[ovirt-users] ovirt can't find user

Fabrice Bacchella fabrice.bacchella at orange.fr
Sat Jul 1 07:09:08 UTC 2017 

> Le 30 juin 2017 à 23:25, Ondra Machacek <omachace at redhat.com> a écrit :
> 
> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
> <fabrice.bacchella at orange.fr> wrote:
>> 
>>> Le 29 juin 2017 à 14:42, Fabrice Bacchella <fabrice.bacchella at orange.fr> a écrit :
>>> 
>>> 
>>>> Le 29 juin 2017 à 13:41, Ondra Machacek <omachace at redhat.com> a écrit :
>>>> 
>>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
>>>> you use kerberos=True?
>>> 
>>> Ok, got it.
>>> It's tested with the sdk, using kerberos. But Kerberos authentication is done in Apache and I configure a profile for that, so I needed to add: config.artifact.arg = X-Remote-User in my /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is missing from internal-authn.properties. So rexecutor at internal  is checked with my profil, and not found. But as the internal profil don't know about X-Remote-User, it can't check the user and fails silently. That's why I'm getting only one line. Perhaps the log line should have said the extensions name that was failing, not the generic "External Authentication" that did'nt caught my eye.
>>> 
>>> I will check that as soon as I have a few minutes to spare and tell you.
>> 
>> I'm starting to understand. I need two authn modules, both using org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different authz.plugin. Is that possible ? If I do what, in what order the different Authn will be tried ? Are they all tried until one succeed  both authn and authz ?
>> 
> 
> Yes you can have multiple authn profiles and it tries to login until
> one succeed:
> 
> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
> 
> The order isn't guaranteed, but I think it's not important, or is it for you?

I'm not sure. As I need two org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication will always succeed. It's the auhtz that fails as user as either in one backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) calls the authz part I will be fine.

More information about the Users mailing list