Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1367513

Summary: Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility
Product: [oVirt] ovirt-engine Reporter: Fabrice Bacchella <fabrice.bacchella>
Component: AAAAssignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE QA Contact: Gonza <grafuls>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.0.2.6CC: bugs, fabrice.bacchella, grafuls, juan.hernandez, mgoldboi, mperina, omachace, pstehlik, sbonazzo
Target Milestone: ovirt-4.0.3Keywords: Regression
Target Release: 4.0.3Flags: rule-engine: ovirt-4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
ENGINE_RESTAPI_NEGO config variable enables or disables the restapi negotiate authentication. If all restapi clients are RESTAPI/SDK v4 then this can be set to false. It is required to be set to true only for compatibility with RESTAPI/SDK v3.6 clients. By default the variable is set to true to maintain compatibility with v3.6 clients.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-15 08:05:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fabrice Bacchella 2016-08-16 15:20:09 UTC 
I was using kerberos to authenticate users with the sdkv3, as explained in documentation.

Now it don't work any more, as the new SSO broke it, with debug on, I get:

> GET /ovirt-engine/api HTTP/1.1
> Host: ovirt.mydomain.com
> Authorization: Negotiate <lots of stuff>
> User-Agent: PycURL/7.43.0 libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8 c-ares/1.10.0 libidn/1.32 libssh2/1.7.0
> Version: 3
> Content-Type: application/xml
> Accept: application/xml
> Filter: False
> Prefer: persistent-auth
> Content-Length: 0
* ?
< HTTP/1.1 401 Unauthorized
< Date: Tue, 16 Aug 2016 15:16:33 GMT
< Server: Apache
< WWW-Authenticate: Negotiate <other stuff>
* Replaced cookie ovirt_gssapi_session="" for domain ovirt.mydomain.com, path /ovirt-engine/api, expire 1471360593
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;
< WWW-Authenticate: Basic realm="RESTAPI"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
< Cache-Control: no-cache
* Replaced cookie ovirt_gssapi_session="" for domain ovirt.prod.exalead.com, path /ovirt-engine/api, expire 1471360593
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/ovirt-engine/api;HttpOnly;secure;

SDKv3 has no knowledg of oauth and sso end point. Who can it manage to authenticate ? Is it already deprecated ?
Comment 1 Juan Hernández 2016-08-16 15:39:02 UTC 
I noticed in your write-up about authentication [1] with CAS that you are adding the X-Remote-User header for requests to /api, but not to /ovirt-engine/api:

  <LocationMatch ^/api($|/)>
    ...
  </LocationMatch>

In version 4 of the engine /api doesn't work, it has been removed. Did you update it to use /ovirt-engine/api?

Version 3 of the SDK is deprecated, but still supported. Support will probably be removed in version 4.1 of the engine.

[1] https://www.ovirt.org/blog/2016/04/sso
Comment 2 Fabrice Bacchella 2016-08-16 15:46:54 UTC 
Yes that was changed, the 404 not found was rather obvious to correct.

In the exchange you see the kerberos part, with:
> Authorization: Negotiate <lots of stuff>
< WWW-Authenticate: Negotiate <other stuff>

I forgot to attach engine.log :

2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] Entered SsoRestApiAuthFilter
2016-08-16 17:45:50,445 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-5) [] SsoRestApiAuthFilter authenticating with sso
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] Entered SsoRestApiNegotiationFilter
2016-08-16 17:45:50,448 DEBUG [org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter] (default task-5) [] SsoRestApiNegotiationFilter Not performing Negotiate Auth
Comment 3 Juan Hernández 2016-08-16 17:29:49 UTC 
I have verified that with a simple Kerberos setup the authentication of the SDK works correctly, so I'm moving the bug to the AAA component of the engine.
Comment 4 Ravi Nori 2016-08-17 02:21:41 UTC 
Please add a conf file with ENGINE_RESTAPI_NEGO=true

and let me know if it works
Comment 5 Fabrice Bacchella 2016-08-17 08:34:05 UTC 
It works perfectly, even with kerberos.
Comment 9 Red Hat Bugzilla Rules Engine 2016-08-31 18:12:50 UTC 
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 10 Ondra Machacek 2016-08-31 18:18:11 UTC 
Please share with us also configureation of apache and extensions, thanks.
Comment 11 Ondra Machacek 2016-08-31 18:28:16 UTC 
Also please make sure your user 'admin' has permissions to login. And also make sure in '/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf' there is indeed 'ENGINE_RESTAPI_NEGO=true'.
Comment 12 Gonza 2016-09-01 15:07:09 UTC 
Verified with:
RHEVM 4.0.3