Bug 1285889 - [AAA][RestAPI] Remove support of SPNEGO directly to RestAPI
[AAA][RestAPI] Remove support of SPNEGO directly to RestAPI
Status: NEW
Product: ovirt-engine
Classification: oVirt
Component: RestAPI (Show other bugs)
Unspecified Unspecified
unspecified Severity medium (vote)
: ovirt-4.4.0
: ---
Assigned To: Ravi Nori
Depends On:
Blocks: 1455534
  Show dependency treegraph
Reported: 2015-11-26 16:15 EST by Alon Bar-Lev
Modified: 2018-01-04 09:01 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mperina: ovirt‑4.4?
rule-engine: planning_ack?
rule-engine: devel_ack?
lsvaty: testing_ack+

Attachments (Terms of Use)

  None (edit)
Description Alon Bar-Lev 2015-11-26 16:15:22 EST
Since 3.5 we support direct SPNEGO to RestAPI.
In 4.0 we have SSO service that among other supports SNEGO.
As a result there is no need to support any authentication method but Basic and Bearer within our webapp.
Removing other authentication methods will enable us to remove all Authn/Authz extensions from BLL space, and stop using the login-on-behalf of SSO, removing this sensitive privilege from RestAPI client.

Juan, once this is ACKed, rnori can remove the necessary code.
Comment 1 Red Hat Bugzilla Rules Engine 2015-11-27 01:06:45 EST
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 2 Red Hat Bugzilla Rules Engine 2015-11-30 17:37:40 EST
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.
Comment 4 Juan Hernández 2016-04-06 07:17:52 EDT
This support can't be removed from the engine before we remove the support for version 3 of the API, and that won't happen before 4.1, so I'm re-targeting.

Note You need to log in before you can comment on or make changes to this bug.