AAA changes on 3.6 and master

Hi,

yesterday we merged a couple of changes in the AAA area:

1. Legacy provider for 'internal' domain (3.6 and master)
   - it's still installed by default if aaa-jdbc provider is not present
     (details below)
   - UUID of 'admin@internal' user is no longer static, but for new
     installations UUID is generated
   - Password of 'admin@internal' is no longer saved in vdc_options table,
     but it's stored encoded in legacy internal provider config file
     (PREFIX/etc/ovirt-engine/extensions.d/internal-authn.properties)
   - If you want to change 'admin@internal' password please execute:

       PREFIX/bin/engine-setup \
         --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"

     replacing MY_PASSWORD with your new password

2. aaa-jdbc provider for 'internal' domain (3.6 and master)
   - this is a new implementation of AAA provider which stores users/groups
     in database and provides (from engine point of view) same capabilities
     as aaa-ldap provider
   - on RPM installations it replaces legacy provider for 'internal' domain
   - it's configured automatically on RPM installations when running
     engine-setup
   - if you want to use it also in development environment, please do
     the following steps:

     a. Checkout sources [1], build and install into your PREFIX
     b. Execute

          PREFIX/bin/engine-setup \
            --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"

     This will replace legacy internal provider with aaa-jdbc one.

3. Legacy kerbldap provider (master only)
   - it has been dropped from the project
   - engine-setup will fail if you have kerbldap provider configured
   - you can either migrate to the new aaa-ldap provider using [2] or
     create new prefix without kerbldap provider config

Thanks

Martin Perina

[1] https://gerrit.ovirt.org/#/admin/projects/ovirt-engine-extension-aaa-jdbc
[2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

On 08/12/2015 01:11 PM, Martin Perina wrote:
> Hi,
>
> yesterday we merged a couple of changes in the AAA area:
>
> 1. Legacy provider for 'internal' domain (3.6 and master)
>    - it's still installed by default if aaa-jdbc provider is not present
>      (details below)
>    - UUID of 'admin@internal' user is no longer static, but for new
>      installations UUID is generated
>    - Password of 'admin@internal' is no longer saved in vdc_options table,
>      but it's stored encoded in legacy internal provider config file
>      (PREFIX/etc/ovirt-engine/extensions.d/internal-authn.properties)
>    - If you want to change 'admin@internal' password please execute:
>
>        PREFIX/bin/engine-setup \
>          --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"

Is this supported in the answer file?

>      replacing MY_PASSWORD with your new password
>
> 2. aaa-jdbc provider for 'internal' domain (3.6 and master)
>    - this is a new implementation of AAA provider which stores users/groups
>      in database and provides (from engine point of view) same capabilities
>      as aaa-ldap provider
>    - on RPM installations it replaces legacy provider for 'internal' domain
>    - it's configured automatically on RPM installations when running
>      engine-setup
>    - if you want to use it also in development environment, please do
>      the following steps:
>
>      a. Checkout sources [1], build and install into your PREFIX
>      b. Execute
>
>           PREFIX/bin/engine-setup \
>             --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"
>
>      This will replace legacy internal provider with aaa-jdbc one.
>
> 3. Legacy kerbldap provider (master only)
>    - it has been dropped from the project
>    - engine-setup will fail if you have kerbldap provider configured
>    - you can either migrate to the new aaa-ldap provider using [2] or
>      create new prefix without kerbldap provider config
>
> Thanks
>
> Martin Perina
>
> [1] https://gerrit.ovirt.org/#/admin/projects/ovirt-engine-extension-aaa-jdbc
> [2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

----- Original Message -----
> From: "Roy Golan" <rgolan@redhat.com>
> To: "Martin Perina" <mperina@redhat.com>, "devel" <devel@ovirt.org>
> Sent: Thursday, August 13, 2015 7:39:21 AM
> Subject: Re: [ovirt-devel] AAA changes on 3.6 and master
>
> On 08/12/2015 01:11 PM, Martin Perina wrote:
> > Hi,
> >
> > yesterday we merged a couple of changes in the AAA area:
> >
> > 1. Legacy provider for 'internal' domain (3.6 and master)
> >    - it's still installed by default if aaa-jdbc provider is not present
> >      (details below)
> >    - UUID of 'admin@internal' user is no longer static, but for new
> >      installations UUID is generated
> >    - Password of 'admin@internal' is no longer saved in vdc_options table,
> >      but it's stored encoded in legacy internal provider config file
> >      (PREFIX/etc/ovirt-engine/extensions.d/internal-authn.properties)
> >    - If you want to change 'admin@internal' password please execute:
> >
> >        PREFIX/bin/engine-setup \
> >          --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"
>
> Is this supported in the answer file?

Yes

> >      replacing MY_PASSWORD with your new password
> >
> > 2. aaa-jdbc provider for 'internal' domain (3.6 and master)
> >    - this is a new implementation of AAA provider which stores users/groups
> >      in database and provides (from engine point of view) same capabilities
> >      as aaa-ldap provider
> >    - on RPM installations it replaces legacy provider for 'internal' domain
> >    - it's configured automatically on RPM installations when running
> >      engine-setup
> >    - if you want to use it also in development environment, please do
> >      the following steps:
> >
> >      a. Checkout sources [1], build and install into your PREFIX
> >      b. Execute
> >
> >           PREFIX/bin/engine-setup \
> >             --otopi-environment="OVESETUP_CONFIG/adminPassword=str:MY_PASSWORD"
> >
> >      This will replace legacy internal provider with aaa-jdbc one.
> >
> > 3. Legacy kerbldap provider (master only)
> >    - it has been dropped from the project
> >    - engine-setup will fail if you have kerbldap provider configured
> >    - you can either migrate to the new aaa-ldap provider using [2] or
> >      create new prefix without kerbldap provider config
> >
> > Thanks
> >
> > Martin Perina
> >
> > [1] https://gerrit.ovirt.org/#/admin/projects/ovirt-engine-extension-aaa-jdbc
> > [2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
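
Added example (not part of the thread and not oVirt project code) for the answer-file route confirmed above: a shell function that writes an answer file carrying OVESETUP_CONFIG/adminPassword, reading the password from stdin so it never appears on the engine-setup command line. The `[environment:default]` section header, the `--config-append` option and the file names are assumptions based on the usual otopi answer-file layout; the thread itself only names the key.

```shell
#!/bin/sh
# Added example, not from the thread: build an answer file for the
# admin@internal password instead of passing it via --otopi-environment.

# write_admin_answer_file FILE
#   Reads one line (the new password) from stdin and writes an answer file
#   that only the owner can read. Returns non-zero on empty input.
write_admin_answer_file() {
    answer_file=$1

    # IFS= and -r keep leading spaces and backslashes in the password intact.
    IFS= read -r admin_password || [ -n "$admin_password" ] || return 1
    [ -n "$admin_password" ] || return 1

    # Create (or truncate) the file and force mode 0600 *before* the secret
    # is written, so a pre-existing world-readable file is tightened first.
    ( umask 077 && : > "$answer_file" ) || return 1
    chmod 600 "$answer_file" || return 1

    # printf is a shell builtin, so the password is not exposed in the
    # argument list of any external process.
    {
        printf '# action=setup\n'
        printf '[environment:default]\n'   # assumed otopi section header
        printf 'OVESETUP_CONFIG/adminPassword=str:%s\n' "$admin_password"
    } >> "$answer_file"
}

# Usage sketch (engine-setup is not invoked by this block; PREFIX as in the
# thread, admin-password.conf is a hypothetical file name):
#   stty -echo; write_admin_answer_file "$HOME/admin-password.conf"; stty echo
#   PREFIX/bin/engine-setup --config-append="$HOME/admin-password.conf"
#   rm -f "$HOME/admin-password.conf"
```

The answer file holds the password in clear text, so it is removed once engine-setup has finished.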