On Tue, Jul 4, 2017 at 6:05 PM, Fabrice Bacchella
<fabrice.bacchella(a)orange.fr> wrote:
> Le 1 juil. 2017 à 09:09, Fabrice Bacchella <fabrice.bacchella(a)orange.fr> a
écrit :
>
>
>> Le 30 juin 2017 à 23:25, Ondra Machacek <omachace(a)redhat.com> a écrit :
>>
>> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
>> <fabrice.bacchella(a)orange.fr> wrote:
>>>
>>>> Le 29 juin 2017 à 14:42, Fabrice Bacchella
<fabrice.bacchella(a)orange.fr> a écrit :
>>>>
>>>>
>>>>> Le 29 juin 2017 à 13:41, Ondra Machacek <omachace(a)redhat.com> a
écrit :
>>>>>
>>>>> How do you login? Do you use webadmin or API/SDK, if using SDK,
don't
>>>>> you use kerberos=True?
>>>>
>>>> Ok, got it.
>>>> It's tested with the sdk, using kerberos. But Kerberos authentication
is done in Apache and I configure a profile for that, so I needed to add:
config.artifact.arg = X-Remote-User in my
/etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is missing from
internal-authn.properties. So rexecutor@internal is checked with my profil, and not
found. But as the internal profil don't know about X-Remote-User, it can't check
the user and fails silently. That's why I'm getting only one line. Perhaps the log
line should have said the extensions name that was failing, not the generic "External
Authentication" that did'nt caught my eye.
>>>>
>>>> I will check that as soon as I have a few minutes to spare and tell you.
>>>
>>> I'm starting to understand. I need two authn modules, both using
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different authz.plugin.
Is that possible ? If I do what, in what order the different Authn will be tried ? Are
they all tried until one succeed both authn and authz ?
>>>
>>
>> Yes you can have multiple authn profiles and it tries to login until
>> one succeed:
>>
>>
https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c...
>>
>> The order isn't guaranteed, but I think it's not important, or is it for
you?
>
> I'm not sure. As I need two
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication will always
succeed. It's the auhtz that fails as user as either in one backend or the other. So
if ExtMap output = profile.getAuthn().invoke(..) calls the authz part I will be fine.
>
I think it's not possible to have 2
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.
The first authz ldap based backend is tried and return:
2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension]
(default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal
'rexecutor'
at
org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579)
[ovirt-engine-extension-aaa-ldap.jar:]
at
org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478)
[ovirt-engine-extension-aaa-ldap.jar:]
at
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
at
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
at
org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
at
org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
at
org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
at
org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
at
org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
at
org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_121]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_121]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
Right after that, I see in the log:
2017-07-04 17:50:25,718+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils]
(default task-2) [] External Authentication Failed: Cannot resolve principal
'rexecutor'
and I don't see in the stack the modules you show me in
org.ovirt.engine.core.aaa.filters.doAuth, I think the failure happens latter and ovirt
won't manage to handle other authn modules.