I'm currently fighting with the new mandatory SSO system introduced in 4.0.

It's also used internally as ovirt-engine is calling himself, as shown in the 
apache log, to identity himself to himself:

[2016-08-12 11:30:24] "ovirt.prod.exalead.com" "POST 
/ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
[2016-08-12 10:55:49] "ovirt.prod.exalead.com" "POST 
/ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"

But the sso will be acceded by human too:

[2016-08-12 11:29:27] "ovirt.prod.exalead.com" "GET 
/ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - 
"https://ovirt.prod.exalead.com/ovirt-engine/"; "Mozilla/5.0 (Macintosh; Intel 
Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"

I'm using a custom apache configuration, as I need that to better integrate 
ovirt in our running SSO and PKI setup.

So under SSO I wonder which part needs to be protected using our own SSO, and 
what part can be open to any access, and the internal security of ovirt will 
manage it ?

In https://bugzilla.redhat.com/show_bug.cgi?id=1342192, it seems for me that 
^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs to 
be protected. Am i right ?

In my log, I've seen access to:

Users mailing list

Reply via email to