12:39 a.m.
Hello,
We have merged SSO patchset into master.
These kind of deep infra changes are non trivial, we hope we reduced most of the side
effects within the 171 revisions and testing.
Thanks for Ravi Nori for his great effort!
The SSO is based on OAuth2 specification, full description is available[1], it is a stable
supported interface of engine.
In a nut shell, the major change is that login dialog is now handled by a separate non gwt
webapp, this webapp provides authentication and authorization services to other webapps.
The immediate bonus is: no need to re-authenticate to user portal and/or admin portal,
maybe soon we integrate reports.
Performance bonus: if using spnego (kerberos) there is no performance penalty (double
request).
Usability bonus: support many authentication sequences we were unable to provide using the
previous implementation.
Regards,
Alon Bar-Lev.
[1] http://www.ovirt.org/Features/UniformSSOSupport
10:30 a.m.
Ravi and Alon - thanks for great work and dedication!
Regards,
Oved
On Tue, Nov 24, 2015 at 11:39 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
Hello,
We have merged SSO patchset into master.
These kind of deep infra changes are non trivial, we hope we reduced most
of the side effects within the 171 revisions and testing.
Thanks for Ravi Nori for his great effort!
The SSO is based on OAuth2 specification, full description is
available[1], it is a stable supported interface of engine.
In a nut shell, the major change is that login dialog is now handled by a
separate non gwt webapp, this webapp provides authentication and
authorization services to other webapps.
The immediate bonus is: no need to re-authenticate to user portal and/or
admin portal, maybe soon we integrate reports.
Performance bonus: if using spnego (kerberos) there is no performance
penalty (double request).
Usability bonus: support many authentication sequences we were unable to
provide using the previous implementation.
Regards,
Alon Bar-Lev.
[1] http://www.ovirt.org/Features/UniformSSOSupport
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
4:47 p.m.
New subject: SSO Setup
Hi,
Some of you have faced issues setting up engine after SSO patches were
merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved.
If it cannot be resolved externally edit /etc/hosts and add an entry for
your
host name pointing to the local host ip address.
* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt
landing page
Do a fresh setup in a new directory on your dev machine. This fixes the
issue.
I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi
5:28 p.m.
New subject: SSO Setup
On Dec 1, 2015 3:47 PM, "Ravi Nori" <rnori(a)redhat.com> wrote:
Hi,
Some of you have faced issues setting up engine after SSO patches were
merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved.
If it cannot be resolved externally edit /etc/hosts and add an entry for
your
host name pointing to the local host ip address.
Usually FQDN
is dynamic and is assigned by DHCP (e.g. dhcp-0-131.domain.com),
so using that statically isn't the right way.
Also the engine redirects the browser to port 80 whereas in dev we use port
8080, so the browser doesn't get a response.
* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt
landing
page
Do a fresh setup in a new directory on your dev machine. This fixes the
issue.
I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
5:40 p.m.
New subject: SSO Setup
This is a multi-part message in MIME format.
--------------000902070901070108060704
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
On 12/01/2015 09:28 AM, Yevgeny Zaspitsky wrote:
On Dec 1, 2015 3:47 PM, "Ravi Nori" <rnori(a)redhat.com
<mailto:rnori@redhat.com>> wrote:
>
> Hi,
>
> Some of you have faced issues setting up engine after SSO patches
were merged.
>
> Below are the issues and the proposed solutions on how to proceed.
>
> * Issue #1: Host name resolution.
>
> During setup make sure the engine FQDN that you provide can be resolved.
> If it cannot be resolved externally edit /etc/hosts and add an entry
for your
> host name pointing to the local host ip address.
Usually FQDN is dynamic and is assigned by DHCP (e.g.
dhcp-0-131.domain.com <http://dhcp-0-131.domain.com>), so using that
statically isn't the right way.
Also the engine redirects the browser to port 80 whereas in dev we use
port 8080, so the browser doesn't get a response.
If the FQDN can be resolved externally by DHCP you need not worry about
the /etc/hosts, but please make sure it is indeed resolving to your machine
In dev env, sso should redirect to 8080 not 80.
if your instance is being redirected to port 80 please share your
PREFIX/etc/ovirt-engine/engine.conf.d/11-setup-sso.conf and
PREFIX/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
>
> * Issue #2 : non-localized string ???pageheader.notLoggedIn?? in
Ovirt landing page
>
> Do a fresh setup in a new directory on your dev machine. This fixes
the issue.
> I am still investigating the cause.
>
> If you face addition issues please feel free to ping me or open a BZ.
>
> Thanks,
>
> Ravi
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org <mailto:Devel@ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/devel
--------------000902070901070108060704
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 12/01/2015 09:28 AM, Yevgeny
Zaspitsky wrote:<br>
</div>
<blockquote
cite="mid:CAOQTZNdNHKJRsNdt5yvX_CZB_OYtAdwc8Z8TG_6LNSp7wUAFOQ@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
On Dec 1, 2015 3:47 PM, "Ravi Nori" <<a
moz-do-not-send="true"
href="mailto:rnori@redhat.com"><a
class="moz-txt-link-abbreviated"
href="mailto:rnori@redhat.com">rnori@redhat.com</a></a>>
wrote:<br>
><br>
> Hi,<br>
><br>
> Some of you have faced issues setting up engine after SSO
patches were merged.<br>
><br>
> Below are the issues and the proposed solutions on how to
proceed.<br>
><br>
> * Issue #1: Host name resolution.<br>
><br>
> During setup make sure the engine FQDN that you provide can
be resolved.<br>
> If it cannot be resolved externally edit /etc/hosts and add
an entry for your<br>
> host name pointing to the local host ip address.<br>
Usually FQDN is dynamic and is assigned by DHCP (e.g. <a
moz-do-not-send="true"
href="http://dhcp-0-131.domain.com">dhcp-0-131.domain.com</a>),
so using that statically isn't the right way.<br>
Also the engine redirects the browser to port 80 whereas in dev
we use port 8080, so the browser doesn't get a response.<br>
</p>
</blockquote>
<br>
If the FQDN can be resolved externally by DHCP you need not worry
about the /etc/hosts, but please make sure it is indeed resolving to
your machine<br>
<br>
In dev env, sso should redirect to 8080 not 80. <br>
<br>
if your instance is being redirected to port 80 please share your <br>
PREFIX/etc/ovirt-engine/engine.conf.d/11-setup-sso.conf and
PREFIX/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAOQTZNdNHKJRsNdt5yvX_CZB_OYtAdwc8Z8TG_6LNSp7wUAFOQ@mail.gmail.com"
type="cite">
<p dir="ltr">
><br>
> * Issue #2 : non-localized string
???pageheader.notLoggedIn?? in Ovirt landing page<br>
><br>
> Do a fresh setup in a new directory on your dev machine.
This fixes the issue.<br>
> I am still investigating the cause.<br>
><br>
> If you face addition issues please feel free to ping me or
open a BZ.<br>
><br>
> Thanks,<br>
><br>
> Ravi<br>
> _______________________________________________<br>
> Devel mailing list<br>
> <a moz-do-not-send="true"
href="mailto:Devel@ovirt.org">Devel@ovirt.org</a><br>
> <a moz-do-not-send="true"
href="http://lists.ovirt.org/mailman/listinfo/devel">http://...
</p>
</blockquote>
<br>
</body>
</html>
--------------000902070901070108060704--
5:46 p.m.
New subject: SSO Setup
On Tue, Dec 1, 2015 at 2:47 PM, Ravi Nori <rnori(a)redhat.com> wrote:
Hi,
Some of you have faced issues setting up engine after SSO patches were
merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved.
If it cannot be resolved externally edit /etc/hosts and add an entry for
your
host name pointing to the local host ip address.
Here probably we could enforce it at engine-setup
* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt
landing page
Do a fresh setup in a new directory on your dev machine. This fixes the
issue.
I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
10:35 a.m.
Its great that we can now support OAuth2! I can see us using that in
oVirt infra...
Does this somehow enable integration with Keycloak [1] or Ipsilon [2] ?
[1]: http://keycloak.jboss.org/
[2]: https://fedorahosted.org/ipsilon/
On 24 November 2015 at 23:39, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
Hello,
We have merged SSO patchset into master.
These kind of deep infra changes are non trivial, we hope we reduced most of the side
effects within the 171 revisions and testing.
Thanks for Ravi Nori for his great effort!
The SSO is based on OAuth2 specification, full description is available[1], it is a
stable supported interface of engine.
In a nut shell, the major change is that login dialog is now handled by a separate non
gwt webapp, this webapp provides authentication and authorization services to other
webapps.
The immediate bonus is: no need to re-authenticate to user portal and/or admin portal,
maybe soon we integrate reports.
Performance bonus: if using spnego (kerberos) there is no performance penalty (double
request).
Usability bonus: support many authentication sequences we were unable to provide using
the previous implementation.
Regards,
Alon Bar-Lev.
[1] http://www.ovirt.org/Features/UniformSSOSupport
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
--
Barak Korren
bkorren(a)redhat.com
RHEV-CI Team
3278
days inactive
3285
days old
6 comments
6 participants
participants (6)
-
Alon Bar-Lev -
Barak Korren -
Oved Ourfali -
Ravi Nori -
Simone Tiraboschi -
Yevgeny Zaspitsky