Bug 1459254 - Content-type mix prevent Kerberos authentication
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine-sdk-python
Classification: oVirt
Component: General
4.1.4
Unspecified All
unspecified Severity medium
: ovirt-4.1.3
: 4.1.5
Assigned To: Ondra Machacek
Gonza
Reported: 2017-06-06 12:01 EDT by Fabrice Bacchella
Modified: 2017-07-06 09:18 EDT
Fixed In Version: python-ovirt-engine-sdk4-4.1.5
Last Closed: 2017-07-06 09:18:34 EDT
Type: Bug
oVirt Team: Infra
rule-engine: ovirt‑4.1+
pstehlik: testing_ack+
External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 77917 master MERGED Ignore unrelated responses from server 2017-06-07 09:10 EDT
oVirt gerrit 77944 sdk_4.1 MERGED Ignore unrelated responses from server 2017-06-07 10:03 EDT
oVirt gerrit 77945 master MERGED Ignore unrelated responses from server 2017-06-09 05:21 EDT
oVirt gerrit 78032 sdk_4.1 MERGED Ignore unrelated responses from server 2017-06-09 05:38 EDT

Description Fabrice Bacchella 2017-06-06 12:01:52 EDT
I'm using the Kerberos authentication from Apache instead of from oVirt. It was working well until the 4.1.4 release.

When I debug the request I see:

>  POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
<  HTTP/1.1 401 Unauthorized
<  Content-Type: text/html; charset=iso-8859-1
>  POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
>  Authorization: Negotiate <SPNEGO blob>
<  HTTP/1.1 200 OK
<  Content-Type: application/json

but I get a:
The response content type 'text/html; charset=iso-8859-1' isn't the expected JSON

Indeed, if I print the returned headers in

    def _check_content_type(self, expected_re, expected_name, headers):

I get:
['HTTP/1.1 401 Unauthorized\r', ..., 'Content-Type: text/html; charset=iso-8859-1\r',...'HTTP/1.1 200 OK\r','Content-Type: application/json\r']

The headers array is a merge of both sets of headers. So it's all wrong, as self._get_header_value(headers, 'content-type') returns the first occurrence of 'content-type' and so check_json_content_type fails.
Comment 1 Gonza 2017-06-21 10:05:37 EDT
Tried with:
python-ovirt-engine-sdk4-4.2.1-1.a1.20170607gitdec2258.el7.centos.x86_64

Headers are still merged.
[
'HTTP/1.1 401 Unauthorized\r', 
'Date: Wed, 21 Jun 2017 14:00:42 GMT\r', 
'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
'WWW-Authenticate: Negotiate\r', 
'Content-Length: 163\r', 
'Content-Type: text/html; charset=iso-8859-1\r', 
'\r', 
'HTTP/1.1 200 OK\r', 
'Date: Wed, 21 Jun 2017 14:00:42 GMT\r', 
'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
'WWW-Authenticate: Negotiate xxxxxxxxx\r', 
'Set-Cookie: JSESSIONID=xxxxxxxxx; path=/ovirt-engine/sso; secure; HttpOnly\r', 
'Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 09-Jul-2085 17:14:49 GMT\r', 
'X-XSS-PROTECTION: 1; MODE=BLOCK\r', 
'X-CONTENT-TYPE-OPTIONS: NOSNIFF\r', 
'X-FRAME-OPTIONS: SAMEORIGIN\r', 
'Content-Type: application/json\r', 
'Content-Length: 316\r', 
'Vary: Accept-Encoding\r', 
'\r', 
'']
Comment 2 Red Hat Bugzilla Rules Engine 2017-06-21 10:05:46 EDT
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
Comment 3 Ondra Machacek 2017-06-21 10:27:10 EDT
Please try with python-ovirt-engine-sdk4-4.1.5.
python-ovirt-engine-sdk4-4.2.1-1.a1.20170607gitdec2258.el7.centos.x86_64 doesn't contain the fix.
Comment 4 Gonza 2017-06-22 04:36:03 EDT
Verified with:
python-ovirt-engine-sdk4-4.1.5-1.el7ev.x86_64

HEADERS:
[
	'HTTP/1.1 200 OK\r', 
	'Date: Thu, 22 Jun 2017 08:33:45 GMT\r', 
	'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
	'Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Tue, 10-Jul-2085 11:47:52 GMT\r', 
	'X-XSS-PROTECTION: 1; MODE=BLOCK\r', 
	'X-CONTENT-TYPE-OPTIONS: NOSNIFF\r', 
	'X-FRAME-OPTIONS: SAMEORIGIN\r', 
	'Content-Type: application/json\r', 
	'Content-Length: 310\r', 
	'Vary: Accept-Encoding\r',
]
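
Added example, not part of the bug report and not the SDK's own code: one way to validate the content type against only the final response when the header list also contains the 401 Negotiate challenge. The function names and the trimmed sample list are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the merged header list quoted in this bug:
# the 401 Negotiate challenge followed by the final 200 response.
MERGED = [
    'HTTP/1.1 401 Unauthorized\r',
    'WWW-Authenticate: Negotiate\r',
    'Content-Type: text/html; charset=iso-8859-1\r',
    '\r',
    'HTTP/1.1 200 OK\r',
    'Content-Type: application/json\r',
    'Content-Length: 316\r',
    '\r',
    '',
]

JSON_RE = re.compile(r'^\s*application/json\s*(;.*)?$', re.IGNORECASE)

def split_responses(lines):
    """Group raw header lines into one block per HTTP status line."""
    blocks = []
    for raw in lines:
        line = raw.rstrip('\r\n')
        if line.upper().startswith('HTTP/'):
            blocks.append({'status': line, 'headers': []})
        elif ':' in line and blocks:
            name, value = line.split(':', 1)
            blocks[-1]['headers'].append((name.strip().lower(), value.strip()))
    return blocks

def header_value(headers, name):
    """Return the first value of `name` within a single response block."""
    return next((v for n, v in headers if n == name.lower()), None)

def first_content_type(lines):
    """Behaviour described in the report: first match across all blocks."""
    merged = [h for b in split_responses(lines) for h in b['headers']]
    return header_value(merged, 'content-type')

def final_content_type(lines):
    """Only the last response block decides the content type."""
    blocks = split_responses(lines)
    return header_value(blocks[-1]['headers'], 'content-type') if blocks else None

def is_json(lines):
    """True when the final response declares a JSON body."""
    value = final_content_type(lines)
    return bool(value and JSON_RE.match(value))
```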