Bug 1340963 - configuring SSO integration cause API failure in engine-image-uploader
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-image-uploader
3.6.5
Unspecified Unspecified
medium Severity medium
: ovirt-4.0.4
: 4.0.4
Assigned To: Rafael Martins
Gonza
: ZStream
Depends On:
Blocks: 1364471 1371477
Reported: 2016-05-30 21:17 EDT by Paul Armstrong
Modified: 2016-09-28 18:17 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
With this update, the authentication and image upload to ovirt-engine instances with Kerberos SSO enabled has been fixed.
Story Points: ---
Clone Of:
: 1364471
Environment:
Last Closed: 2016-09-28 18:17:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 61324 master MERGED ovirt-image-uploader: added --with-kerberos engine option 2016-08-03 07:47 EDT
oVirt gerrit 61909 ovirt-image-uploader-4.0 MERGED ovirt-image-uploader: added --with-kerberos engine option 2016-08-05 08:47 EDT
Red Hat Product Errata RHBA-2016:1951 normal SHIPPED_LIVE ovirt-image-uploader bug fix update for RHV 4.0.4 2016-09-28 21:21:58 EDT

Description Paul Armstrong 2016-05-30 21:17:24 EDT
Description of problem: When rhevm is configured for IPA/IdM integration with kerberos SSO image-uploader fails with 401 Unauthorized


Version-Release number of selected component (if applicable):
rhevm appliance with 3.6.5.x

How reproducible:
always


Steps to Reproduce:
1. Configure SSO integration with IdM as outlined in the documentation
2. Test and configure users
3. kinit on the rhevm host
4. Configure appropriate exports storage domain
5. try to upload image

Actual results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
ERROR: Unable to connect to REST API at https://rhevm.parmstro.redhat.com:443/api
Host returned a 401 Unauthorized error.
Please check the provided username and password.


Expected results:
engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
Uploading: [########################################] 100%


Additional info:
Modifying the /etc/ovirt-engine/aaa/ovirt-sso.conf file to remove api from the Location element corrects the problem. Image upload (and ISO upload) now succeed.
Comment 1 Paul Armstrong 2016-05-30 21:25:10 EDT
The expected behaviour should be that:

1) Depending on the configuration of the system:
  a) if allow only kerberos authenticated users 
    i) the user should not be prompted for admin@internal password
    ii) if the user executing engine-image-uploader is not authorized the user should get an error that kerberos authentication failed.

  b) if allowing both kerberos and internal login
    i) if the user executing the engine-image-uploader is not authorized
       a) if the commandline has -u user@domain - prompt for password
       b) if the commandline does not specify -u - prompt for admin@internal password

My $0.02 CAD :-)
Comment 2 Yaniv Lavi 2016-06-27 08:31:38 EDT
Please provide a work estimation to fix this issue.
Comment 3 Yaniv Lavi 2016-06-30 04:51:58 EDT
If this is not fixed for 3.6 we will be closing this since this tool is being deprecated in 4.0 for the UI\API image uploader.
Comment 4 Yaniv Kaul 2016-07-11 06:55:19 EDT
(In reply to Yaniv Dary from comment #3)
> If this is not fixed for 3.6 we will be closing this since this tool is
> being deprecated in 4.0 for the UI\API image uploader.

Sandro? Please decide or close-wontfix please.
Comment 5 Yaniv Lavi 2016-07-14 04:22:58 EDT
What will happen if we remove the API reference from the ovirt-sso.conf?
Comment 6 Martin Perina 2016-07-14 04:53:09 EDT
(In reply to Yaniv Dary from comment #5)
> What will happen if we remove the API reference from the ovirt-sso.conf?

I don't follow, what do you mean by removing API reference? What's ovirt-sso.conf?
Comment 7 Yaniv Lavi 2016-07-14 05:10:20 EDT
(In reply to Martin Perina from comment #6)
> (In reply to Yaniv Dary from comment #5)
> > What will happen if we remove the API reference from the ovirt-sso.conf?
> 
> I don't follow, what do you mean by removing API reference? What's
> ovirt-sso.conf?

Please read the description of the issue.
Comment 8 Martin Perina 2016-07-14 07:29:28 EDT
Sorry, I completely missed that "Additional info" part. Here are my notes to that:

1. If you remove /api from Location, then kerberos SSO will definitely not work for RESTAPI. Please also bear in mind that doing that was not tested at all and also other parts might be affected.

2. AFAIK engine-image-uploader is using Python SDK and version 3.6 of the SDK should definitely support kerberos. So in theory the following changes need to be made in engine-image-uploader to use kerberos:

  a. Add --use-kerberos command line parameters
  b. If --use-kerberos is present, then don't ask for username/password
  c. If --use-kerberos is present, then you need to pass "kerberos=True" during API initialization

Above should be enough to fix the issue. Juan, am I right?
Comment 9 Juan Hernández 2016-07-14 11:43:24 EDT
Yes, the changes that Martin suggests should solve the problem, version 3.6 of the SDK supports Kerberos, assuming that the engine is configured properly.
Comment 10 Yaniv Lavi 2016-07-17 08:22:52 EDT
Will it work to create a kerberos ticket prior to using the tool?
Comment 11 Martin Perina 2016-07-18 03:48:09 EDT
You need to obtain kerberos ticket and you also need to pass "kerberos=True" when initializing API, otherwise API will not use kerberos to connect to engine.
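
The change outlined in comments 8 and 11, as an added example that is not ovirt-image-uploader's own code: with `--with-kerberos` the tool skips the password prompt and passes `kerberos=True` to the SDK, otherwise it prompts as before. The helper names, the rejection of `-u` together with `--with-kerberos`, and the injectable `prompt` are assumptions; the SDK is not imported so the block runs offline.

```python
import argparse
import getpass

DEFAULT_USER = "admin@internal"  # the user the tool prompts for by default


def parse_args(argv):
    """Parse the subset of uploader options relevant to authentication."""
    p = argparse.ArgumentParser(prog="engine-image-uploader")
    p.add_argument("-u", "--user", default=None)
    p.add_argument("--with-kerberos", action="store_true",
                   help="authenticate with the caller's Kerberos ticket")
    p.add_argument("--insecure", action="store_true")
    return p.parse_args(argv)


def build_api_kwargs(url, args, prompt=getpass.getpass):
    """Return keyword arguments for the version 3 SDK's ovirtsdk.api.API().

    prompt is injectable so the password path can be exercised without a TTY.
    """
    kwargs = {"url": url, "insecure": args.insecure}

    if args.with_kerberos:
        # Assumption of this example: mixing -u with Kerberos is ambiguous,
        # so refuse it instead of silently ignoring one of the two.
        if args.user is not None:
            raise ValueError("-u cannot be combined with --with-kerberos")
        # No username/password: the SDK negotiates with the ticket obtained
        # beforehand via kinit, but only if kerberos=True is passed.
        kwargs["kerberos"] = True
        return kwargs

    user = args.user or DEFAULT_USER
    kwargs["username"] = user
    kwargs["password"] = prompt(
        "Please provide the REST API password for the %s oVirt Engine user "
        "(CTRL+D to abort): " % user)
    return kwargs


# Usage with the real SDK (not executed here):
#   from ovirtsdk.api import API
#   api = API(**build_api_kwargs(url, parse_args(sys.argv[1:])))
```
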
Comment 14 Gonza 2016-09-15 07:29:22 EDT
Verified with:
rhevm-4.0.4.2-0.1.el7ev.noarch

# engine-image-uploader --with-kerberos -e gr06 upload rhevm-appliance-20160831.0-1.x86_64.rhevm.ova 
WARNING: ovirt-image-uploader is deprecated in 4.0 and will be removed in 4.1
Uploading: [########################################] 100%
Comment 16 errata-xmlrpc 2016-09-28 18:17:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1951.html
