Bug 1399479 - [SSO][Regression] SSO failure when LoginOnBehalf is called
Summary: [SSO][Regression] SSO failure when LoginOnBehalf is called
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.1.0-alpha
: 4.1.0.2
Assignee: Ravi Nori
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-29 06:57 UTC by Gonza
Modified: 2017-02-15 15:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-15 15:07:02 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.1+
rule-engine: blocker+


Attachments
relevant logs (15.71 KB, text/plain)
2016-11-29 06:57 UTC, Gonza


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 67543 0 master MERGED aaa: SSO failure when LoginOnBehalf is called 2016-12-02 14:13:45 UTC

Description Gonza 2016-11-29 06:57:32 UTC
Created attachment 1225651
relevant logs

Description of problem:
Regression introduced by [1]
The introduction of custom serializers for Map- and List-like collections has raised a conflict with the serialization of ExtMap.
[1] https://gerrit.ovirt.org/#/c/64061/

Version-Release number of selected component (if applicable):
ovirt-engine-4.1.0-0.0.master.20161125091311.gitd47134a.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure SSO
2. Curl to engine api

Actual results:
401 unauthorized

Expected results:
200 OK

Additional info:
Relevant logs attached.

Comment 1 Gonza 2017-02-03 15:05:20 UTC
Verified with:
ovirt-engine-4.1.0-0.2.master.20161213122836.git2cd5587.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# curl -v -k --negotiate -u : https://example.com/ovirt-engine/api
* About to connect() to example.com port 443 (#0)
*   Trying {IP}...
* Connected to example.com ({IP}) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=example.com,O=rhev.lab.eng.brq.redhat.com,C=US
* 	start date: Nov 28 08:51:11 2016 GMT
* 	expire date: Nov 03 08:51:11 2021 GMT
* 	common name: example.com
* 	issuer: CN=example.com.41406,O=rhev.lab.eng.brq.redhat.com,C=US
> GET /ovirt-engine/api HTTP/1.1
> User-Agent: curl/7.29.0
> Host: example.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Fri, 03 Feb 2017 15:00:30 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< WWW-Authenticate: Negotiate
< Cache-Control: no-cache
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< Content-Length: 163
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host example.com left intact
* Issue another request to this URL: 'https://example.com/ovirt-engine/api'
* Found bundle for host example.com: 0x11eef20
* Re-using existing connection! (#0) with host example.com
* Connected to example.com ({IP}) port 443 (#0)
* Server auth using GSS-Negotiate with user ''
> GET /ovirt-engine/api HTTP/1.1
> Authorization: Negotiate ...
> User-Agent: curl/7.29.0
> Host: example.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 03 Feb 2017 15:00:31 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0
< WWW-Authenticate: Negotiate ...
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< Content-Type: application/xml
< Content-Length: 4120
< Correlation-Id: 7ebfaa40-89d8-45e3-a2ab-856b17e7d93b
< Link: ...
< Vary: Accept-Encoding
< Cache-Control: no-cache
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<api>
...
</api>
* Closing connection 0
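
The transcript in Comment 1 contains two responses: the initial 401 that carries the `WWW-Authenticate: Negotiate` challenge, then the 200 that follows the client's `Authorization: Negotiate` header. The sketch below is an added example, not part of the bug report or of oVirt's code; it classifies such a `curl -v` transcript so that the expected first 401 is not mistaken for the final 401 listed under "Actual results". The function name, verdict names and sample transcripts are constructed for this example.

```shell
#!/bin/sh
# classify_negotiate: read a `curl -v --negotiate` transcript on stdin and
# print one verdict. Verdict names are this example's own.
classify_negotiate() {
    awk '
        { sub(/\r$/, "") }                                # header lines may end in CR
        /^> [A-Z]+ .* HTTP\//            { auth = 0 }     # a new request starts
        /^> Authorization: Negotiate/    { auth = 1 }     # client sent a GSS token
        /^< HTTP\//  { status = $3; with_token = auth; offered = 0 }
        /^< WWW-Authenticate: Negotiate/ { offered = 1 }  # server offers Negotiate
        END {                                             # judge the LAST response only
            if (status == "")                     print "NO_RESPONSE"
            else if (status == 200 && with_token) print "PASS"
            else if (status == 401 && with_token) print "REJECTED_AFTER_TOKEN"
            else if (status == 401 && offered)    print "CHALLENGE_NOT_ANSWERED"
            else if (status == 401)               print "NEGOTIATE_NOT_OFFERED"
            else                                  print "UNEXPECTED_" status
        }
    '
}

# Constructed transcripts (not captured from a real server).
sample_fixed() {
    printf '%s\n' \
        '> GET /ovirt-engine/api HTTP/1.1' \
        '< HTTP/1.1 401 Unauthorized' \
        '< WWW-Authenticate: Negotiate' \
        '> GET /ovirt-engine/api HTTP/1.1' \
        '> Authorization: Negotiate TOKEN-PLACEHOLDER' \
        '< HTTP/1.1 200 OK'
}
sample_rejected() {
    printf '%s\n' \
        '> GET /ovirt-engine/api HTTP/1.1' \
        '< HTTP/1.1 401 Unauthorized' \
        '< WWW-Authenticate: Negotiate' \
        '> GET /ovirt-engine/api HTTP/1.1' \
        '> Authorization: Negotiate TOKEN-PLACEHOLDER' \
        '< HTTP/1.1 401 Unauthorized'
}

sample_fixed | classify_negotiate
sample_rejected | classify_negotiate
```

Against a live engine, the command from Comment 1 can be piped in with stderr merged, since curl writes its verbose trace there: `curl -v -k --negotiate -u : https://example.com/ovirt-engine/api 2>&1 | classify_negotiate`.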

