Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1342192 - Apache SSO Configuration needs to be updated
Summary: Apache SSO Configuration needs to be updated
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ovirt-4.0.4
: ---
Assignee: Tahlia Richardson
QA Contact: Julie
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-02 16:12 UTC by Ravi Nori
Modified: 2016-10-27 06:21 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-27 06:21:27 UTC
oVirt Team: Docs
Target Upstream Version:


Attachments (Terms of Use)
Apache ovirt-engine 4.0 sso.conf (deleted)
2016-06-02 16:12 UTC, Ravi Nori
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1367513 None CLOSED Kerberos negotiation for RESTAPI should be enabled by default to maintain SDK v3 compatibility 2019-04-10 10:29:42 UTC

Internal Links: 1367513

Description Ravi Nori 2016-06-02 16:12:37 UTC
Created attachment 1164122 [details]
Apache ovirt-engine 4.0 sso.conf

Description of problem:

The apache sso configuration needs to be updated in 4.0. The sso configuration is not update during setup as apache configuration is managed by admin.

The location match needs to be updated to

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>

and the ErrorDcument needs to be set to 

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"

The attached document shows the sso configuration for 4.0

Comment 4 Fabrice Bacchella 2016-08-04 15:01:33 UTC
From https://github.com/modauthgssapi/mod_auth_gssapi :

This module has been built as a replacement for the aging mod_auth_kerb. Its aim is to use only GSSAPI calls and be as much as possible agnostic of the actual mechanism used.

And indeed if you you have a look at https://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/

The current version shipped with Centos 7 is 5.4 and it was release in 2008. In the spec log file :
* Thu Dec 11 2008 Joe Orton <jorton@redhat.com> 5.4-2
- update to 5.4

At https://www.ovirt.org/blog/2016/04/sso/, there is an example that uses mod_auth_gssapi.

Comment 5 Ondra Machacek 2016-08-17 06:34:31 UTC
We need to also document how to configure SSO, so /ovirt-engine/api endpoint works with SDKv3 in RHV4:

RestAPI negotiation authentication is disabled by default, application should use the new OAuth2 interface in order to acquire a token. 
This can be re­enabled by engine configuration ENGINE_RESTAPI_NEGO and adding 
|^/ovirt­engine/api to LocationMatch of apache configuration. 
Notice: in most cases this will have negative performance impact due to HTTP renegotiation.

Comment 6 Fabrice Bacchella 2016-08-17 08:58:50 UTC
To sum up all the needed steps that I have to done to migrate:

- use ovirt-engine-rename and use the virtual host I configured in Apache. I didn't really rename the host, just ovirt.

- add

    ENGINE_HTTPS_PKI_TRUST_STORE=".../mypki.jks"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

To allows ovirt engine to trust himself in oauth SSO.

- add

    ENGINE_RESTAPI_NEGO=true

to allows python SDKv3 to still use kerberos for authentication

- protect ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) with CAS to integrate with our SSO. Everything else is left unprotected. 

Now it's working fine, and I hope even better that before, as I had to clean my Apache configuration and remove useless or redondant things.

Thanks every one for the help, even if it was a painful trip.

Comment 7 Martin Perina 2016-08-17 10:58:07 UTC
(In reply to Fabrice Bacchella from comment #6)
> To sum up all the needed steps that I have to done to migrate:
> 
> - add
> 
>     ENGINE_RESTAPI_NEGO=true
> 
> to allows python SDKv3 to still use kerberos for authentication

We have decided to set ENGINE_RESTAPI_NEGO=true by default as a fix for BZ1367513, so users upgrading to 4.0.4+ will not need to do that step.

> 
> - protect
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) with
> CAS to integrate with our SSO. Everything else is left unprotected. 
> 
> Now it's working fine, and I hope even better that before, as I had to clean
> my Apache configuration and remove useless or redondant things.
> 
> Thanks every one for the help, even if it was a painful trip.

Fabrice, I'm glad that your setup is finally working and thanks a lot for your huge effort!!!

Comment 8 Martin Perina 2016-08-24 12:09:53 UTC
(In reply to Ravi Nori from comment #0)
> Created attachment 1164122 [details]
> Apache ovirt-engine 4.0 sso.conf
> 
> Description of problem:
> 
> The apache sso configuration needs to be updated in 4.0. The sso
> configuration is not update during setup as apache configuration is managed
> by admin.
> 
> The location match needs to be updated to
> 
> <LocationMatch
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>
> 
> and the ErrorDcument needs to be set to 
> 
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
> url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> 
> The attached document shows the sso configuration for 4.0


It should be noted that if user still wants to use kerberos SSO for RESTAPI v3 (includding SDKs v3), than LocationMatch has to be set to:

  <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>

If users want to use RESTAPI v4 only, then following LocationMatch is sufficient:

  <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>

Comment 9 Lucy Bopf 2016-09-23 06:59:35 UTC
Assigning to Tahlia for review.

Comment 10 Tahlia Richardson 2016-09-28 00:41:38 UTC
* Replaced 'Example 15.5 Example authentication method file' with the content of the attachment
* Added a note per comment 8

Will request tech/docs review as a group with other bugs for this section.


Note You need to log in before you can comment on or make changes to this bug.