Bug 1367513 - Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.0.2.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.0.3
Target Release: 4.0.3
Assignee: Ravi Nori
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-16 15:20 UTC by Fabrice Bacchella
Modified: 2016-09-15 08:05 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The ENGINE_RESTAPI_NEGO config variable enables or disables Negotiate (Kerberos) authentication for the RESTAPI. If all RESTAPI clients are RESTAPI/SDK v4, it can be set to false. It is required to be set to true only for compatibility with RESTAPI/SDK v3.6 clients. By default the variable is set to true to maintain compatibility with v3.6 clients.
Clone Of:
Environment:
Last Closed: 2016-09-15 08:05:59 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1342192 0 unspecified CLOSED Apache SSO Configuration needs to be updated 2021-02-22 00:41:40 UTC
oVirt gerrit 62469 0 master MERGED aaa: Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility 2016-08-18 07:35:17 UTC
oVirt gerrit 62474 0 ovirt-engine-4.0 MERGED aaa: Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility 2016-08-18 08:21:08 UTC
oVirt gerrit 62479 0 ovirt-engine-4.0.2 MERGED aaa: Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility 2016-08-18 10:22:01 UTC
oVirt gerrit 62535 0 ovirt-engine-4.0.3 MERGED aaa: Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility 2016-08-19 08:22:55 UTC

Internal Links: 1342192

Description Fabrice Bacchella 2016-08-16 15:20:09 UTC
I was using Kerberos to authenticate users with the SDK v3, as explained in the documentation.

Now it doesn't work any more, as the new SSO broke it. With debug on, I get:

> GET /ovirt-engine/api HTTP/1.1
> Host: ovirt.mydomain.com
> Authorization: Negotiate <lots of stuff>
> User-Agent: PycURL/7.43.0 libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8 c-ares/1.10.0 libidn/1.32 libssh2/1.7.0
> Version: 3
> Content-Type: application/xml
> Accept: application/xml
> Filter: False
> Prefer: persistent-auth
> Content-Length: 0
* ?
< HTTP/1.1 401 Unauthorized
< Date: Tue, 16 Aug 2016 15:16:33 GMT
< Server: Apache
< WWW-Authenticate: Negotiate <other stuff>
* Replaced cookie ovirt_gssapi_session="" for domain ovirt.mydomain.com, path /ovirt-engine/api, expire 1471360593
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;
< WWW-Authenticate: Basic realm="RESTAPI"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
< Cache-Control: no-cache
* Replaced cookie ovirt_gssapi_session="" for domain ovirt.prod.exalead.com, path /ovirt-engine/api, expire 1471360593
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;

SDKv3 has no knowledge of the OAuth and SSO endpoint. How can it manage to authenticate? Is it already deprecated?

Comment 1 Juan Hernández 2016-08-16 15:39:02 UTC
I noticed in your write-up about authentication [1] with CAS that you are adding the X-Remote-User header for requests to /api, but not to /ovirt-engine/api:

  <LocationMatch ^/api($|/)>
    ...
  </LocationMatch>

In version 4 of the engine /api doesn't work, it has been removed. Did you update it to use /ovirt-engine/api?

Version 3 of the SDK is deprecated, but still supported. Support will probably be removed in version 4.1 of the engine.

[1] https://www.ovirt.org/blog/2016/04/sso

Comment 2 Fabrice Bacchella 2016-08-16 15:46:54 UTC
Yes that was changed, the 404 not found was rather obvious to correct.

In the exchange you see the kerberos part, with:
> Authorization: Negotiate <lots of stuff>
< WWW-Authenticate: Negotiate <other stuff>

I forgot to attach engine.log:

2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] Entered SsoRestApiAuthFilter
2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] SsoRestApiAuthFilter authenticating with sso
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] Entered SsoRestApiNegotiationFilter
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] SsoRestApiNegotiationFilter Not performing Negotiate Auth

Comment 3 Juan Hernández 2016-08-16 17:29:49 UTC
I have verified that with a simple Kerberos setup the authentication of the SDK works correctly, so I'm moving the bug to the AAA component of the engine.

Comment 4 Ravi Nori 2016-08-17 02:21:41 UTC
Please add a conf file with ENGINE_RESTAPI_NEGO=true

and let me know if it works

Comment 5 Fabrice Bacchella 2016-08-17 08:34:05 UTC
It works perfectly, even with kerberos.

Comment 9 Red Hat Bugzilla Rules Engine 2016-08-31 18:12:50 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 10 Ondra Machacek 2016-08-31 18:18:11 UTC
Please share with us also the configuration of Apache and the extensions, thanks.

Comment 11 Ondra Machacek 2016-08-31 18:28:16 UTC
Also please make sure your user 'admin' has permissions to login. And also make sure in '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf' there is indeed 'ENGINE_RESTAPI_NEGO=true'.
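As an added example (not from the bug thread or the oVirt project), a Python checker that resolves the effective ENGINE_RESTAPI_NEGO value across layered engine config files and scans engine.log for the "Not performing Negotiate Auth" line seen in comment 2, which is what RESTAPI/SDK v3 Kerberos clients hit when the setting is false. Only the base ovirt-engine.conf path is named in the bug; the drop-in directory, all file contents and the log lines are constructed assumptions.

```python
import re

# Engine config files in load order (shipped defaults, then local overrides).
# Contents are constructed; the drop-in directory path is an assumption.
CONF_FILES = [
    ("/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf",
     "# shipped default after the fix\nENGINE_RESTAPI_NEGO=true\n"),
    ("/etc/ovirt-engine/engine.conf.d/99-local.conf",
     "# admin override, assumes only v4 clients\nENGINE_RESTAPI_NEGO=false\n"),
]
# Constructed engine.log lines modelled on the excerpt in comment 2.
LOG_LINES = [
    "2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] Entered SsoRestApiAuthFilter",
    "2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] SsoRestApiNegotiationFilter Not performing Negotiate Auth",
]
# Logged by the filter when ENGINE_RESTAPI_NEGO is false; v3 Kerberos clients then get 401.
SKIPPED = re.compile(r"SsoRestApiNegotiationFilter\] .*Not performing Negotiate Auth$")

def parse_conf(text: str) -> dict:
    """Parse KEY=value lines; blank lines and '#' comments are ignored."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out

def effective_setting(files, key="ENGINE_RESTAPI_NEGO"):
    """Return (value, defining file) of the last definition, or None if never set."""
    found = None
    for path, text in files:
        values = parse_conf(text)
        if key in values:
            found = (values[key].lower(), path)
    return found

def negotiate_skipped_in_log(lines) -> bool:
    """True if engine.log shows the negotiation filter being skipped."""
    return any(SKIPPED.search(line) for line in lines)

def diagnose(files, lines) -> str:
    """Explain whether RESTAPI/SDK v3 Kerberos clients can still log in."""
    setting = effective_setting(files)
    if setting is not None and setting[0] != "true":
        return f"broken: ENGINE_RESTAPI_NEGO={setting[0]} set in {setting[1]}"
    if negotiate_skipped_in_log(lines):
        return "broken: config is true but engine.log shows Negotiate skipped (engine restarted?)"
    return "ok: Negotiate enabled for RESTAPI"
```

Point CONF_FILES at the real files (read in the order the engine loads them) and LOG_LINES at a fresh engine.log to reproduce the check from comments 4 and 11 on a live system.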

Comment 12 Gonza 2016-09-01 15:07:09 UTC
Verified with:
RHEVM 4.0.3