Re: [ovirt-users] ovirt can't find user

Tue, 04 Jul 2017 09:06:00 -0700 

> Le 1 juil. 2017 à 09:09, Fabrice Bacchella <fabrice.bacche...@orange.fr> a 
> écrit :
> 
> 
>> Le 30 juin 2017 à 23:25, Ondra Machacek <omach...@redhat.com> a écrit :
>> 
>> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
>> <fabrice.bacche...@orange.fr> wrote:
>>> 
>>>> Le 29 juin 2017 à 14:42, Fabrice Bacchella <fabrice.bacche...@orange.fr> a 
>>>> écrit :
>>>> 
>>>> 
>>>>> Le 29 juin 2017 à 13:41, Ondra Machacek <omach...@redhat.com> a écrit :
>>>>> 
>>>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
>>>>> you use kerberos=True?
>>>> 
>>>> Ok, got it.
>>>> It's tested with the sdk, using kerberos. But Kerberos authentication is 
>>>> done in Apache and I configure a profile for that, so I needed to add: 
>>>> config.artifact.arg = X-Remote-User in my 
>>>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is 
>>>> missing from internal-authn.properties. So rexecutor@internal  is checked 
>>>> with my profil, and not found. But as the internal profil don't know about 
>>>> X-Remote-User, it can't check the user and fails silently. That's why I'm 
>>>> getting only one line. Perhaps the log line should have said the 
>>>> extensions name that was failing, not the generic "External 
>>>> Authentication" that did'nt caught my eye.
>>>> 
>>>> I will check that as soon as I have a few minutes to spare and tell you.
>>> 
>>> I'm starting to understand. I need two authn modules, both using 
>>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a 
>>> different authz.plugin. Is that possible ? If I do what, in what order the 
>>> different Authn will be tried ? Are they all tried until one succeed  both 
>>> authn and authz ?
>>> 
>> 
>> Yes you can have multiple authn profiles and it tries to login until
>> one succeed:
>> 
>> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
>> 
>> The order isn't guaranteed, but I think it's not important, or is it for you?
> 
> I'm not sure. As I need two 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication 
> will always succeed. It's the auhtz that fails as user as either in one 
> backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) 
> calls the authz part I will be fine.
> 

I think it's not possible to have 2 
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.

The first authz ldap based backend is tried and return:
2017-07-04 17:50:25,711+02 DEBUG 
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] 
Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
        at 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579)
 [ovirt-engine-extension-aaa-ldap.jar:]
        at 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478)
 [ovirt-engine-extension-aaa-ldap.jar:]
        at 
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
        at 
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
        at 
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
        at 
org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
        at 
org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
        at 
org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
        at 
org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
        at 
org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at 
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at 
org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
        at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at 
org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
        at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at 
org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
        at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at 
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at 
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
        at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at 
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
        at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at 
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at 
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at 
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at 
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at 
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at 
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at 
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at 
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
[rt.jar:1.8.0_121]
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
[rt.jar:1.8.0_121]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

Right after that, I see in the log:
2017-07-04 17:50:25,718+02 ERROR 
[org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] 
External Authentication Failed: Cannot resolve principal 'rexecutor'

and I don't see in the stack the modules you show me in 
org.ovirt.engine.core.aaa.filters.doAuth, I think the failure happens latter 
and ovirt won't manage to handle other authn modules.



_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to