Description of problem: Customer wants to use kerberos ticket cache to perform authorization via gssapi. This RFE is to request to help provide such a means to Customers.
In 3.6 the only way is to modify file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' and add there a new security-domain as follows:

    <security-domain name="oVirtKerbAAA">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="useTicketCache" value="true"/>
          <!-- Specify a path to the ticket cache if they don't want to use the default (default is: '/tmp/krb5cc_{ovirt.uid}') -->
          <module-option name="ticketCache" value="/path/to/ticket_cache"/>
        </login-module>
      </authentication>
    </security-domain>

Then configure the authz pool as follows:

    ...
    pool.authz.auth.type = gssapi
    pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
    ...

Important note - file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is overridden when the engine is upgraded, so their changes will be lost after every upgrade.

In 4.0 we will provide new configuration options, so they don't have to change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', so their configuration will persist. We prepare a predefined security-domain in the jboss configuration and they can change the specific values which they need. The following options can be modified:

    # Used to specify if ticket cache should be used to authenticate
    AAA_JAAS_USE_TICKET_CACHE=false

    # Used to specify special ticket cache file, instead of default (default is /tmp/krb5cc_{ovirt.uid})
    AAA_JAAS_TICKET_CACHE=

    # Used to specify if key tab file should be used to authenticate
    AAA_JAAS_USE_KEYTAB=false

    # Used to specify special path to keytab, instead of default (default is {ovirt.home}{file.separator}krb5.keytab)
    AAA_JAAS_KEYTAB=

    # Used to rewrite default path to krb5.conf (default is /etc/krb5.conf)
    AAA_KRB5_CONF=

Authz pool configuration remains the same as in 3.6.
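The 4.0 options above point the engine's JAAS login module at files that hold the engine's Kerberos credentials, so before enabling them it is worth checking that those files are not readable by other local accounts, and then writing the options as a drop-in fragment instead of editing ovirt-engine.xml.in. The script below is an added example and is not code from this bug report or from the oVirt project; it assumes that drop-in files are read from /etc/ovirt-engine/engine.conf.d/ (a path the report does not mention), that GNU stat is available, and it invents the function names, the RUN_AAA_CHECK guard variable and the sample paths /var/lib/ovirt-engine/krb5cc and /etc/ovirt-engine/krb5.keytab.

```shell
#!/bin/sh
# Added example (not from the bug report or from oVirt): check the credential
# files that the 4.0 AAA_JAAS_* options point at, then print the drop-in
# fragment that replaces the 3.6 hand edit of ovirt-engine.xml.in.
# Assumption (not stated in the report): drop-in files are read by the engine
# from /etc/ovirt-engine/engine.conf.d/.

# Return 0 when PATH is a regular file whose group/other permission bits are
# all zero. A ticket cache or keytab is a credential: any group/other bit
# lets another local account act as the engine's service principal.
check_credential_file() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "missing credential file: $path" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$path") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "group/other bits set (mode $mode): $path" >&2
             return 1 ;;
    esac
}

# Print the engine.conf.d fragment. Arguments: ticket cache path and keytab
# path; an empty string leaves that mechanism disabled (the 4.0 default).
# Values are quoted so a space in a path cannot split the assignment.
render_aaa_jaas_conf() {
    cache="$1"
    keytab="$2"
    if [ -n "$cache" ]; then
        printf 'AAA_JAAS_USE_TICKET_CACHE=true\n'
        printf 'AAA_JAAS_TICKET_CACHE="%s"\n' "$cache"
    fi
    if [ -n "$keytab" ]; then
        printf 'AAA_JAAS_USE_KEYTAB=true\n'
        printf 'AAA_JAAS_KEYTAB="%s"\n' "$keytab"
    fi
}

# Stand-alone use: RUN_AAA_CHECK=1 sh aaa-kerberos-check.sh [cache] [keytab]
# Only prints the fragment when every given file passed the permission check.
main() {
    cache="${1:-}"
    keytab="${2:-}"
    rc=0
    [ -z "$cache" ]  || check_credential_file "$cache"  || rc=1
    [ -z "$keytab" ] || check_credential_file "$keytab" || rc=1
    # Show which principal the cache holds, so the identity the authz pool
    # will bind with is known before the engine uses it (klist is MIT
    # Kerberos; skipped when it is not installed).
    if [ -n "$cache" ] && command -v klist >/dev/null 2>&1; then
        klist -c "$cache" || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        render_aaa_jaas_conf "$cache" "$keytab"
    fi
    return "$rc"
}

if [ "${RUN_AAA_CHECK:-0}" = "1" ]; then
    main "$@"
fi
```

Redirect the output of a successful run into a file under /etc/ovirt-engine/engine.conf.d/ (path assumed here), restart the engine, and then confirm the bind works with the same ovirt-engine-extensions-tool aaa search command used in the verification comment below; the permission check deliberately rejects a cache copied from a user's /tmp/krb5cc_* with its original group bits intact.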
(In reply to Ondra Machacek from comment #1)
...
> Important note - file
> '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in' is
> overridden when
> engine is upgraded so their changes will be lost after every upgrade.
>
> In 4.0 we will provide new configuration options, so they don't have to
> change '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in',
> so their configuration will persist. We prepare predefined security-domain
> in jboss configuration and they can change specific values, which they need.

So what will the upgrade (migration actually) from 3.6 to 4.0 look like? Or doesn't it matter, because customers were used to getting their config lost on upgrade?
If anyone ever modified file '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in', he lost his modification when updating package 'rhevm-backend'. So yes, the modification is lost on upgrade. This is why this bug is for 4.0 and not for 3.6. In 4.0 no one has to modify ovirt-engine.xml.in in order to make gssapi work with a ticket cache.
Moving back to post, we also need to handle the extension-tool use case.
Changes were done only on the engine side, so moving to the ovirt-engine component.
Verified with:
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev
rhevm-4.0.2-0.1.rc.el7ev.noarch

# ovirt-engine-extensions-tool aaa search --entity-name=vdcadmin --extension-name=ipa.redhat.com-authz
2016-07-27 13:24:19 INFO ========================================================================
2016-07-27 13:24:19 INFO ============================ Initialization ============================
2016-07-27 13:24:19 INFO ========================================================================
2016-07-27 13:24:20 INFO Loading extension 'internal-authn'
2016-07-27 13:24:20 INFO Extension 'internal-authn' loaded
2016-07-27 13:24:20 INFO Loading extension 'ipa.redhat.com-authn'
2016-07-27 13:24:20 INFO Extension 'ipa.redhat.com-authn' loaded
2016-07-27 13:24:20 INFO Loading extension 'internal-authz'
2016-07-27 13:24:20 INFO Extension 'internal-authz' loaded
2016-07-27 13:24:21 INFO Loading extension 'ipa.redhat.com-authz'
2016-07-27 13:24:21 INFO Extension 'ipa.redhat.com-authz' loaded
2016-07-27 13:24:21 INFO Initializing extension 'internal-authn'
2016-07-27 13:24:22 INFO Extension 'internal-authn' initialized
2016-07-27 13:24:22 INFO Initializing extension 'ipa.redhat.com-authn'
2016-07-27 13:24:22 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] Creating LDAP pool 'authn'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authn::ipa.redhat.com-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO Extension 'ipa.redhat.com-authn' initialized
2016-07-27 13:24:24 INFO Initializing extension 'internal-authz'
2016-07-27 13:24:24 INFO Extension 'internal-authz' initialized
2016-07-27 13:24:24 INFO Initializing extension 'ipa.redhat.com-authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Creating LDAP pool 'authz'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.2.11.15 B2013.289.33'
2016-07-27 13:24:24 INFO [ovirt-engine-extension-aaa-ldap.authz::ipa.redhat.com-authz] Available Namespaces: [dc=ipa,dc=redhat,dc=com]
2016-07-27 13:24:24 INFO Extension 'ipa.redhat.com-authz' initialized
2016-07-27 13:24:24 INFO Start of enabled extensions list
2016-07-27 13:24:24 INFO Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'ipa.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authn.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO Instance name: 'ipa.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/ipa.redhat.com-authz.properties', Initialized: 'true'
2016-07-27 13:24:24 INFO End of enabled extensions list
2016-07-27 13:24:24 INFO ========================================================================
2016-07-27 13:24:24 INFO ============================== Execution ===============================
2016-07-27 13:24:24 INFO ========================================================================
2016-07-27 13:24:24 INFO Iteration: 0
2016-07-27 13:24:25 INFO --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-07-27 13:24:25 INFO --- Begin QueryFilterRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-07-27 13:24:25 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO --- End QueryFilterRecord ---
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=ipa,dc=redhat,dc=com'
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2016-07-27 13:24:25 INFO --- Begin PrincipalRecord ---
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vdcadmin
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: ucet
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_EMAIL: xxx
2016-07-27 13:24:25 INFO AAA_LDAP_UNBOUNDID_DN: uid=vdcadmin,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=ipa,dc=redhat,dc=com
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_ID: e32a2998-e85b-11e0-ade4-001a4a013f11
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: nas ucet
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_NAME: vdcadmin
2016-07-27 13:24:25 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: nas
2016-07-27 13:24:25 INFO --- End PrincipalRecord ---
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2016-07-27 13:24:25 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2016-07-27 13:24:25 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1749.html