I managed to set up a not 100% perfect, but quite usable, solution anyway.
I used org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication, behind
a mod_auth_cas. [1]
Authorization is done using
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension.
I still need to create users manually with ovirt-aaa-jdbc-tool and assign rights manually,
but I don't have a lot of users, so I can live with that.
I can share my configuration with you if you are interested.
I tried to have a look at the source code of the current AAA modules, and they taught me only
one thing: without complete documentation, there is
no hope of writing a new one. Is the javadoc ovirt-engine-extensions-api-impl-javadoc online
somewhere?
[1] https://wiki.jasig.org/display/casc/mod_auth_cas
On 11 March 2016 at 17:55, Martin Perina <mperina(a)redhat.com> wrote:
Hi,
I'm glad to hear that you were able to successfully configure aaa-misc
and mod_auth_cas to allow CAS based login for oVirt.
Unfortunately regarding CAS authorization for oVirt I have somewhat bad
news for you. But let me explain the issue a bit:
1. Using aaa-misc we are able to pass only the user name of the authenticated
user from Apache to oVirt.
2. After that we have an authenticated user on oVirt, and then we pass
its username to the authz extension to fetch the full principal record including
group memberships. At the moment we don't pass anything else to the authz
extension, just the principal name (username).
So here are the options for enabling CAS authorization for oVirt:
1. Implement a new authz extension which will fetch the principal record from the CAS
server (if this is possible, I don't know much about CAS)
2. Or implement new authn/authz extensions specific to CAS which will use the
CAS API to do both authn and authz.
3. Use LDAP as a backend for your CAS server (if possible) and configure the
authz part using ovirt-engine-extension-aaa-ldap
4. You could also create an RFE bug on oVirt to add CAS support, but
no promises from me :-) you are the first user asking about CAS support
Regarding documentation:
- oVirt engine extensions API JavaDoc is contained in the package ovirt-engine-extensions-api-impl-javadoc
- Ondra wrote some great articles about oVirt AAA configurations and published them on his blog [1]
- You can also take a look at some presentations about oVirt extensions:
The New oVirt Extension API: Taking AAA to the next level [2] [3]
oVirt Extension API: The first step for fully modular oVirt [4] [5]
- And you can also take a look at the sources of the existing aaa-ldap [6], aaa-misc [7] and aaa-jdbc [8] extensions
And of course feel free to ask!
Regards
Martin Perina
[1] http://machacekondra.blogspot.cz/
[2] https://www.youtube.com/watch?v=bSbdqmRNLi0
[3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-...
[4] https://www.youtube.com/watch?v=9b9WVFsy_yg
[5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-...
[6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
[7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
[8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc
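As an added illustration (not configuration posted by either participant), this is the shape of the two halves that the thread describes: Apache with mod_auth_cas validates the CAS ticket and forwards only the validated username to the engine in a header, the aaa-misc http AuthnExtension reads that header, and authorization is delegated to a separately configured authz extension (the jdbc one in Fabrice's setup). Every path, URL, header name and property key below is an assumption based on the mod_auth_cas and aaa-misc conventions; check them against the documentation of the installed versions before use.

```apacheconf
# ---- /etc/httpd/conf.d/ovirt-cas.conf (assumed path; added example) ----
# mod_auth_cas settings. The CAS server URLs are placeholders.
CASLoginURL    https://cas.example.org/cas/login
CASValidateURL https://cas.example.org/cas/serviceValidate
CASCookiePath  /var/cache/httpd/mod_auth_cas/

<Location /ovirt-engine/>
    AuthType CAS
    Require valid-user

    # Expose the authenticated principal to mod_rewrite via a look-ahead,
    # then copy it into the header the engine-side extension reads.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]

    # "set" (not "add") overwrites any X-Remote-User value a client sent,
    # so the engine only ever sees the CAS-validated name.
    RequestHeader set X-Remote-User "%{REMOTE_USER}e"
</Location>

# ---- /etc/ovirt-engine/extensions.d/cas-authn.properties (assumed path) ----
# Engine-side authn extension from aaa-misc; property keys follow the
# aaa-misc README conventions and must be verified for the installed version.
# ovirt.engine.extension.name = cas-authn
# ovirt.engine.extension.bindings.method = jbossmodule
# ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
# ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
# ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
# ovirt.engine.aaa.authn.profile.name = cas
# ovirt.engine.aaa.authn.authz.plugin = cas-authz   # name of the jdbc (or other) authz extension
# config.artifact.name = HEADER
# config.artifact.arg = X-Remote-User
```

Two consequences follow directly from Martin's points 1 and 2. First, because the engine accepts the header as proof of identity, the engine's own listener must be reachable only through this Apache instance (bind it to localhost or firewall it), otherwise anyone who can reach it can supply their own X-Remote-User. Second, the only value that reaches the authz extension is that username, so each account created with `ovirt-aaa-jdbc-tool user add <name>` must carry exactly the name CAS returns; CAS attributes that mod_auth_cas can expose as additional headers never reach the authz side, which is the gap the thread is about.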
----- Original Message -----
> From: "Fabrice Bacchella" <fabrice.bacchella(a)orange.fr>
> To: Users(a)ovirt.org
> Sent: Tuesday, March 8, 2016 11:54:13 AM
> Subject: [ovirt-users] ovirt and CAS SSO
>
> I'm trying to add CAS SSO to ovirt.
>
> For authn (authentication),
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
> behind an Apache with mod_auth_cas.
>
> Now I'm fighting with authz (authorization). CAS provides everything needed
> as header. So I don't need ldap or jdbc extensions. Is there anything done
> about that or do I need to write my own extension? Is there some
> documentation about that?
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>