On Tue, Jul 4, 2017 at 6:05 PM, Fabrice Bacchella
<fabrice.bacche...@orange.fr> wrote:
>
>> Le 1 juil. 2017 à 09:09, Fabrice Bacchella <fabrice.bacche...@orange.fr> a 
>> écrit :
>>
>>
>>> Le 30 juin 2017 à 23:25, Ondra Machacek <omach...@redhat.com> a écrit :
>>>
>>> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
>>> <fabrice.bacche...@orange.fr> wrote:
>>>>
>>>>> Le 29 juin 2017 à 14:42, Fabrice Bacchella <fabrice.bacche...@orange.fr> 
>>>>> a écrit :
>>>>>
>>>>>
>>>>>> Le 29 juin 2017 à 13:41, Ondra Machacek <omach...@redhat.com> a écrit :
>>>>>>
>>>>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
>>>>>> you use kerberos=True?
>>>>>
>>>>> Ok, got it.
>>>>> It's tested with the sdk, using kerberos. But Kerberos authentication is 
>>>>> done in Apache and I configure a profile for that, so I needed to add: 
>>>>> config.artifact.arg = X-Remote-User in my 
>>>>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is 
>>>>> missing from internal-authn.properties. So rexecutor@internal  is checked 
>>>>> with my profil, and not found. But as the internal profil don't know 
>>>>> about X-Remote-User, it can't check the user and fails silently. That's 
>>>>> why I'm getting only one line. Perhaps the log line should have said the 
>>>>> extensions name that was failing, not the generic "External 
>>>>> Authentication" that did'nt caught my eye.
>>>>>
>>>>> I will check that as soon as I have a few minutes to spare and tell you.
>>>>
>>>> I'm starting to understand. I need two authn modules, both using 
>>>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a 
>>>> different authz.plugin. Is that possible ? If I do what, in what order the 
>>>> different Authn will be tried ? Are they all tried until one succeed  both 
>>>> authn and authz ?
>>>>
>>>
>>> Yes you can have multiple authn profiles and it tries to login until
>>> one succeed:
>>>
>>> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
>>>
>>> The order isn't guaranteed, but I think it's not important, or is it for 
>>> you?
>>
>> I'm not sure. As I need two 
>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication 
>> will always succeed. It's the auhtz that fails as user as either in one 
>> backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) 
>> calls the authz part I will be fine.
>>
>
> I think it's not possible to have 2 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.
>
> The first authz ldap based backend is tried and return:
> 2017-07-04 17:50:25,711+02 DEBUG 
> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] 
> Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
>         at 
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579)
>  [ovirt-engine-extension-aaa-ldap.jar:]
>         at 
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478)
>  [ovirt-engine-extension-aaa-ldap.jar:]
>         at 
> org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
>         at 
> org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
>         at 
> org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
>         at 
> org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
>         at 
> org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
>         at 
> org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
>         at 
> org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
>         at 
> org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at 
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at 
> org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at 
> org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at 
> org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at 
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at 
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at 
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at 
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at 
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>         at 
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at 
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at 
> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>         at 
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at 
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at 
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at 
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>         at 
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>         at 
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at 
> io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>         at 
> io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>         at 
> io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>         at 
> io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>         at 
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at 
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  [rt.jar:1.8.0_121]
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  [rt.jar:1.8.0_121]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
>
> Right after that, I see in the log:
> 2017-07-04 17:50:25,718+02 ERROR 
> [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] 
> External Authentication Failed: Cannot resolve principal 'rexecutor'
>
> and I don't see in the stack the modules you show me in 
> org.ovirt.engine.core.aaa.filters.doAuth, I think the failure happens latter 
> and ovirt won't manage to handle other authn modules.

Ok, that's bug, can you please open it?

>
>
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to