I'm currently fighting with the new mandatory SSO system introduced in 4.0.

It's also used internally, as ovirt-engine is calling itself, as shown in the apache log, to identify itself to itself:

[2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
[2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"

But the SSO will be accessed by humans too:

[2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"

I'm using a custom apache configuration, as I need that to better integrate ovirt in our running SSO and PKI setup.

So under SSO I wonder which part needs to be protected using our own SSO, and what part can be open to any access, with the internal security of ovirt managing it?

In https://bugzilla.redhat.com/show_bug.cgi?id=1342192, it seems to me that ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs to be protected. Am I right?

In my log, I've seen access to:
/ovirt-engine/sso/status
/ovirt-engine/sso/oauth/token-info
/ovirt-engine/webadmin/sso/oauth2-callback
/ovirt-engine/webadmin/sso/login
/ovirt-engine/sso/oauth/token
/ovirt-engine/sso/oauth/authorize
/ovirt-engine/sso/interactive-redirect-to-module
/ovirt-engine/sso/interactive-login-next-auth
/ovirt-engine/sso/interactive-login-negotiate/ovirt-auth
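As an added example (not part of the original post or of oVirt itself), here is a small Python check that parses the custom Apache log lines quoted above and tests each observed SSO path against the regex from the Bugzilla thread, so you can see which requests an Apache-level SSO rule on that regex would intercept and which ones are the engine calling itself. The field layout of the log line and the use of the `Java/` user-agent as a marker for engine-to-engine calls are assumptions taken from the excerpt.

```python
import re

# Prefixes the post expects the Apache-level SSO/PKI layer to protect
# (the regex quoted from the Bugzilla thread).
PROTECTED_RE = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)")

# Custom Apache log format as it appears in the post (assumed field layout):
# [ts] client "vhost" "METHOD path proto" bytes_in status + bytes_out "referer" "ua"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<client>\S+) "(?P<vhost>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<bytes_in>\S+) (?P<status>\d{3}) '
    r'\+ (?P<bytes_out>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: the three lines from the post's log excerpt.
SAMPLE_LOG = [
    '[2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"',
    '[2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"',
    '[2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"',
]

# The nine SSO paths the post lists as seen in the access log.
OBSERVED_PATHS = [
    "/ovirt-engine/sso/status", "/ovirt-engine/sso/oauth/token-info", "/ovirt-engine/webadmin/sso/oauth2-callback",
    "/ovirt-engine/webadmin/sso/login", "/ovirt-engine/sso/oauth/token", "/ovirt-engine/sso/oauth/authorize",
    "/ovirt-engine/sso/interactive-redirect-to-module", "/ovirt-engine/sso/interactive-login-next-auth",
    "/ovirt-engine/sso/interactive-login-negotiate/ovirt-auth",
]

def parse_line(line):
    """Split one log line into named fields; None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def needs_external_sso(path):
    """True when the path falls under the prefixes the external SSO should guard."""
    return PROTECTED_RE.match(path) is not None

def triage(lines):
    """Bucket requests by whether the Apache SSO rule would intercept them, and list
    the ones made by the engine itself (a browser-oriented challenge would break those)."""
    out = {"protected": [], "open": [], "engine_self_call": []}
    for rec in filter(None, map(parse_line, lines)):
        out["protected" if needs_external_sso(rec["path"]) else "open"].append(rec["path"])
        if rec["ua"].startswith("Java/"):  # assumption: JVM UA marks engine-to-engine calls
            out["engine_self_call"].append(rec["path"])
    return out
```

Of the nine listed paths only the interactive-login-negotiate one falls under the regex; the two 401 self-calls from the Java client hit paths the regex leaves open, which is what you want if the external SSO only understands browser logins.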