I was using kerberos to authenticate users with the sdkv3, as explained in the documentation. Now it doesn't work any more, as the new SSO broke it. With debug on, I get:

    > GET /ovirt-engine/api HTTP/1.1
    > Host: ovirt.mydomain.com
    > Authorization: Negotiate <lots of stuff>
    > User-Agent: PycURL/7.43.0 libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8 c-ares/1.10.0 libidn/1.32 libssh2/1.7.0
    > Version: 3
    > Content-Type: application/xml
    > Accept: application/xml
    > Filter: False
    > Prefer: persistent-auth
    > Content-Length: 0
    * ?
    < HTTP/1.1 401 Unauthorized
    < Date: Tue, 16 Aug 2016 15:16:33 GMT
    < Server: Apache
    < WWW-Authenticate: Negotiate <other stuff>
    * Replaced cookie ovirt_gssapi_session="" for domain ovirt.mydomain.com, path /ovirt-engine/api, expire 1471360593
    < Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;
    < WWW-Authenticate: Basic realm="RESTAPI"
    < Content-Type: text/html;charset=UTF-8
    < Content-Length: 71
    < Cache-Control: no-cache
    * Replaced cookie ovirt_gssapi_session="" for domain ovirt.prod.exalead.com, path /ovirt-engine/api, expire 1471360593
    < Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;

SDKv3 has no knowledge of oauth and the sso end point. How can it manage to authenticate? Is it already deprecated?

I noticed in your write-up about authentication [1] with CAS that you are adding the X-Remote-User header for requests to /api, but not to /ovirt-engine/api:

    <LocationMatch ^/api($|/)>
    ...
    </LocationMatch>

In version 4 of the engine /api doesn't work, it has been removed. Did you update it to use /ovirt-engine/api? Version 3 of the SDK is deprecated, but still supported. Support will probably be removed in version 4.1 of the engine.

[1] https://www.ovirt.org/blog/2016/04/sso

Yes that was changed, the 404 not found was rather obvious to correct. In the exchange you see the kerberos part, with:

    > Authorization: Negotiate <lots of stuff>
    < WWW-Authenticate: Negotiate <other stuff>

I forgot to attach engine.log:

    2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] Entered SsoRestApiAuthFilter
    2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] SsoRestApiAuthFilter authenticating with sso
    2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] Entered SsoRestApiNegotiationFilter
    2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] SsoRestApiNegotiationFilter Not performing Negotiate Auth

I have verified that with a simple Kerberos setup the authentication of the SDK works correctly, so I'm moving the bug to the AAA component of the engine.
Please add a conf file with ENGINE_RESTAPI_NEGO=true and let me know if it works
It works perfectly, even with kerberos.
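
An added example, not part of the thread or of oVirt's code: a Python check that finds the "Not performing Negotiate Auth" symptom from the engine.log excerpt above and relates it to the ENGINE_RESTAPI_NEGO setting suggested above. The function names, the KEY=value parsing with the last assignment winning, and the sample conf snippets are assumptions.

```python
import re

# Constructed input: the first four lines repeat the engine.log excerpt quoted in
# the thread; the fifth is a constructed continuation line that must be skipped.
SAMPLE_LOG = """\
2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] Entered SsoRestApiAuthFilter
2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] SsoRestApiAuthFilter authenticating with sso
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] Entered SsoRestApiNegotiationFilter
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] SsoRestApiNegotiationFilter Not performing Negotiate Auth
    at constructed.continuation.Line(Constructed.java:1)
"""
# Constructed conf snippets; KEY=value lines with '#' comments are an assumption.
CONF_OFF = "# constructed\nENGINE_RESTAPI_NEGO=false\n"
CONF_ON = '# constructed\nENGINE_RESTAPI_NEGO="true"\n'

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]*)\) \[(?P<corr>[^\]]*)\] (?P<msg>.*)$")

def skipped_negotiate(log_text):
    """Return (timestamp, thread) for each line where the negotiation filter declined."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["logger"].endswith(".SsoRestApiNegotiationFilter"):
            continue  # other loggers and unparseable continuation lines
        if "Not performing Negotiate Auth" in m["msg"]:
            hits.append((m["ts"], m["thread"]))
    return hits

def conf_value(conf_text, key="ENGINE_RESTAPI_NEGO"):
    """Last uncommented KEY=value wins (assumed precedence); quotes are stripped."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            value = v.strip().strip("\"'")
    return value

def diagnose(log_text, conf_text):
    """Relate the log symptom to the setting; returns (finding, hits)."""
    hits = skipped_negotiate(log_text)
    nego = (conf_value(conf_text) or "").lower() == "true"
    if not hits:
        return "no skipped negotiation in this log", hits
    if nego:
        return "negotiate skipped although the given conf sets ENGINE_RESTAPI_NEGO=true", hits
    return "negotiate skipped; ENGINE_RESTAPI_NEGO is not true in the given conf", hits
```
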
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
Please share with us also the configuration of apache and extensions, thanks.
Also please make sure your user 'admin' has permissions to log in. And also make sure in '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf' there is indeed 'ENGINE_RESTAPI_NEGO=true'.
Verified with: RHEVM 4.0.3