Re: [ovirt-users] ovirt can't find user

2017-07-09 Thread Fabrice Bacchella
Done in: https://bugzilla.redhat.com/show_bug.cgi?id=1468878.

> On 7 Jul 2017 at 13:51, Ondra Machacek wrote:

Re: [ovirt-users] ovirt can't find user

2017-07-07 Thread Fabrice Bacchella
Ok.

> On 7 Jul 2017 at 13:51, Ondra Machacek wrote:

Re: [ovirt-users] ovirt can't find user

2017-07-07 Thread Ondra Machacek
On Tue, Jul 4, 2017 at 6:05 PM, Fabrice Bacchella
 wrote:
> I think it's not possible to have 2 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.
>

Re: [ovirt-users] ovirt can't find user

2017-07-04 Thread Fabrice Bacchella

> On 1 Jul 2017 at 09:09, Fabrice Bacchella wrote:
> 
> I'm not sure. As I need two 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication 
> will always succeed. It's the auhtz that fails as user as either in one 
> backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) 
> calls the authz part I will be fine.
> 

I think it's not possible to have 2 
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.

The first authz ldap based backend is tried and returns:
2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
	at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
	at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) [ovirt-engine-extension-aaa-ldap.jar:]
	at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
	at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
	at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
	at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
	at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
	at org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
	at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
	at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at 
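
The SSO error line quoted in this thread names only the generic NegotiateAuthUtils logger, while the extension that actually rejected the principal logs its own DEBUG line on the same request thread. The script below is an added example (not code from the thread or from oVirt) that does that correlation over engine.log: for every "Cannot resolve principal" error it reports user, profile and, when an extension-side DEBUG line precedes it on the same thread, the authz extension class. The sample log lines are constructed after the two formats quoted above, and the 10-second correlation window is an assumption.

```python
"""Correlate oVirt engine.log 'Cannot resolve principal' SSO errors with the
authz extension that raised them.  Added example, not oVirt code; the sample
log below is constructed after the line formats quoted in this thread."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample.  Thread "default task-2" has the extension's own DEBUG
# line (plus one stack-trace continuation line) before the SSO error; the
# other two threads have only the generic SSO error.
SAMPLE_LOG = """\
2017-06-28 17:17:09,404+02 DEBUG [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-7) [] Performing external authentication
2017-06-28 17:17:09,410+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-7) [] External Authentication Failed: Cannot resolve principal 'rexecutor@internal'
2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
\tat org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
2017-07-04 17:50:25,713+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] External Authentication Failed: Cannot resolve principal 'rexecutor@internal'
2017-07-04 17:51:00,100+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-9) [] External Authentication Failed: Cannot resolve principal 'alice@corp-ldap'
"""

# "<timestamp><tz> <LEVEL> [<logger>] (<thread>) [<correlation-id>] <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})[+-]\d{2}\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+"
    r"\[[^\]]*\]\s+(?P<msg>.*)$"
)
PRINCIPAL_RE = re.compile(r"Cannot resolve principal '(?P<principal>[^']+)'")
SSO_LOGGER = "org.ovirt.engine.core.sso.utils.NegotiateAuthUtils"
# Assumption: worker threads are pooled and reused, so an extension-side line
# is only trusted as the cause if it is close in time to the SSO error.
WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Return the fields of one engine.log record, or None for continuation
    lines such as stack-trace frames (they carry no header)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def attribute_failures(log_text):
    """For each SSO 'Cannot resolve principal' error, return user, profile and
    the authz extension class that logged the failure on the same thread
    shortly before (None when no extension-side line was found, which is
    what you see when DEBUG is not enabled for the extension)."""
    last_ext = {}  # thread -> (timestamp, logger) of the latest extension-side failure
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pm = PRINCIPAL_RE.search(rec["msg"])
        if pm is None:
            continue
        if rec["logger"] != SSO_LOGGER:
            # The extension itself reported the failure: remember who it was.
            last_ext[rec["thread"]] = (rec["ts"], rec["logger"])
            continue
        principal = pm.group("principal")
        user, sep, profile = principal.rpartition("@")
        if not sep:  # bare principal without a profile suffix
            user, profile = principal, ""
        ext = None
        prev = last_ext.get(rec["thread"])
        if prev is not None and rec["ts"] - prev[0] <= WINDOW:
            ext = prev[1]
        results.append({"thread": rec["thread"], "user": user,
                        "profile": profile, "authz_extension": ext})
    return results


def summarize(results):
    """Count failures per (profile, extension) so a recurring mismatch between
    the profile a principal carries and the backend that rejects it stands out."""
    return Counter((r["profile"], r["authz_extension"]) for r in results)


if __name__ == "__main__":
    found = attribute_failures(SAMPLE_LOG)
    for r in found:
        print(r)
    print(summarize(found))
```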

Re: [ovirt-users] ovirt can't find user

2017-07-01 Thread Fabrice Bacchella

> On 30 Jun 2017 at 23:25, Ondra Machacek wrote:
> 
> Yes you can have multiple authn profiles and it tries to login until
> one succeed:
> 
> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
> 
> The order isn't guaranteed, but I think it's not important, or is it for you?

I'm not sure. As I need two 
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication 
will always succeed. It's the authz that fails, as the user is in either one 
backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) calls 
the authz part I will be fine.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ovirt can't find user

2017-06-30 Thread Ondra Machacek
On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
 wrote:
> I'm starting to understand. I need two authn modules, both using 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different 
> authz.plugin. Is that possible ? If I do what, in what order the different 
> Authn will be tried ? Are they all tried until one succeed  both authn and 
> authz ?
>

Yes you can have multiple authn profiles and it tries to login until
one succeeds:

https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125

The order isn't guaranteed, but I think it's not important, or is it for you?


Re: [ovirt-users] ovirt can't find user

2017-06-29 Thread Fabrice Bacchella

> On 29 Jun 2017 at 14:42, Fabrice Bacchella wrote:

I'm starting to understand. I need two authn modules, both using 
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different 
authz.plugin. Is that possible? If I do that, in what order will the different 
Authn be tried? Are they all tried until one succeeds in both authn and 
authz?



Re: [ovirt-users] ovirt can't find user

2017-06-29 Thread Fabrice Bacchella

> On 29 Jun 2017 at 13:41, Ondra Machacek wrote:
> 
> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
> you use kerberos=True?

Ok, got it.
It's tested with the SDK, using Kerberos. But Kerberos authentication is done 
in Apache and I configure a profile for that, so I needed to add: 
config.artifact.arg = X-Remote-User in my 
/etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is missing 
from internal-authn.properties. So rexecutor@internal is checked with my 
profile, and not found. But as the internal profile doesn't know about 
X-Remote-User, it can't check the user and fails silently. That's why I'm 
getting only one line. Perhaps the log line should have said the name of the 
extension that was failing, not the generic "External Authentication" that 
didn't catch my eye.

I will check that as soon as I have a few minutes to spare and tell you.




Re: [ovirt-users] ovirt can't find user

2017-06-29 Thread Ondra Machacek
How do you login? Do you use webadmin or API/SDK, if using SDK, don't
you use kerberos=True?

On Wed, Jun 28, 2017 at 5:21 PM, Fabrice Bacchella
 wrote:

[ovirt-users] ovirt can't find user

2017-06-28 Thread Fabrice Bacchella
I tried to add a user in ovirt, but it's not identified:
2017-06-28 16:48:48,505+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-22) [] External Authentication Failed: Cannot resolve principal 'rexecutor@internal'


/usr/bin/ovirt-aaa-jdbc-tool user  show rexecutor
-- User rexecutor(b1727291-5ad4-4575-b8ec-53bdc9ce4aef) --
Namespace: *
Name: rexecutor
ID: b1727291-5ad4-4575-b8ec-53bdc9ce4aef
Display Name: 
Email: 
First Name: 
Last Name: 
Department: 
Title: 
Description: 
Account Disabled: false
Account Locked: false
Account Unlocked At: 2017-06-16 13:49:31Z
Account Valid From: 2017-06-15 16:41:14Z
Account Valid To: 2217-06-15 16:41:14Z
Account Without Password: true
Last successful Login At: 1970-01-01 00:00:00Z
Last unsuccessful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2025-08-15 10:30:00Z

It's listed as a known user (the API's XML user record; its element tags were 
lost in extraction, and only these values survive):
  user id: 49a12b6e-de03-4095-b6ed-2c1883f5542e
  domain entry id: 62313732373239312D356164342D343537352D623865632D353362646339636534616566 
  (the hex encoding of b1727291-5ad4-4575-b8ec-53bdc9ce4aef, the ID shown above)
  namespace: *
  name: rexecutor
  rexecutor@internal-authz
  domain: internal-authz (id 696E7465726E616C2D617574687A)
  links: /ovirt-engine/api/users/49a12b6e-de03-4095-b6ed-2c1883f5542e/permissions, 
  .../roles, .../sshpublickeys, .../tags

My admin domain authentication looks OK:
config.datasource.jdbcurl=jdbc:postgresql://pgdb:5432/ovirt_engine?sslfactory=org.postgresql.ssl.NonValidatingFactory
config.datasource.dbuser=ovirt
config.datasource.dbpassword=XXX
config.datasource.jdbcdriver=org.postgresql.Driver
config.datasource.schemaname=aaa_jdbc

I tried to increase the org.ovirt.engine.core.sso.utils debug log level by 
modifying /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

diff ovirt-engine.xml.in*
201,204d200
<   
< 
<   
< 

I just got this in the log:
2017-06-28 17:17:09,404+02 DEBUG [org.ovirt.engine.core.sso.utils.NonInteractiveAuth] (default task-7) [] Performing Negotiate Auth
2017-06-28 17:17:09,404+02 DEBUG [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-7) [] Performing external authentication
2017-06-28 17:17:09,410+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-7) [] External Authentication Failed: Cannot resolve principal 'rexecutor@internal'
2017-06-28 17:17:09,410+02 DEBUG [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-7) [] External Authentication Failed: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException