https://`hostname`/api -c -A /etc/pki/ovirt-engine/ca.pem -E "list vms"
[oVirt shell (connected)]# list vms

id         : 0ad991ea-ebe7-4f5d-b46e-a6c70f178836
name       : vm

[jirib@om-ovirt36 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: vdcadmin@BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM

Valid starting     Expires            Service principal
08/04/15 10:12:25  08/05/15 10:12:25  krbtgt/BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM@BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM
        renew until 08/04/15 10:12:25
08/04/15 10:12:34  08/05/15 10:12:25  HTTP/om-ovirt36.rhev.lab.eng.brq.redhat.com@
        renew until 08/04/15 10:12:25
08/04/15 10:12:34  08/05/15 10:12:25  HTTP/om-ovirt36.rhev.lab.eng.brq.redhat.com@BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM
        renew until 08/04/15 10:12:25

[jirib@om-ovirt36 ~]$ awk '$NF != "False" && !/^#/ { print }' .ovirtshellrc 
[cli]
autoconnect = True
[ovirt-shell]
timeout = None
url = https://om-ovirt36.rhev.lab.eng.brq.redhat.com/ovirt-engine/api
kerberos = True
session_timeout = None
ca_file = /etc/pki/ovirt-engine/ca.pem
key_file = None
cert_file = None
[jirib@om-ovirt36 ~]$ ovirt-shell -E "list vms"
[oVirt shell (connected)]# list vms

id         : 0ad991ea-ebe7-4f5d-b46e-a6c70f178836
name       : vm

[jirib@om-ovirt36 ~]$ ovirt-shell --help 2>&1 | grep kerberos
  --kerberos            use Kerberos authentication

https://polarion.engineering.redhat.com/polarion/#/project/RHEVM3/testrun?id=jbelka_ovirtcli_krb5
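
An added example, not part of the bug report or of ovirt-engine-cli: a small Python audit of an `.ovirtshellrc` like the one shown in comment 1, checking that a Kerberos-enabled profile keeps no password on disk and still pins the engine CA over HTTPS. The `password` and `insecure` key names, the `audit_rc` helper and the sample host are assumptions.

```python
import configparser

# Constructed sample modelled on the .ovirtshellrc shown in comment 1.
# The "password" and "insecure" keys checked below are assumed names.
SAMPLE_RC = """\
[cli]
autoconnect = True
[ovirt-shell]
url = https://engine.example.com/ovirt-engine/api
kerberos = True
ca_file = /etc/pki/ovirt-engine/ca.pem
key_file = None
cert_file = None
"""

def _unset(value):
    """The rc file writes unset options as the literal string 'None'."""
    return value is None or value.strip() in ("", "None")

def audit_rc(text):
    """Return a list of findings for an ovirt-shell rc file (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ovirt-shell"):
        return ["no [ovirt-shell] section"]
    opts = cp["ovirt-shell"]
    findings = []
    kerberos = opts.get("kerberos", "False").strip().lower() == "true"
    if not kerberos:
        findings.append("kerberos is not enabled; password authentication applies")
    # With Kerberos the ticket cache is the credential, so a stored
    # password is an unnecessary secret on disk.
    if kerberos and not _unset(opts.get("password")):
        findings.append("password stored although kerberos = True")
    if not opts.get("url", "").lower().startswith("https://"):
        findings.append("url is not https; session is not protected by TLS")
    if _unset(opts.get("ca_file")):
        findings.append("ca_file unset; engine CA certificate not configured")
    if opts.get("insecure", "False").strip().lower() == "true":
        findings.append("insecure = True (assumed key) weakens TLS verification")
    return findings

if __name__ == "__main__":
    for finding in audit_rc(SAMPLE_RC) or ["no findings"]:
        print(finding)
```
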
Comment 3 errata-xmlrpc 2016-03-09 14:54:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0406.html
