[ovirt-devel] AAA changes on 3.6 and master

Martin Perina mperina at redhat.com
Wed Aug 12 10:11:26 UTC 2015


Hi,

Yesterday we merged a couple of changes in the AAA area:

1. Legacy provider for 'internal' domain (3.6 and master)
   - it's still installed by default if aaa-jdbc provider
     is not present (details below)
   - UUID of 'admin@internal' user is no longer static, but
     for new installations UUID is generated
   - Password of 'admin@internal' is no longer saved in vdc_options table,
     but it's stored encoded in legacy internal provider config file
     (PREFIX/etc/ovirt-engine/extensions.d/internal-authn.properties)
   - If you want to change 'admin@internal' password please execute:

       PREFIX/bin/engine-setup \
           --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"

     replacing MY_PASSWORD with your new password


2. aaa-jdbc provider for 'internal' domain (3.6 and master)
   - this is a new implementation of AAA provider which stores users/groups
     in database and provides (from engine point of view) the same capabilities
     as aaa-ldap provider
   - on RPM installations it replaces legacy provider for 'internal'
     domain
   - it's configured automatically on RPM installations when running
     engine-setup
   - if you want to use it also in a development environment, please do
     the following steps:

       a. Checkout sources [1], build and install into your PREFIX

       b. Execute
            PREFIX/bin/engine-setup \
             --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"

      This will replace legacy internal provider with aaa-jdbc one.


3. Legacy kerbldap provider (master only)
   - it has been dropped from the project
   - engine-setup will fail if you have kerbldap provider configured
   - you can either migrate to the new aaa-ldap provider using [2]
     or create new prefix without kerbldap provider config


Thanks

Martin Perina

[1] https://gerrit.ovirt.org/#/admin/projects/ovirt-engine-extension-aaa-jdbc
[2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases


