In addition to the list of URLs in the original email:

/ovirt-engine/webadmin/sso/logout
/ovirt-engine/userportal/sso/oauth2-callback
/ovirt-engine/userportal/sso/login
/ovirt-engine/userportal/sso/logout
/ovirt-engine/login
/ovirt-engine/logout
/ovirt-engine/switch-user
/ovirt-engine/error.html
/ovirt-engine/index.html
/ovirt-engine/oauth2-callback
/ovirt-engine/sso/interactive-login
/ovirt-engine/sso/interactive-redirect-to-module
/ovirt-engine/sso/interactive-login-basic
/ovirt-engine/sso/interactive-login-basic-enforce
/ovirt-engine/sso/interactive-login-negotiate
/ovirt-engine/sso/interactive-change-passwd
/ovirt-engine/sso/login-unauthorized
/ovirt-engine/sso/interactive-login-next-auth
/ovirt-engine/sso/oauth/authorize
/ovirt-engine/sso/oauth/token
/ovirt-engine/sso/oauth/token-http-auth/*
/ovirt-engine/sso/oauth/token-info
/ovirt-engine/sso/oauth/revoke
/ovirt-engine/sso/login.html
/ovirt-engine/sso/credentials-change.html

and there is also /ovirt-engine/api and all the resources (hosts, vms, etc.).

On Fri, Aug 12, 2016 at 6:45 AM, Fabrice Bacchella <[email protected]> wrote:
> I'm currently fighting with the new mandatory SSO system introduced in 4.0.
>
> It's also used internally, as ovirt-engine is calling himself, as shown in
> the apache log, to identify himself to himself:
>
> [2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
> [2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"
>
> But the sso will be accessed by humans too:
>
> [2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
>
> I'm using a custom apache configuration, as I need that to better integrate
> ovirt in our running SSO and PKI setup.
>
> So under SSO I wonder which part needs to be protected using our own SSO,
> and what part can be open to any access, and the internal security of ovirt
> will manage it?
>
> In https://bugzilla.redhat.com/show_bug.cgi?id=1342192, it seems for me that
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs
> to be protected. Am I right?
>
> In my log, I've seen access to:
>
> /ovirt-engine/sso/status
> /ovirt-engine/sso/oauth/token-info
> /ovirt-engine/webadmin/sso/oauth2-callback
> /ovirt-engine/webadmin/sso/login
> /ovirt-engine/sso/oauth/token
> /ovirt-engine/sso/oauth/authorize
> /ovirt-engine/sso/interactive-redirect-to-module
> /ovirt-engine/sso/interactive-login-next-auth
> /ovirt-engine/sso/interactive-login-negotiate/ovirt-auth
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
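An added example, not from the thread or the oVirt project, for auditing an Apache log like the one quoted above: it parses lines in that exact layout, marks requests whose path matches the `^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)` pattern cited from the Bugzilla report, separates the engine's own `Java/` calls from browser traffic by user agent (an assumption used as a heuristic), and lists protected-path requests that were served with a 2xx so an administrator can confirm the front SSO was applied to those. The sample log lines other than the three quoted in the thread are constructed, and the `audit` and `parse_line` names are the example's own.

```python
import re
from collections import Counter

# Layout of the quoted Apache log lines (assumed from the thread, not a known LogFormat):
# [timestamp] client "host" "METHOD path PROTO" in_bytes status + out_bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<in_bytes>\S+) (?P<status>\d{3}) \+ (?P<out_bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path pattern the thread cites from the Bugzilla report as needing protection
# by the external SSO placed in front of Apache.
PROTECTED_RE = re.compile(
    r'^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)'
)

# Heuristic (assumption): engine-to-engine calls in the quoted log carry a
# "Java/" user agent, while humans arrive with a browser user agent.
INTERNAL_UA_PREFIX = "Java/"

# Constructed sample log: the three lines quoted in the thread plus three
# constructed lines (one protected path hit by a browser and served 200, one
# protected path hit by the engine itself and rejected 401, one junk line).
SAMPLE_LOG = [
    '[2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"',
    '[2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"',
    '[2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"',
    '[2016-08-12 11:31:02] 192.0.2.10 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-login-negotiate/ovirt-auth?x=1 HTTP/1.1" 1200 200 + 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"',
    '[2016-08-12 11:31:05] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1" 300 401 + 163 "-" "Java/1.8.0_92"',
    'this is not an access log line',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string before matching
    rec["status"] = int(rec["status"])
    rec["protected"] = bool(PROTECTED_RE.match(rec["path"]))
    rec["internal"] = rec["ua"].startswith(INTERNAL_UA_PREFIX)
    return rec


def audit(lines):
    """Count hits per (path, caller kind) and collect protected-path requests served 2xx."""
    summary = {"by_path": Counter(), "protected_hits": 0, "protected_served": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        caller = "internal" if rec["internal"] else "human"
        summary["by_path"][(rec["path"], caller)] += 1
        if rec["protected"]:
            summary["protected_hits"] += 1
            if 200 <= rec["status"] < 300:
                summary["protected_served"].append((rec["ip"], rec["path"], rec["status"]))
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for (path, caller), n in sorted(result["by_path"].items()):
        print(f"{n:3d}  {caller:8s}  {path}")
    print("protected-path requests served 2xx (verify these passed the front SSO):")
    for ip, path, status in result["protected_served"]:
        print(f"  {ip} {path} {status}")
    print(f"unparsed lines: {result['unparsed']}")
```

The per-path counts separate what the engine calls on itself (which must stay reachable to the engine) from what browsers request, which is the split the thread is asking about; the `protected_served` list is the review queue for confirming that the externally protected paths were only answered after the front SSO ran.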

