Bug 1649706 - [RFE] AD integrated authentication for Satellite and VMware compute resource.
Summary: [RFE] AD integrated authentication for Satellite and VMware compute resource.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Compute Resources - VMWare
Version: 6.4.0
Hardware: All
OS: Linux
unspecified
low vote
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-14 09:42 UTC by Varatharaja Perumal G
Modified: 2019-08-12 19:29 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-29 14:55:30 UTC
Target Upstream Version:



Description Varatharaja Perumal G 2018-11-14 09:42:30 UTC
1. Proposed title of this feature request

AD integrated authentication for Satellite and VMware compute resource.

2. What is the nature and description of the request?

IHAC who wants Satellite to use an AD-authenticated user for the VMware compute resource.

In the current scenario the customer uses a service account to configure VMware compute resources. Instead of this, the customer wants the AD authentication to be passed with the compute resource.

Each user's LDAP account has (very slightly) different permissions on VMware, so we would want to allow the users to keep their permissions. The customer also has LDAP set up on our Red Hat Satellite, so the feature he wants to add is that when we log into Satellite with LDAP credentials, it should pass those along to his VMware compute resource profile so that he can retain the permissions and so that there is an audit trail on both the Satellite side and the VMware side.


3. Why does the customer need this? (List the business requirements here)

By enabling this feature, the customer can audit the activities from Satellite and VMware.

4. How would the customer like to achieve this? (List the functional requirements here)

By enabling AD authentication for Compute resources.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

NA

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

ASAP

8. Is the sales team involved in this request and do they have any additional input?

No

9. List any affected packages or components.

10. Would the customer be able to assist in testing this functionality if implemented?

Yes

Comment 1 Marek Hulan 2018-11-14 13:00:00 UTC
For the authentication, today all compute resources use password-based authentication. So for users, we'd need to know and store their AD passwords. This is clearly a no-go option. So we'd need to start supporting SSO somehow. Looking at fog-vsphere, the underlying library we use, it only supports password-based authentication.

To set the right expectations, this feature would be very complicated to implement because of the above. I also see various other complications, e.g. from the user perspective, two users can have permissions on a Satellite host resource but only one of them would have the required permissions on the VM running in VMware. The system would behave unexpectedly if one or the other decides to delete the host in Satellite.

Dana, any thoughts from PM side? Do we want to go this direction at some point and what would be your prioritization guidance? I'm leaning towards closing as wontfix for now.

Comment 2 Dana Singleterry 2018-11-26 17:02:52 UTC
(In reply to Marek Hulan from comment #1)
> For the authentication, today all compute resources use password-based
> authentication. So for users, we'd need to know and store their AD
> passwords. This is clearly a no-go option. So we'd need to start supporting
> SSO somehow. Looking at fog-vsphere, the underlying library we use, it only
> supports password-based authentication.
> 
> To set the right expectations, this feature would be very complicated to
> implement because of the above. I also see various other complications, e.g.
> from the user perspective, two users can have permissions on a Satellite host
> resource but only one of them would have the required permissions on the VM
> running in VMware. The system would behave unexpectedly if one or the other
> decides to delete the host in Satellite.
> 
> Dana, any thoughts from PM side? Do we want to go this direction at some
> point and what would be your prioritization guidance? I'm leaning towards
> closing as wontfix for now.

Ack on your response, Marek, and agree on BK's FutureFeature thoughts. I say won't fix for now.

Comment 3 Chris Roberts 2018-11-29 14:55:30 UTC
Closing based on Dana's and Marek's comments.

