Bug 1468878 - multiple http.AuthnExtension fails
Summary: multiple http.AuthnExtension fails
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.2.2
: ---
Assignee: Ondra Machacek
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-09 09:29 UTC by Fabrice Bacchella
Modified: 2018-03-29 11:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-29 11:10:15 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.2+

Attachments (Terms of Use)
relevant engine log (39.99 KB, text/plain)
2018-01-30 21:01 UTC, Gonza 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 79280 0 master MERGED core: aaa: Fix multiple misc.authn checking 2020-05-29 12:27:24 UTC

Description Fabrice Bacchella 2017-07-09 09:29:43 UTC 
I have two kerberos realm. The first one is a Active Directory, the second a MIT. I need kerberos authentication in both real. So I want two profile. Both will use org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication. The first one will use a LDAP authz.plugin. I plan to put my MIT users in a JDBC auhtz.plugin.

But oVirt don't like that setup. As the authn part always success (Kerberos authentication is done in Apache), when the first authz to be tried fails, everything fails.
AD users are fine, I can log in in the UI with kerberos, AD users are resolved. But when I try with a MIT user (rexecutor in my case), it fails.

I activated debug and got:

2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
       at org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
       at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
       at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
       at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
       at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
       at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
       at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
       at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
       at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
       at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
       at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
       at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
       at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
       at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
       at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
       at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
       at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

Right after that, I see in the log:
2017-07-04 17:50:25,718+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] External Authentication Failed: Cannot resolve principal 'rexecutor'
Comment 1 Gonza 2018-01-30 21:01:15 UTC 
Created attachment 1388641 [details]
relevant engine log
Comment 2 Gonza 2018-01-30 21:05:18 UTC 
Tried with:
ovirt-engine-4.2.1.4-0.1.el7.noarch

The multiple authn extension scenario is now working when accessing webadmin but issue is still present via REST like:
curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://engine.com/ovirt-engine/api/vms

Relevant logs for this call are already attached to this ticket.
Comment 3 Red Hat Bugzilla Rules Engine 2018-01-30 21:05:23 UTC 
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 4 Ondra Machacek 2018-02-22 10:52:49 UTC 
Please don't verify with /api/vms it isn't supported anymore. Test with new sso endpoint[1] for kerberos auth to test API and test also with webadmin.


[1] POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
    scope=ovirt-app-api&grant_type=urn%3Aovirt%3Aparams%3Aoauth%3Agrant-type%3Ahttp
Comment 5 Petr Matyáš 2018-03-16 11:25:00 UTC 
Verified on ovirt-engine-4.2.2.2-0.1.el7.noarch
Comment 6 Sandro Bonazzola 2018-03-29 11:10:15 UTC 
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
Note You need to log in before you can comment on or make changes to this bug.