[ATN] [master] SSO patchset were merged

Hello,

We have merged SSO patchset into master. These kind of deep infra changes are non trivial, we hope we reduced most of the side effects within the 171 revisions and testing. Thanks for Ravi Nori for his great effort!

The SSO is based on OAuth2 specification, full description is available[1], it is a stable supported interface of engine.

In a nut shell, the major change is that login dialog is now handled by a separate non gwt webapp, this webapp provides authentication and authorization services to other webapps.

The immediate bonus is: no need to re-authenticate to user portal and/or admin portal, maybe soon we integrate reports.
Performance bonus: if using spnego (kerberos) there is no performance penalty (double request).
Usability bonus: support many authentication sequences we were unable to provide using the previous implementation.

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/UniformSSOSupport

Ravi and Alon - thanks for great work and dedication!

Regards,
Oved

On Tue, Nov 24, 2015 at 11:39 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
Hello,
We have merged SSO patchset into master. These kind of deep infra changes are non trivial, we hope we reduced most of the side effects within the 171 revisions and testing. Thanks for Ravi Nori for his great effort!
The SSO is based on OAuth2 specification, full description is available[1], it is a stable supported interface of engine.
In a nut shell, the major change is that login dialog is now handled by a separate non gwt webapp, this webapp provides authentication and authorization services to other webapps.
The immediate bonus is: no need to re-authenticate to user portal and/or admin portal, maybe soon we integrate reports. Performance bonus: if using spnego (kerberos) there is no performance penalty (double request). Usability bonus: support many authentication sequences we were unable to provide using the previous implementation.
Regards, Alon Bar-Lev.
[1] http://www.ovirt.org/Features/UniformSSOSupport _______________________________________________ Devel mailing list Devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/devel

Hi,

Some of you have faced issues setting up engine after SSO patches were merged.

Below are the issues and the proposed solutions on how to proceed.

* Issue #1: Host name resolution.

During setup make sure the engine FQDN that you provide can be resolved. If it cannot be resolved externally edit /etc/hosts and add an entry for your host name pointing to the local host ip address.

* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt landing page

Do a fresh setup in a new directory on your dev machine. This fixes the issue. I am still investigating the cause.

If you face additional issues please feel free to ping me or open a BZ.

Thanks,
Ravi

On Dec 1, 2015 3:47 PM, "Ravi Nori" <rnori@redhat.com> wrote:
Hi,
Some of you have faced issues setting up engine after SSO patches were merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved. If it cannot be resolved externally edit /etc/hosts and add an entry for your host name pointing to the local host ip address.
Usually FQDN is dynamic and is assigned by DHCP (e.g. dhcp-0-131.domain.com), so using that statically isn't the right way. Also the engine redirects the browser to port 80 whereas in dev we use port 8080, so the browser doesn't get a response.
* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt landing page
Do a fresh setup in a new directory on your dev machine. This fixes the issue. I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi

On 12/01/2015 09:28 AM, Yevgeny Zaspitsky wrote:
On Dec 1, 2015 3:47 PM, "Ravi Nori" <rnori@redhat.com> wrote:
Hi,
Some of you have faced issues setting up engine after SSO patches were merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved. If it cannot be resolved externally edit /etc/hosts and add an entry for your host name pointing to the local host ip address.
Usually FQDN is dynamic and is assigned by DHCP (e.g. dhcp-0-131.domain.com), so using that statically isn't the right way. Also the engine redirects the browser to port 80 whereas in dev we use port 8080, so the browser doesn't get a response.

If the FQDN can be resolved externally by DHCP you need not worry about the /etc/hosts, but please make sure it is indeed resolving to your machine.

In dev env, sso should redirect to 8080 not 80. If your instance is being redirected to port 80 please share your PREFIX/etc/ovirt-engine/engine.conf.d/11-setup-sso.conf and PREFIX/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf

* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt landing page
Do a fresh setup in a new directory on your dev machine. This fixes the issue.
I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi
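The check asked for in the reply above (that the engine FQDN "is indeed resolving to your machine"), as an added example that is not part of the thread or of oVirt's code. It resolves the name and tests each returned address by trying to bind a socket to it; the function names are hypothetical, and a loopback entry from /etc/hosts counts as local.

```python
import socket
import sys

def resolve(fqdn, resolver=socket.getaddrinfo):
    """Return the sorted unique IP addresses fqdn resolves to ([] if none)."""
    try:
        infos = resolver(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_local_address(addr):
    """True if addr is assigned to an interface on this machine.

    Binding to port 0 fails with EADDRNOTAVAIL for addresses the host does
    not own (assumes the kernel's non-local bind option is off, the default).
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.bind((addr, 0))
        return True
    except OSError:
        return False

def check_engine_fqdn(fqdn, resolver=socket.getaddrinfo):
    """Classify fqdn as 'unresolved', 'resolves-elsewhere' or 'ok'."""
    addrs = resolve(fqdn, resolver)
    if not addrs:
        return ("unresolved", [])
    foreign = [a for a in addrs if not is_local_address(a)]
    if foreign:
        # The SSO redirect would send the browser to another host.
        return ("resolves-elsewhere", foreign)
    return ("ok", addrs)

if __name__ == "__main__":
    # Default to this machine's own idea of its FQDN.
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    status, addrs = check_engine_fqdn(name)
    print(f"{name}: {status} {addrs}")
    sys.exit(0 if status == "ok" else 1)
```

Run it with the FQDN you intend to give engine-setup; a non-zero exit means the name is unresolved or points at another machine.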

On Tue, Dec 1, 2015 at 2:47 PM, Ravi Nori <rnori@redhat.com> wrote:
Hi,
Some of you have faced issues setting up engine after SSO patches were merged.
Below are the issues and the proposed solutions on how to proceed.
* Issue #1: Host name resolution.
During setup make sure the engine FQDN that you provide can be resolved. If it cannot be resolved externally edit /etc/hosts and add an entry for your host name pointing to the local host ip address.
Here probably we could enforce it at engine-setup
* Issue #2 : non-localized string ???pageheader.notLoggedIn?? in Ovirt landing page
Do a fresh setup in a new directory on your dev machine. This fixes the issue. I am still investigating the cause.
If you face addition issues please feel free to ping me or open a BZ.
Thanks,
Ravi

It's great that we can now support OAuth2! I can see us using that in oVirt infra...

Does this somehow enable integration with Keycloak [1] or Ipsilon [2]?

[1]: http://keycloak.jboss.org/
[2]: https://fedorahosted.org/ipsilon/

On 24 November 2015 at 23:39, Alon Bar-Lev <alonbl@redhat.com> wrote:
Hello,
We have merged SSO patchset into master. These kind of deep infra changes are non trivial, we hope we reduced most of the side effects within the 171 revisions and testing. Thanks for Ravi Nori for his great effort!
The SSO is based on OAuth2 specification, full description is available[1], it is a stable supported interface of engine.
In a nut shell, the major change is that login dialog is now handled by a separate non gwt webapp, this webapp provides authentication and authorization services to other webapps.
The immediate bonus is: no need to re-authenticate to user portal and/or admin portal, maybe soon we integrate reports. Performance bonus: if using spnego (kerberos) there is no performance penalty (double request). Usability bonus: support many authentication sequences we were unable to provide using the previous implementation.
Regards, Alon Bar-Lev.
[1] http://www.ovirt.org/Features/UniformSSOSupport
--
Barak Korren
bkorren@redhat.com
RHEV-CI Team
participants (6)
- Alon Bar-Lev
- Barak Korren
- Oved Ourfali
- Ravi Nori
- Simone Tiraboschi
- Yevgeny Zaspitsky