Bug 1468878 - multiple http.AuthnExtension fails
Status: ON_QA
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.2.0
Target Release: 4.2.0
Assigned To: Ondra Machacek
QA Contact: Gonza
Docs Contact:
Depends On:
Blocks:
Reported: 2017-07-09 05:29 EDT by Fabrice Bacchella
Modified: 2017-09-28 06:19 EDT (History)
CC: 2 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt‑4.2+
External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 79280 master MERGED core: aaa: Fix multiple misc.authn checking 2017-07-18 07:57 EDT
Description Fabrice Bacchella 2017-07-09 05:29:43 EDT
I have two kerberos realms. The first one is an Active Directory, the second a MIT. I need kerberos authentication in both realms. So I want two profiles. Both will use org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication. The first one will use an LDAP authz.plugin. I plan to put my MIT users in a JDBC authz.plugin.

But oVirt doesn't like that setup. As the authn part always succeeds (Kerberos authentication is done in Apache), when the first authz to be tried fails, everything fails.
AD users are fine, I can log in to the UI with kerberos, AD users are resolved. But when I try with a MIT user (rexecutor in my case), it fails.

I activated debug and got:

2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) [ovirt-engine-extension-aaa-ldap.jar:]
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
       at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
       at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
       at org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
       at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
       at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
       at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
       at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
       at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
       at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
       at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
       at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
       at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
       at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
       at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
       at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
       at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
       at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
       at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
       at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
       at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
       at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
       at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
       at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
       at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

Right after that, I see in the log:
2017-07-04 17:50:25,718+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] External Authentication Failed: Cannot resolve principal 'rexecutor'
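The failure mode in the report comes from combining a header-trusting authn (the Kerberos ticket was already validated by Apache, so every profile's authn accepts every user) with a per-profile authz lookup: the first profile whose authn accepts the user is the only one whose authz is consulted, so an AD-only directory cannot resolve a MIT user and the whole login is rejected before the JDBC profile is ever asked. The following is an added, constructed model of that chain, written for this page; it is not oVirt's extension manager or the gerrit fix, and `Profile`, `loginFirstMatch` and `loginTryEachProfile` are hypothetical names. It contrasts the reported behaviour with the behaviour the reporter expects, and shows that the "try each profile" variant still fails closed when no profile can resolve the principal.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Constructed model of a chain of authn/authz profiles (hypothetical names;
// not oVirt's code). Each profile pairs a header-based authn with its own
// authz directory, as in the reporter's AD/LDAP + MIT/JDBC setup.
public class ProfileChainDemo {

    static final class Profile {
        final String name;
        final Map<String, String> directory; // user -> principal record (constructed data)

        Profile(String name, Map<String, String> directory) {
            this.name = name;
            this.directory = directory;
        }

        // Authn: Apache already validated the Kerberos ticket, so a header-based
        // authn only checks that a remote user was supplied. It therefore accepts
        // every user for every profile in the chain and cannot tell realms apart.
        boolean authenticate(String remoteUser) {
            return remoteUser != null && !remoteUser.isEmpty();
        }

        // Authz: look the user up in this profile's own directory (LDAP, JDBC, ...).
        Optional<String> fetchPrincipalRecord(String user) {
            return Optional.ofNullable(directory.get(user));
        }
    }

    // Reported behaviour: the first profile whose authn accepts the user is the
    // only one consulted; if its authz cannot resolve the principal the login
    // fails, even though a later profile could have resolved it.
    static Optional<String> loginFirstMatch(List<Profile> chain, String remoteUser) {
        for (Profile p : chain) {
            if (p.authenticate(remoteUser)) {
                Optional<String> record = p.fetchPrincipalRecord(remoteUser);
                if (!record.isPresent()) {
                    throw new RuntimeException("Cannot resolve principal '" + remoteUser + "'");
                }
                return Optional.of(p.name + ":" + record.get());
            }
        }
        return Optional.empty();
    }

    // Expected behaviour: an unresolved principal in one profile is a reason to
    // try the next profile, not to abort; the login fails only when no profile
    // in the chain resolves the user.
    static Optional<String> loginTryEachProfile(List<Profile> chain, String remoteUser) {
        List<String> unresolvedIn = new ArrayList<>();
        for (Profile p : chain) {
            if (!p.authenticate(remoteUser)) {
                continue;
            }
            Optional<String> record = p.fetchPrincipalRecord(remoteUser);
            if (record.isPresent()) {
                return Optional.of(p.name + ":" + record.get());
            }
            unresolvedIn.add(p.name);
        }
        // Keep the per-profile detail in the log so the operator can see which
        // authz plugins were asked, not just a single "External Authentication Failed".
        System.err.println("Principal '" + remoteUser + "' not resolved by profiles " + unresolvedIn);
        return Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> adUsers = new HashMap<>();
        adUsers.put("alice", "CN=alice,OU=Users,DC=ad,DC=example");   // constructed
        Map<String, String> mitUsers = new HashMap<>();
        mitUsers.put("rexecutor", "rexecutor@MIT.EXAMPLE");            // constructed

        List<Profile> chain = Arrays.asList(
            new Profile("ad-ldap", adUsers),   // first profile: LDAP authz
            new Profile("mit-jdbc", mitUsers)  // second profile: JDBC authz
        );

        // AD user: both strategies succeed, the first profile resolves it.
        System.out.println("alice (first-match): " + loginFirstMatch(chain, "alice").orElse("FAILED"));

        // MIT user: first-match aborts on the AD profile's authz failure ...
        try {
            System.out.println("rexecutor (first-match): " + loginFirstMatch(chain, "rexecutor").orElse("FAILED"));
        } catch (RuntimeException e) {
            System.out.println("rexecutor (first-match): " + e.getMessage());
        }
        // ... while trying each profile reaches the JDBC authz and succeeds.
        System.out.println("rexecutor (try-each): " + loginTryEachProfile(chain, "rexecutor").orElse("FAILED"));

        // Unknown user: no profile resolves it, so the login is refused in both variants.
        System.out.println("mallory (try-each): " + loginTryEachProfile(chain, "mallory").orElse("FAILED"));
    }
}
```

Compile and run with `javac ProfileChainDemo.java && java ProfileChainDemo`. The design point worth keeping in mind when chaining profiles behind a web-server-side Kerberos authn is that authn success carries no information about which realm the user belongs to, so profile selection necessarily happens at the authz step; any implementation that treats one profile's unresolved principal as terminal will reject every user who lives in a later profile's directory.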
