Created attachment 1164122
Apache ovirt-engine 4.0 sso.conf

Description of problem:

The apache sso configuration needs to be updated in 4.0. The sso configuration is not updated during setup, as the apache configuration is managed by the admin.

The LocationMatch needs to be updated to

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>

and the ErrorDocument needs to be set to

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"

The attached document shows the sso configuration for 4.0.
From https://github.com/modauthgssapi/mod_auth_gssapi :

This module has been built as a replacement for the aging mod_auth_kerb. Its aim is to use only GSSAPI calls and be as much as possible agnostic of the actual mechanism used.

And indeed, if you have a look at https://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/ the current version shipped with CentOS 7 is 5.4, and it was released in 2008. In the spec changelog:

* Thu Dec 11 2008 Joe Orton <jorton> 5.4-2
- update to 5.4

At https://www.ovirt.org/blog/2016/04/sso/ there is an example that uses mod_auth_gssapi.
We also need to document how to configure SSO so that the /ovirt-engine/api endpoint works with SDKv3 in RHV4:

RestAPI negotiation authentication is disabled by default; applications should use the new OAuth2 interface in order to acquire a token. This can be re-enabled by the engine configuration option ENGINE_RESTAPI_NEGO and by adding |^/ovirt-engine/api to the LocationMatch of the apache configuration. Notice: in most cases this will have a negative performance impact due to HTTP renegotiation.
To sum up all the steps I had to do to migrate:

- use ovirt-engine-rename and use the virtual host I configured in Apache. I didn't really rename the host, just ovirt.

- add

ENGINE_HTTPS_PKI_TRUST_STORE=".../mypki.jks"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

to allow the ovirt engine to trust itself in the OAuth SSO.

- add

ENGINE_RESTAPI_NEGO=true

to allow the python SDKv3 to still use kerberos for authentication.

- protect ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) with CAS to integrate with our SSO. Everything else is left unprotected.

Now it's working fine, and I hope even better than before, as I had to clean my Apache configuration and remove useless or redundant things.

Thanks everyone for the help, even if it was a painful trip.
(In reply to Fabrice Bacchella from comment #6)
> To sum up all the steps I had to do to migrate:
>
> - add
>
> ENGINE_RESTAPI_NEGO=true
>
> to allow the python SDKv3 to still use kerberos for authentication.

We have decided to set ENGINE_RESTAPI_NEGO=true by default as a fix for BZ1367513, so users upgrading to 4.0.4+ will not need to do that step.

> - protect
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) with
> CAS to integrate with our SSO. Everything else is left unprotected.
>
> Now it's working fine, and I hope even better than before, as I had to clean
> my Apache configuration and remove useless or redundant things.
>
> Thanks everyone for the help, even if it was a painful trip.

Fabrice, I'm glad that your setup is finally working, and thanks a lot for your huge effort!!!
(In reply to Ravi Nori from comment #0)
> Created attachment 1164122
> Apache ovirt-engine 4.0 sso.conf
>
> Description of problem:
>
> The apache sso configuration needs to be updated in 4.0. The sso
> configuration is not updated during setup, as the apache configuration is managed
> by the admin.
>
> The LocationMatch needs to be updated to
>
> <LocationMatch
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>
>
> and the ErrorDocument needs to be set to
>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
> url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>
> The attached document shows the sso configuration for 4.0.

It should be noted that if a user still wants to use kerberos SSO for RESTAPI v3 (including the SDKs v3), then the LocationMatch has to be set to:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>

If users want to use RESTAPI v4 only, then the following LocationMatch is sufficient:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>
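The following Apache fragment is an added example, not the sso.conf attached to this bug and not taken from the oVirt project's own files. It puts together the pieces discussed in comments #0, #3, #6 and in Fabrice's summary: the 4.0 LocationMatch that limits Negotiate (Kerberos) authentication to the two SSO endpoints, the 401 ErrorDocument that bounces an unauthenticated browser to /ovirt-engine/sso/login-unauthorized, and the optional |^/ovirt-engine/api alternative for v3 REST/SDK clients. It uses mod_auth_gssapi as the blog post in comment #1 does; the keytab path, the session cookie name and the engine.conf.d file name are assumptions, and only the authentication-related directives are shown.

```apache
# Added example fragment for /etc/httpd/conf.d/ (file name assumed).
# Requires mod_auth_gssapi, mod_session and mod_ssl to be loaded.

# Default 4.0 scope: Kerberos negotiation only on the two SSO endpoints.
# Everything else under /ovirt-engine/ stays unprotected at the Apache
# layer and is handled by the engine's own OAuth2 SSO.
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>
    AuthType GSSAPI
    AuthName "Kerberos Login"
    # Service principal keytab for HTTP/<fqdn>; path is an assumption.
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Refuse to negotiate over plain HTTP (tickets only travel over TLS).
    GssapiSSLonly On
    # Cache the result in a session cookie so each request does not redo
    # the full SPNEGO round trip; cookie name is an assumption.
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    Require valid-user

    # Exactly as given in comment #0: a browser that cannot negotiate
    # (no ticket, wrong realm) is redirected to the engine's
    # "unauthorized" page instead of seeing a bare 401.
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</LocationMatch>

# Optional variant for v3 REST API / SDKv3 clients that still authenticate
# with Kerberos (comments #3 and #6). Replace the LocationMatch line above
# with the one below, and set ENGINE_RESTAPI_NEGO=true in an engine config
# drop-in, e.g. /etc/ovirt-engine/engine.conf.d/99-restapi-nego.conf
# (file name assumed; the option is on by default from 4.0.4, see comment #7).
# Note from comment #3: this adds an HTTP renegotiation on API calls and
# in most cases has a negative performance impact.
#
# <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
```

After editing, `apachectl configtest` confirms the syntax, and a request to /ovirt-engine/sso/interactive-login-negotiate without a ticket should answer with the redirect page above, while a request to an unrelated path such as /ovirt-engine/ must not trigger a 401 from Apache at all; if it does, the LocationMatch regex has been widened beyond the two endpoints.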
Assigning to Tahlia for review.
* Replaced 'Example 15.5 Example authentication method file' with the content of the attachment
* Added a note per comment 8

Will request tech/docs review as a group with other bugs for this section.
Documentation Link: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide/#Configuring_LDAP_and_Kerberos_for_Single_Sign-on