Re: [ovirt-users] RESTAPI and kerberos authentication
Hi, I've managed to get it work. What I've done is to first run "engine-manage-domains delete" to remove the domain and add it again using the new aaa extension tool "ovirt-engine-extension-aaa-ldap-setup". It's not a good idea to mix these two methods, I guess. Restart the engine after each change. To get rid of the double authentication for the webadmin portal I changed in /etc/httpd/conf.d/ovirt-sso.conf "" to "" So Kerberos SSO will be used for the API only. Furthermore I've given the user the role "superuser". Best regards Marcel On 14.04.2016 11:44, Marcel Galke wrote: > Hi, > > I'm using curl and I followed steps in [1] and double checked the > permissions. > I've tested API access vs. webadmin access (see below). > > $ curl -v --negotiate -X GET -H "Accept: application/xml" -k > https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE > # Result: HTTP 401 > $ kinit > $ curl -v --negotiate -X GET -H "Accept: application/xml" -k > https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE # Result: > HTTP 200 > $ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k > https://server8.funfurt.de/api/vms # Result: HTTP 401 > > Therfore I believe httpd config is fine. > For engine.log and and properties file see attachment. > I've also attached console output from curl. > > Thanks and regards > Marcel > > On 14.04.2016 08:11, Ondra Machacek wrote: >> On 04/14/2016 08:06 AM, Ondra Machacek wrote: >>> On 04/13/2016 10:43 PM, Marcel Galke wrote: Hello, I need to automatically create a list of all the VMs and the storage path to their disks in the data center for offline storage for desaster recovery. We have oVirt 3.6 and IPA 4.2.0. To achieve this my idea was to query the API using Kerberos authentication and a keytab. This could then run as cronjob. Using username and password is not an option. To configure oVirt for use with IPA I've run engine-manage-domains but the result is not exactly what I'm looking for (despite from the fact, that I can add direcotry users etc.). Next I tried the generic LDAP provider as per documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html >>> >>> Just to be sure did you followed these steps[1]? >>> If yes and it don't work, it would be nice if you can share a properties >>> files you have and engine.log(the part when engine starts). Please also >>> ensure twice you have correct permissions on properties files, keytab >>> and apache confiig. >>> >>> Also ensure your browser is correctly setup. Example for firefox[2]. >> >> Sorry, I've just realized you use API. >> So do you use SDKs or curl? Make sure you use kerberos properly in both >> cases. >> For cur its: curl --negotiate >> For SDKs[1], there is a parameter 'kerberos=true' in creation of api >> object. >> >> [1] >> http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/ >> >> >>> >>> It don't work only for API or for UserPortal and Webadmin as well? Or >>> you set it up only for API? >>> >>> [1] >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal >>> >>> >>> [2] >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html >>> >>> >>> It was quite easy to get Apache to authenticate against IPA, but I did not manage to access the API. Each try ended with an "HTTP/1.1 401 Unauthorized". At the moment Apache authentication appears first and then the RESTAPI auth dialog comes up. Some facts about my setup: oVirt Host: -OS: CentOS 6.7 -Engine Version: 3.6 IPA Host: -OS: CentOS 7.2 -IPA Version: 4.2.0 I might mix some things up. Please help me to find out how to achieve my goal. I can provide more information if required. Thanks a lot! Best regards Marcel ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users >>> ___ >>> Users mailing list >>> Users@ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users > > > > ___ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] RESTAPI and kerberos authentication
The issue is most probably that your user don't have permissions to login/see vms in oVirt. Just login as admin@internal to webadmin and assign user 'aaa' some permissions. Here[1] is example how to work with virtual machine permissions. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Virtual_Machines_and_Permissions.html On 04/14/2016 11:44 AM, Marcel Galke wrote: Hi, I'm using curl and I followed steps in [1] and double checked the permissions. I've tested API access vs. webadmin access (see below). $ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE # Result: HTTP 401 $ kinit $ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE # Result: HTTP 200 $ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/api/vms # Result: HTTP 401 Therfore I believe httpd config is fine. For engine.log and and properties file see attachment. I've also attached console output from curl. Thanks and regards Marcel On 14.04.2016 08:11, Ondra Machacek wrote: On 04/14/2016 08:06 AM, Ondra Machacek wrote: On 04/13/2016 10:43 PM, Marcel Galke wrote: Hello, I need to automatically create a list of all the VMs and the storage path to their disks in the data center for offline storage for desaster recovery. We have oVirt 3.6 and IPA 4.2.0. To achieve this my idea was to query the API using Kerberos authentication and a keytab. This could then run as cronjob. Using username and password is not an option. To configure oVirt for use with IPA I've run engine-manage-domains but the result is not exactly what I'm looking for (despite from the fact, that I can add direcotry users etc.). Next I tried the generic LDAP provider as per documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html Just to be sure did you followed these steps[1]? If yes and it don't work, it would be nice if you can share a properties files you have and engine.log(the part when engine starts). Please also ensure twice you have correct permissions on properties files, keytab and apache confiig. Also ensure your browser is correctly setup. Example for firefox[2]. Sorry, I've just realized you use API. So do you use SDKs or curl? Make sure you use kerberos properly in both cases. For cur its: curl --negotiate For SDKs[1], there is a parameter 'kerberos=true' in creation of api object. [1] http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/ It don't work only for API or for UserPortal and Webadmin as well? Or you set it up only for API? [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html It was quite easy to get Apache to authenticate against IPA, but I did not manage to access the API. Each try ended with an "HTTP/1.1 401 Unauthorized". At the moment Apache authentication appears first and then the RESTAPI auth dialog comes up. Some facts about my setup: oVirt Host: -OS: CentOS 6.7 -Engine Version: 3.6 IPA Host: -OS: CentOS 7.2 -IPA Version: 4.2.0 I might mix some things up. Please help me to find out how to achieve my goal. I can provide more information if required. Thanks a lot! Best regards Marcel ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] RESTAPI and kerberos authentication
Hi,
I'm using curl and I followed steps in [1] and double checked the
permissions.
I've tested API access vs. webadmin access (see below).
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k
https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
# Result: HTTP 401
$ kinit
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k
https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE # Result:
HTTP 200
$ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k
https://server8.funfurt.de/api/vms # Result: HTTP 401
Therfore I believe httpd config is fine.
For engine.log and and properties file see attachment.
I've also attached console output from curl.
Thanks and regards
Marcel
On 14.04.2016 08:11, Ondra Machacek wrote:
> On 04/14/2016 08:06 AM, Ondra Machacek wrote:
>> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>>> Hello,
>>>
>>> I need to automatically create a list of all the VMs and the storage
>>> path to their disks in the data center for offline storage for desaster
>>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>>> To achieve this my idea was to query the API using Kerberos
>>> authentication and a keytab. This could then run as cronjob.
>>> Using username and password is not an option.
>>>
>>> To configure oVirt for use with IPA I've run engine-manage-domains but
>>> the result is not exactly what I'm looking for (despite from the fact,
>>> that I can add direcotry users etc.).
>>> Next I tried the generic LDAP provider as per documentation
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>>>
>>>
>>
>> Just to be sure did you followed these steps[1]?
>> If yes and it don't work, it would be nice if you can share a properties
>> files you have and engine.log(the part when engine starts). Please also
>> ensure twice you have correct permissions on properties files, keytab
>> and apache confiig.
>>
>> Also ensure your browser is correctly setup. Example for firefox[2].
>
> Sorry, I've just realized you use API.
> So do you use SDKs or curl? Make sure you use kerberos properly in both
> cases.
> For cur its: curl --negotiate
> For SDKs[1], there is a parameter 'kerberos=true' in creation of api
> object.
>
> [1]
> http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/
>
>
>>
>> It don't work only for API or for UserPortal and Webadmin as well? Or
>> you set it up only for API?
>>
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
>>
>>
>> [2]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
>>
>>
>>
>>>
>>> It was quite easy to get Apache to authenticate against IPA, but I did
>>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>>> Unauthorized".
>>> At the moment Apache authentication appears first and then the RESTAPI
>>> auth dialog comes up.
>>> Some facts about my setup:
>>> oVirt Host:
>>> -OS: CentOS 6.7
>>> -Engine Version: 3.6
>>> IPA Host:
>>> -OS: CentOS 7.2
>>> -IPA Version: 4.2.0
>>>
>>>
>>> I might mix some things up. Please help me to find out how to achieve my
>>> goal. I can provide more information if required.
>>>
>>> Thanks a lot!
>>>
>>>
>>> Best regards
>>> Marcel
>>> ___
>>> Users mailing list
>>> Users@ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
2016-04-14 11:29:05,113 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) [] Connecting to /192.168.100.106
2016-04-14 11:29:08,114 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) [] Connecting to /192.168.100.106
2016-04-14 11:29:08,130 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.ListVDSCommand] (DefaultQuartzScheduler_Worker-91) [] Command 'ListVDSCommand(HostName = server6, VdsIdAndVdsVDSCommandParametersBase:{runAsync='true', hostId='35241a8e-495f-4225-9cbd-07ebc216a8f4', vds='Host[server6,35241a8e-495f-4225-9cbd-07ebc216a8f4]'})' execution failed: org.ovirt.vdsm.jsonrpc.client.ClientConnectionException: Connection failed
2016-04-14 11:29:08,130 INFO [org.ovirt.engine.core.vdsbroker.PollVmStatsRefresher] (DefaultQuartzScheduler_Worker-91) [] Failed to fetch vms info for host 'server6' - skipping VMs monitoring.
2016-04-14 11:29:10,627 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-15) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User a...@funfurt.de@profile1-http failed to log in.
2016-04-14 11:29:10,627 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default
Re: [ovirt-users] RESTAPI and kerberos authentication
On 04/13/2016 10:43 PM, Marcel Galke wrote: Hello, I need to automatically create a list of all the VMs and the storage path to their disks in the data center for offline storage for desaster recovery. We have oVirt 3.6 and IPA 4.2.0. To achieve this my idea was to query the API using Kerberos authentication and a keytab. This could then run as cronjob. Using username and password is not an option. To configure oVirt for use with IPA I've run engine-manage-domains but the result is not exactly what I'm looking for (despite from the fact, that I can add direcotry users etc.). Next I tried the generic LDAP provider as per documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html Just to be sure did you followed these steps[1]? If yes and it don't work, it would be nice if you can share a properties files you have and engine.log(the part when engine starts). Please also ensure twice you have correct permissions on properties files, keytab and apache confiig. Also ensure your browser is correctly setup. Example for firefox[2]. It don't work only for API or for UserPortal and Webadmin as well? Or you set it up only for API? [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html It was quite easy to get Apache to authenticate against IPA, but I did not manage to access the API. Each try ended with an "HTTP/1.1 401 Unauthorized". At the moment Apache authentication appears first and then the RESTAPI auth dialog comes up. Some facts about my setup: oVirt Host: -OS: CentOS 6.7 -Engine Version: 3.6 IPA Host: -OS: CentOS 7.2 -IPA Version: 4.2.0 I might mix some things up. Please help me to find out how to achieve my goal. I can provide more information if required. Thanks a lot! Best regards Marcel ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] RESTAPI and kerberos authentication
Hello, I need to automatically create a list of all the VMs and the storage path to their disks in the data center for offline storage for desaster recovery. We have oVirt 3.6 and IPA 4.2.0. To achieve this my idea was to query the API using Kerberos authentication and a keytab. This could then run as cronjob. Using username and password is not an option. To configure oVirt for use with IPA I've run engine-manage-domains but the result is not exactly what I'm looking for (despite from the fact, that I can add direcotry users etc.). Next I tried the generic LDAP provider as per documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html It was quite easy to get Apache to authenticate against IPA, but I did not manage to access the API. Each try ended with an "HTTP/1.1 401 Unauthorized". At the moment Apache authentication appears first and then the RESTAPI auth dialog comes up. Some facts about my setup: oVirt Host: -OS: CentOS 6.7 -Engine Version: 3.6 IPA Host: -OS: CentOS 7.2 -IPA Version: 4.2.0 I might mix some things up. Please help me to find out how to achieve my goal. I can provide more information if required. Thanks a lot! Best regards Marcel ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
