Change in ovirt-engine-sdk-java[master]: sdk: Add support for Kerberos authentication

juan.hernandez at redhat.com juan.hernandez at redhat.com
Wed Oct 8 17:14:27 UTC 2014


Juan Hernandez has submitted this change and it was merged.

Change subject: sdk: Add support for Kerberos authentication
......................................................................


sdk: Add support for Kerberos authentication

This patch adds support for Kerberos authentication. To use it the user
must explicitly indicate it when creating the API object, for example:

  Api api = new ApiBuilder()
    .url("https://ovirt.example.com/ovirt-engine/api")
    .kerberos(true)
    .build();

When doing this the SDK will take the credentials from the Kerberos
credentials cache and will use them to authenticate with the server.

Note that the Kerberos environment has to be configured correctly before
calling the SDK and that the credentials cache has to be already
populated, using the "kinit" command, for example.

In order to configure the environment two files are needed: the Kerberos
configuration file and the JAAS configuration file. The Kerberos
configuration file will usually exist in "/etc/krb5.conf". The JAAS
configuration file probably won't exist. It needs to be created with
content similar to this:

  com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

  com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

  com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
  };

The location of this file isn't relevant; it just needs to be readable
by the JVM. It can be, for example, located in "/etc/jaas.conf".

In addition to these files the following system properties have to be
added to the JVM:

  -Djava.security.auth.login.config=/etc/jaas.conf
  -Djava.security.krb5.conf=/etc/krb5.conf
  -Djavax.security.auth.useSubjectCredsOnly=false

Change-Id: Ide82e150a5b5b7e8ec9b83aa33c89f0c09656f99
Bug-Url: https://bugzilla.redhat.com/1145237
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
M ovirt-engine-sdk-java-codegen/src/main/java/org/ovirt/engine/sdk/codegen/templates/ApiTemplate
M ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/Api.java
M ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/ApiBuilder.java
M ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/ConnectionsPoolBuilder.java
4 files changed, 141 insertions(+), 27 deletions(-)

Approvals:
  Juan Hernandez: Verified; Looks good to me, approved



-- 
To view, visit http://gerrit.ovirt.org/33504
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ide82e150a5b5b7e8ec9b83aa33c89f0c09656f99
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine-sdk-java
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: automation at ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
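
The commit message above lists several prerequisites (three JVM system properties, two readable configuration files, a JAAS entry that uses the ticket cache, and a cache already populated with "kinit"). The following preflight check is an added example, not code from this patch or from the SDK; the class name KerberosPreflight is hypothetical. It checks each prerequisite in turn when run with the same -D options as the application.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical preflight check (not part of the SDK).
public class KerberosPreflight {
    static final String ENTRY = "com.sun.security.jgss.initiate";

    public static void main(String[] args) {
        // 1. Both configuration files must be named by system properties and readable by the JVM.
        for (String prop : new String[] {"java.security.auth.login.config", "java.security.krb5.conf"}) {
            String path = System.getProperty(prop);
            if (path == null || !Files.isReadable(Paths.get(path))) {
                fail(prop + " is unset or points to an unreadable file: " + path);
            }
        }
        // 2. Must be "false" so JGSS may obtain credentials through the JAAS entry
        //    instead of requiring them in the current Subject.
        if (!"false".equals(System.getProperty("javax.security.auth.useSubjectCredsOnly"))) {
            fail("javax.security.auth.useSubjectCredsOnly must be set to false");
        }
        // 3. The initiator entry must exist and read from the ticket cache.
        AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(ENTRY);
        if (entries == null || entries.length == 0) {
            fail("JAAS configuration has no entry named " + ENTRY);
        }
        for (AppConfigurationEntry e : entries) {
            if (!e.getLoginModuleName().endsWith("Krb5LoginModule")
                    || !"true".equals(e.getOptions().get("useTicketCache"))) {
                fail(ENTRY + " must use Krb5LoginModule with useTicketCache=true");
            }
        }
        // 4. Log in from the cache only; no callback handler is supplied, so an empty
        //    or expired cache fails here instead of prompting for a password.
        try {
            LoginContext lc = new LoginContext(ENTRY);
            lc.login();
            for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("OK: " + t.getClient() + " -> " + t.getServer() + ", expires " + t.getEndTime());
            }
            lc.logout();
        } catch (LoginException ex) {
            fail("no usable ticket in the credentials cache (run kinit?): " + ex.getMessage());
        }
    }
    static void fail(String msg) { System.err.println("FAIL: " + msg); System.exit(1); }
}
```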
