Bug 962438 - Support LDAP users for authenticating in the rest-api
Support LDAP users for authenticating in the rest-api
Status: CLOSED CURRENTRELEASE
Product: JBoss Operations Network
Classification: JBoss
Component: REST (Show other bugs)
JON 3.1.2
Unspecified Unspecified
urgent Severity unspecified
: ER01
: JON 3.2.0
Assigned To: Heiko W. Rupp
:
Depends On: 961656
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-13 09:47 EDT by Heiko W. Rupp
Modified: 2014-01-02 15:39 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 961656
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Heiko W. Rupp 2013-05-13 09:47:51 EDT
+++ This bug was initially created as a clone of Bug #961656 +++

The authentication in the REST api currently only supports local users, but no LDAP users.

We need to fix that.

--- Additional comment from Heiko W. Rupp on 2013-05-13 05:37:30 EDT ---

The simplest way to support LDAP would be to switch to the "RHQUserSecurityDomain", which fails as RHQ is removing / re-adding the domain on each start. 
EAP sees this and complains that the removal would leave the rhq-rest.war in an illegal state (with a referenced but not provided security-domain) -- see below

I currently see three possible options:
1) add the logic to add/remove LDAP support to the RHQRESTSecurityDomain
2) Fix the RHQUserSecurityDomain setup in the CustomJaasDeploymentService to
not touch the security-domain on each restart and to only add/remove the LDAP module when requested (and perhaps change flags on the other modules.
3) Check if the remove/re-add can be done in Transaction (A EAP-composite operation), so that other services only see the end result. 



11:26:28,758 INFO  [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Security domain [RHQUserSecurityDomain] already exists, it will be replaced.
11:26:28,804 INFO  [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018224: Unregister web context: /rest
11:26:28,806 INFO  [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) -- Filter destroy: 0 requests processed (hashCode=226618607).
11:26:28,813 INFO  [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018210: Register web context: /rest
11:26:28,820 INFO  [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) Initialized response-time filter for webapp with context root 'rest'.
11:26:28,823 ERROR [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Error deploying JAAS login modules: java.lang.Exception: Error registering RHQ JAAS modules
	at org.rhq.enterprise.server.core.CustomJaasDeploymentService.registerJaasModules(CustomJaasDeploymentService.java:176) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
	at org.rhq.enterprise.server.core.CustomJaasDeploymentService.installJaasModules(CustomJaasDeploymentService.java:76) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
Caused by: org.rhq.common.jbossas.client.controller.FailureException: Failed to remove security domain [RHQUserSecurityDomain]: JBAS014762: Removing services has lead to unsatisfied dependencies:
Service jboss.security.security-domain.RHQUserSecurityDomain was depended upon by service jboss.web.deployment.default-host./rest.realm
	at org.rhq.common.jbossas.client.controller.SecurityDomainJBossASClient.removeSecurityDomain(SecurityDomainJBossASClient.java:256)

--- Additional comment from Heiko W. Rupp on 2013-05-13 07:07:57 EDT ---

I think doing option 2) got just easier with the use of EAP6.1, as this now allows to individually address login modules:

[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.

org.rhq.enterprise.server.core.jaas.JDBCLoginModule                 org.rhq.enterprise.server.core.jaas.JDBCPrincipalCheckLoginModule
org.rhq.enterprise.server.core.jaas.LdapLoginModule
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:

add                          read-attribute               read-children-names          read-children-resources
read-children-types          read-operation-description   read-operation-names         read-resource
read-resource-description    remove                       undefine-attribute           whoami
write-attribute
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:
Comment 1 Charles Crouch 2013-05-14 11:48:47 EDT
The REST api needs to authenticate users in exactly the same manner as CLI/UI
Comment 8 Heiko W. Rupp 2013-05-17 08:29:13 EDT
( as written in the linked BZ : master ba97ade9666a )
Comment 9 Mike Foley 2013-09-13 18:16:05 EDT
QE has automation running nightly with LDAP authentication and REST API.  This is working.

Note You need to log in before you can comment on or make changes to this bug.