Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 570191 - PRD35 - [RFE] [AAA] support Kerberos authentication (for REST API)
Summary: PRD35 - [RFE] [AAA] support Kerberos authentication (for REST API)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 2.3.0
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
: 3.5.0
Assignee: Alon Bar-Lev
QA Contact: Ondra Machacek
URL: x
Whiteboard: infra
Depends On:
Blocks: Simon-RFE-Tracker 1113937 1121493 rhev3.5beta 1156165
TreeView+ depends on / blocked
 
Reported: 2010-03-03 15:19 UTC by Mark McLoughlin
Modified: 2016-02-10 19:44 UTC (History)
22 users (show)

Fixed In Version: vt1.3
Doc Type: Technology Preview
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 17:49:13 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker PLFED-261 Major Open Continuation Required exception using SPNEGO 2017-05-26 21:14:51 UTC
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC

Description Mark McLoughlin 2010-03-03 15:19:49 UTC
The AutoLogin command allows users on the same machine as the RHEV-M backend to avoid re-authenticating because RHEV-M can use the ServiceSecurityContext::WindowsIdentity property to check the calling user's identity.

No similar API exists in Java/JBoss, so this functionality has been disabled.

This thread on the mailing list discusses the need for the functionality and some ideas for how it might be implemented:

  http://post-office.corp.redhat.com/archives/rhev-x/2010-March/thread.html#00022

Comment 1 Itamar Heim 2010-03-24 20:13:08 UTC
Two issues here:
1. CLI (and maybe SDK) need to support implicit, persistent login in case of session failure[1].
2. CLI (and maybe SDK) need to support kerberos authentication for currently logged in windows/linux user

[1] pay attention the current implementation in 2.2 windows powershell is actually not correct. consider the following use case:
a. user is logged in to windows with domain\xxx
b. user opens powershell and runs a script which will login-user domain\yyy.
c. after several commands the session breaks, and implicit auto authentication will re-authenticate the user, but with the windows logged in user of domain\xxx, rather than the last user the user logged in with.

fixing #1 is relatively easy, since all we need to do is keep the login-user parameters and re-use them on session failure.
fixing #2 actually requires kerberos support from windows-->jboss-->AD (and later for linux-->jboss>AD/RHDS

Comment 2 Itamar Heim 2010-12-13 17:09:16 UTC
this is basically "support kerberos authentication" by backend

Comment 3 Itamar Heim 2012-03-06 19:33:34 UTC
*** Bug 746706 has been marked as a duplicate of this bug. ***

Comment 4 Itamar Heim 2012-12-06 19:46:28 UTC
related to bug 884653

Comment 5 Alon Bar-Lev 2013-08-31 06:38:57 UTC
Relates to: bug#958874

Comment 6 Alon Bar-Lev 2013-08-31 06:41:48 UTC
Relates to: bug#958861

Comment 7 Juan Hernández 2014-06-16 13:40:35 UTC
Authentication is now external to the RESTAPI.

Comment 8 Alon Bar-Lev 2014-06-22 17:30:22 UTC
Working with mod_auth_kerb, implies that kerberos is enforced, no other method is enabled.

Comment 13 errata-xmlrpc 2015-02-11 17:49:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html


Note You need to log in before you can comment on or make changes to this bug.