Bug 1340963 - configuring SSO integration cause API failure in engine-image-uploader
Summary: configuring SSO integration cause API failure in engine-image-uploader
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-image-uploader
Version: 3.6.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.0.4
Target Release: 4.0.4
Assignee: Rafael Martins
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1364471 1371477
Reported: 2016-05-31 01:17 UTC by Paul Armstrong
Modified: 2016-09-28 22:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
With this update, the authentication and image upload to ovirt-engine instances with Kerberos SSO enabled has been fixed.
Clone Of:
: 1364471
Environment:
Last Closed: 2016-09-28 22:17:45 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:1951 | 0 | normal | SHIPPED_LIVE | ovirt-image-uploader bug fix update for RHV 4.0.4 | 2016-09-29 01:21:58 UTC
oVirt gerrit | 61324 | 0 | master | MERGED | ovirt-image-uploader: added --with-kerberos engine option | 2020-07-15 11:05:03 UTC
oVirt gerrit | 61909 | 0 | ovirt-image-uploader-4.0 | MERGED | ovirt-image-uploader: added --with-kerberos engine option | 2020-07-15 11:05:03 UTC

Description Paul Armstrong 2016-05-31 01:17:24 UTC
Description of problem: When rhevm is configured for IPA/IdM integration with Kerberos SSO, image-uploader fails with 401 Unauthorized.


Version-Release number of selected component (if applicable):
rhevm appliance with 3.6.5.x

How reproducible:
always


Steps to Reproduce:
1. Configure SSO integration with IdM as outlined in the documentation
2. Test and configure users
3. kinit on the rhevm host
4. Configure appropriate exports storage domain
5. try to upload image

Actual results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
ERROR: Unable to connect to REST API at https://rhevm.parmstro.redhat.com:443/api
Host returned a 401 Unauthorized error.
Please check the provided username and password.


Expected results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
Uploading: [########################################] 100%


Additional info:
Modifying the /etc/ovirt-engine/aaa/ovirt-sso.conf file to remove api from the Location element corrects the problem. Image upload (and ISO upload) now succeed.

Comment 1 Paul Armstrong 2016-05-31 01:25:10 UTC
The expected behaviour should be that:

1) Depending on the configuration of the system:
  a) if allowing only kerberos authenticated users
    i) the user should not be prompted for admin@internal password
    ii) if the user executing engine-image-uploader is not authorized the user should get an error that kerberos authentication failed.

  b) if allowing both kerberos and internal login
    i) if the user executing the engine-image-uploader is not authorized
       a) if the commandline has -u user@domain - prompt for password
       b) if the commandline does not specify -u - prompt for admin@internal password

My $0.02 CAD :-)

Comment 2 Yaniv Lavi 2016-06-27 12:31:38 UTC
Please provide a work estimation to fix this issue.

Comment 3 Yaniv Lavi 2016-06-30 08:51:58 UTC
If this is not fixed for 3.6 we will be closing this since this tool is being deprecated in 4.0 for the UI\API image uploader.

Comment 4 Yaniv Kaul 2016-07-11 10:55:19 UTC
(In reply to Yaniv Dary from comment #3)
> If this is not fixed for 3.6 we will be closing this since this tool is
> being deprecated in 4.0 for the UI\API image uploader.

Sandro? Please decide or close-wontfix please.

Comment 5 Yaniv Lavi 2016-07-14 08:22:58 UTC
What will happen if we remove the API reference from the ovirt-sso.conf?

Comment 6 Martin Perina 2016-07-14 08:53:09 UTC
(In reply to Yaniv Dary from comment #5)
> What will happen if we remove the API reference from the ovirt-sso.conf?

I don't follow, what do you mean by removing API reference? What's ovirt-sso.conf?

Comment 7 Yaniv Lavi 2016-07-14 09:10:20 UTC
(In reply to Martin Perina from comment #6)
> (In reply to Yaniv Dary from comment #5)
> > What will happen if we remove the API reference from the ovirt-sso.conf?
> 
> I don't follow, what do you mean by removing API reference? What's
> ovirt-sso.conf?

Please read the description of the issue.

Comment 8 Martin Perina 2016-07-14 11:29:28 UTC
Sorry, I completely missed that "Additional info" part. Here are my notes to that:

1. If you remove /api from Location, then kerberos SSO will definitely not work for RESTAPI. Please also bear in mind that doing that was not tested at all and other parts might also be affected.

2. AFAIK engine-image-uploader is using the Python SDK, and version 3.6 of the SDK should definitely support kerberos. So in theory the following changes need to be made in engine-image-uploader to use kerberos:

  a. Add --use-kerberos command line parameters
  b. If --use-kerberos is present, then don't ask for username/password
  c. If --use-kerberos is present, then you need to pass "kerberos=True" during API initialization

Above should be enough to fix the issue. Juan, am I right?

Comment 9 Juan Hernández 2016-07-14 15:43:24 UTC
Yes, the changes that Martin suggests should solve the problem, version 3.6 of the SDK supports Kerberos, assuming that the engine is configured properly.

Comment 10 Yaniv Lavi 2016-07-17 12:22:52 UTC
Will it work to create a kerberos ticket prior to using the tool?

Comment 11 Martin Perina 2016-07-18 07:48:09 UTC
You need to obtain a kerberos ticket and you also need to pass "kerberos=True" when initializing the API, otherwise the API will not use kerberos to connect to the engine.
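
The three changes listed in comment 8, together with the ticket requirement from comment 11, as an added example that is not the ovirt-image-uploader code and not part of any comment. The names build_api_kwargs and has_kerberos_ticket, the ticket check via `klist -s`, and the engine URL are assumptions made for illustration; only the `--with-kerberos` option, `-u`, the password prompt and `kerberos=True` come from this page.

```python
import argparse
import getpass
import subprocess

DEFAULT_USER = "admin@internal"  # default user named in the tool's prompt


def has_kerberos_ticket():
    """True if the credential cache holds a valid ticket (klist -s is silent)."""
    try:
        return subprocess.call(["klist", "-s"]) == 0
    except OSError:  # klist is not installed on this host
        return False


def build_api_kwargs(argv, url, ask_password=getpass.getpass,
                     ticket_check=has_kerberos_ticket):
    """Return the keyword arguments to pass to the SDK at API initialization."""
    parser = argparse.ArgumentParser(prog="uploader-sketch")
    parser.add_argument("--with-kerberos", action="store_true")
    parser.add_argument("-u", "--user", default=DEFAULT_USER)
    opts = parser.parse_args(argv)

    if opts.with_kerberos:
        # Comment 8, steps b and c: no credential prompt, kerberos=True instead.
        # Comment 11: a ticket must already exist, so fail early with a clear
        # message rather than letting the engine answer 401.
        if not ticket_check():
            raise SystemExit("No valid Kerberos ticket found; run kinit first.")
        return {"url": url, "kerberos": True}

    # Password path: prompt for the selected (or default) user.
    prompt = "Please provide the REST API password for the %s user: " % opts.user
    return {"url": url, "username": opts.user, "password": ask_password(prompt)}


if __name__ == "__main__":
    import sys
    # Constructed URL; with the 3.6 SDK the result would be used as
    #   from ovirtsdk.api import API; api = API(**kwargs)
    kwargs = build_api_kwargs(sys.argv[1:], "https://engine.example.com/api")
    print(sorted(kwargs))  # print key names only, never the password
```
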

Comment 14 Gonza 2016-09-15 11:29:22 UTC
Verified with:
rhevm-4.0.4.2-0.1.el7ev.noarch

# engine-image-uploader --with-kerberos -e gr06 upload rhevm-appliance-20160831.0-1.x86_64.rhevm.ova 
WARNING: ovirt-image-uploader is deprecated in 4.0 and will be removed in 4.1
Uploading: [########################################] 100%

Comment 16 errata-xmlrpc 2016-09-28 22:17:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1951.html