Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1340963

Summary: configuring SSO integration cause API failure in engine-image-uploader
Product: Red Hat Enterprise Virtualization Manager Reporter: Paul Armstrong <parmstro>
Component: ovirt-image-uploaderAssignee: Rafael Martins <rmartins>
Status: CLOSED ERRATA QA Contact: Gonza <grafuls>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.6.5CC: gklein, grafuls, juan.hernandez, lsurette, lsvaty, melewis, mperina, rbalakri, Rhev-m-bugs, rmartins, sbonazzo, srevivo, ykaul, ylavi
Target Milestone: ovirt-4.0.4Keywords: ZStream
Target Release: 4.0.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
With this update, the authentication and image upload to ovirt-engine instances with Kerberos SSO enabled has been fixed.
 Story Points: ---
Clone Of:
: 1364471 (view as bug list) Environment:
Last Closed: 2016-09-28 22:17:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1364471, 1371477    

Description Paul Armstrong 2016-05-31 01:17:24 UTC 
Description of problem: When rhevm is configured for IPA/IdM integration with kerberos SSO image-uploader fails with 401 Unauthorized


Version-Release number of selected component (if applicable):
rhevm appliance with 3.6.5.x

How reproducible:
always


Steps to Reproduce:
1. Configure SSO integration with IdM as outlined in the documentation
2. Test and configure users
3. kinit on the rhevm host
4. Configure appropriate exports storage domain
5. try to upload image

Actual results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
ERROR: Unable to connect to REST API at https://rhevm.parmstro.redhat.com:443/api
Host returned a 401 Unauthorized error.
Please check the provided username and password.


Expected results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
Uploading: [########################################] 100%


Additional info:
Modifying the /etc/ovirt-engine/aaa/ovirt-sso.conf file to remove api from the Location element corrects the problem. Image upload (and ISO upload) now succeed.
Comment 1 Paul Armstrong 2016-05-31 01:25:10 UTC 
The expected behaviour should be that:

1) Depending on the configuration of the system:
  a) if allow only kerberos authenticated users 
    i) the user should not be prompted for admin@internal password
    ii) if the user executing engine-image-uploader is not authorized the user should get an error that kerberos authentication failed.

  b) if allowing both kerberos and internal login
    i) if the user executing the engine-image-uploader is not authorized
       a) if the commandline has -u user@domain - prompt for password
       b) if the commandline does not specify -u - prompt for admin@internal password

My $0.02 CAD :-)
Comment 2 Yaniv Lavi 2016-06-27 12:31:38 UTC 
Please provide a work estimation to fix this issue.
Comment 3 Yaniv Lavi 2016-06-30 08:51:58 UTC 
If this is not fixed for 3.6 we will be closing this since this tool is being deprecated in 4.0 for the UI\API image uploader.
Comment 4 Yaniv Kaul 2016-07-11 10:55:19 UTC 
(In reply to Yaniv Dary from comment #3)
> If this is not fixed for 3.6 we will be closing this since this tool is
> being deprecated in 4.0 for the UI\API image uploader.

Sandro? Please decide or close-wontfix please.
Comment 5 Yaniv Lavi 2016-07-14 08:22:58 UTC 
What will happen if we remove the API reference from the ovirt-sso.conf?
Comment 6 Martin Perina 2016-07-14 08:53:09 UTC 
(In reply to Yaniv Dary from comment #5)
> What will happen if we remove the API reference from the ovirt-sso.conf?

I don't follow, what do you mean by removing API reference? What's ovirt-sso.conf?
Comment 7 Yaniv Lavi 2016-07-14 09:10:20 UTC 
(In reply to Martin Perina from comment #6)
> (In reply to Yaniv Dary from comment #5)
> > What will happen if we remove the API reference from the ovirt-sso.conf?
> 
> I don't follow, what do you mean by removing API reference? What's
> ovirt-sso.conf?

Please read the description of the issue.
Comment 8 Martin Perina 2016-07-14 11:29:28 UTC 
Sorry, I completely missed that "Additional info" part. Here are my notes to that:

1. If you remove /api from Location, then kerberos SSO will definitely not work for RESTAPI. Please also bear in mind that doing that was not tested at all and also other part might be affected.

2. AFAIK engine-image-uploader is using Python SDK and version 3.6 of the SDK should definitely support kerberos. So in theory following changes are needed to be done in engine-image-uploader to use kerberos:

  a. Add --use-kerberos command line parameters
  b. If --use-kerberos is present, then don't ask for username/password
  c. If --use-kerberos is present, then you need to pass "kerberos=True" during API initialization

Above should be enough to fix the issue. Juan, am I right?
Comment 9 Juan Hernández 2016-07-14 15:43:24 UTC 
Yes, the changes that Martin suggests should solve the problem, version 3.6 of the SDK supports Kerberos, assuming that the engine is configured properly.
Comment 10 Yaniv Lavi 2016-07-17 12:22:52 UTC 
Will it work to create a kerberos ticket prior to using the tool?
Comment 11 Martin Perina 2016-07-18 07:48:09 UTC 
You need to obtain kerberos ticket and you also need to pass "kerberos=True" when initializing API, otherwise API will not use kerberos to connect to engine.
Comment 14 Gonza 2016-09-15 11:29:22 UTC 
Verified with:
rhevm-4.0.4.2-0.1.el7ev.noarch

# engine-image-uploader --with-kerberos -e gr06 upload rhevm-appliance-20160831.0-1.x86_64.rhevm.ova 
WARNING: ovirt-image-uploader is deprecated in 4.0 and will be removed in 4.1
Uploading: [########################################] 100%
Comment 16 errata-xmlrpc 2016-09-28 22:17:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1951.html