Description of problem:
engine-image-uploader returns 401 unauthorized when using kerberos

Version-Release number of selected component (if applicable):
rhevm-4.0.3-0.1.el7ev.noarch
ovirt-engine-sdk-python-3.6.8.0-1.el7ev.noarch
python-ovirt-engine-sdk4-4.0.0-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure SSO integration with IdM as outlined in the documentation
2. Test and configure users
3. kinit on the rhevm host
4. Configure appropriate exports storage domain
5. try to upload image

Actual results:
# engine-image-uploader --with-kerberos -e gr01 upload Tiny\ Linux\ VM.ova
WARNING: ovirt-image-uploader is deprecated in 4.0 and will be removed in 4.1
ERROR: Unable to connect to REST API at https://10-34-60-90.rhev.lab.eng.brq.redhat.com:443/ovirt-engine/api due to SDK error
Message: HTTP response code is 401.

# curl -v --negotiate -u : -X GET -H "Accept: application/xml" -k https://10-34-60-90.rhev.lab.eng.brq.redhat.com/ovirt-engine/api
* About to connect() to 10-34-60-90.rhev.lab.eng.brq.redhat.com port 443 (#0)
*   Trying 10.34.60.90...
* Connected to 10-34-60-90.rhev.lab.eng.brq.redhat.com (10.34.60.90) port 443 (#0)
...
< Vary: Accept-Encoding
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<api>
...
</api>
* Closing connection 0

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: vdcadmin

Valid starting       Expires              Service principal
09/08/2016 06:47:26  09/09/2016 06:47:21  HTTP/10-34-60-XX.com
	renew until 09/15/2016 06:47:21
09/08/2016 06:47:26  09/09/2016 06:47:21  HTTP/10-34-60-XX.com@
	renew until 09/15/2016 06:47:21
09/08/2016 06:47:23  09/09/2016 06:47:21  krbtgt/MY-IPA.COM
	renew until 09/15/2016 06:47:21

Expected results:
# engine-image-uploader -e exports --insecure upload cfme-rhevm-5.5.3.4-1.x86_64.rhevm.ova
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort):
Uploading: [########################################] 100%

Additional info:
Curl is able to use kerberos authentication. Logs attached.
Created attachment 1199058
image-uploader log
I've checked the configuration of the machine and debugged the queries; the problem was that the '/ovirt-engine/api' endpoint was configured to support GSSAPI authentication. When I removed that, image-uploader worked fine. Can you please re-check?
Just a note that SDK v4 obtains the SSO token at {url}/ovirt-engine/sso/oauth/token-http-auth and then uses this token to access '/ovirt-engine/api', so that endpoint shouldn't be set to support GSSAPI auth in the case of SDK v4.
Ravi, please take a look, we need to be able to support kerberos SSO for both v3 and v4 API at the same time.
One simple solution (workaround) is to add '/ovirt-engine/api/v4' to the location match and always use the /v4 suffix with v4 SDKs.
Conditionally applying the LocationMatch so that it takes effect only if the request does not carry Bearer or Basic authentication resolves the issue.
Verified with:
rhevm-4.0.5-0.1.el7ev.noarch

# engine-image-uploader --with-kerberos -e gr05 upload rhevm-appliance-20160922.0-1.x86_64.rhevm.ova

# cat /etc/ovirt-engine/aaa/ovirt-sso.conf
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/httpd.keytab
    KrbAuthRealms IPA-FQDN.COM
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
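To make the before/after behaviour of that LocationMatch concrete, the following is an added Python model written for this page; it is not oVirt code and not part of the bug's attachments. It transcribes the path regex and the <If> condition from the verified ovirt-sso.conf and runs a constructed request mix through them: the v3/curl case that negotiates straight against /ovirt-engine/api, the two SDK v4 requests (Negotiate to token-http-auth, then Bearer against the API), and a password-based client assumed to send HTTP Basic. The httpd outcomes are a simplification of mod_auth_kerb: any request governed by AuthType Kerberos that presents no Negotiate token is treated as the 401 seen in the bug, and the KrbMethodK5Passwd option (Basic credentials checked against the KDC) is not modelled. The practitioner caveat the model makes visible is that with the guard in place httpd authenticates nothing that carries a Bearer or Basic header, so the engine's own validation of those credentials is what protects /ovirt-engine/api; a forged header only gets a request past httpd, not past the engine.

```python
import re

# Regexes transcribed from the verified /etc/ovirt-engine/aaa/ovirt-sso.conf.
# LocationMatch regexes are not end-anchored, so "^/ovirt-engine/api" also
# governs sub-paths such as /ovirt-engine/api/vms.
LOCATION_RE = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
# <If "req('Authorization') !~ /^(Bearer|Basic)/i">
PASSTHROUGH_RE = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def kerberos_applies(path, authorization=None, guarded=True):
    """True when the AuthType Kerberos block governs this request.

    guarded=False models the original config from the bug (no <If> wrapper);
    guarded=True models the verified fix.
    """
    if not LOCATION_RE.search(path):
        return False
    if guarded and authorization and PASSTHROUGH_RE.match(authorization):
        return False
    return True


def httpd_outcome(path, authorization=None, guarded=True):
    """Simplified outcome at the httpd layer (mod_auth_kerb is not executed here).

    'krb-ok': a Negotiate token was presented; X-Remote-User would be set.
    '401':    the Kerberos block applied but no Negotiate token was presented,
              which is the SDK v4 Bearer case from the bug. mod_auth_kerb's
              optional KrbMethodK5Passwd handling of Basic is not modelled.
    'pass':   the request reaches the engine untouched; the engine must then
              validate the Bearer token or Basic credentials itself.
    """
    if kerberos_applies(path, authorization, guarded):
        if authorization and authorization.startswith("Negotiate "):
            return "krb-ok"
        return "401"
    return "pass"


# Constructed request mix for the clients discussed in this bug (not captured
# traffic; the tokens and credentials below are placeholders):
#   v3 SDK / curl --negotiate: Negotiate straight against /ovirt-engine/api
#   v4 SDK: Negotiate against token-http-auth, then Bearer <token> against the API
#   a password-based v3 client, assumed to send HTTP Basic
#   a forged Bearer header, to show what the guard does and does not decide
#   a path outside the LocationMatch
SCENARIOS = {
    "v3-negotiate-api": ("/ovirt-engine/api", "Negotiate YIIC...constructed"),
    "v4-token-fetch": ("/ovirt-engine/sso/oauth/token-http-auth", "Negotiate YIIC...constructed"),
    "v4-bearer-api": ("/ovirt-engine/api/vms", "Bearer constructed-token"),
    "v3-basic-api": ("/ovirt-engine/api", "Basic YWRtaW5AaW50ZXJuYWw6c2VjcmV0"),
    "forged-bearer-api": ("/ovirt-engine/api", "Bearer not-a-real-token"),
    "webadmin": ("/ovirt-engine/webadmin/", None),
}


def evaluate(guarded):
    """Outcome of every scenario under the original (False) or fixed (True) config."""
    return {name: httpd_outcome(path, auth, guarded)
            for name, (path, auth) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, guarded in (("original ovirt-sso.conf", False), ("with <If> guard", True)):
        print(label)
        for name, outcome in evaluate(guarded).items():
            print(f"  {name:20s} {outcome}")
```

Running it shows the v4 Bearer request against the API flipping from 401 under the original config to pass under the guarded one, while the Negotiate requests (v3 against the API, v4 against token-http-auth) are handled by Kerberos in both cases. The "forged-bearer-api" row passes httpd in the fixed config exactly like the genuine token does, which is the reason the guard is only acceptable because the engine validates Bearer tokens and Basic credentials itself.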