new internal SSO

12 Aug 2016

      --Apple-Mail=_138C94D8-E499-4C85-8D42-96B668C52119
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I'm currently fighting with the new mandatory SSO system introduced in =
4.0.

It's also used internally as ovirt-engine is calling himself, as shown =
in the apache log, to identity himself to himself:

[2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST =
/ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
[2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST =
/ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" =
"Java/1.8.0_92"

But the sso will be acceded by human too:

[2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET =
/ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - =
"https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; =
Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"

I'm using a custom apache configuration, as I need that to better =
integrate ovirt in our running SSO and PKI setup.

So under SSO I wonder which part needs to be protected using our own =
SSO, and what part can be open to any access, and the internal security =
of ovirt will manage it ?

In https://bugzilla.redhat.com/show_bug.cgi?id=3D1342192, it seems for =
me that =
^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) =
needs to be protected. Am i right ?

In my log, I've seen access to:

/ovirt-engine/sso/status
/ovirt-engine/sso/oauth/token-info
/ovirt-engine/webadmin/sso/oauth2-callback
/ovirt-engine/webadmin/sso/login
/ovirt-engine/sso/oauth/token
/ovirt-engine/sso/oauth/authorize
/ovirt-engine/sso/interactive-redirect-to-module
/ovirt-engine/sso/interactive-login-next-auth
/ovirt-engine/sso/interactive-login-negotiate/ovirt-auth=

--Apple-Mail=_138C94D8-E499-4C85-8D42-96B668C52119
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">I'm currently fighting with the new mandatory SSO system =
introduced in 4.0.<div class=3D""><br class=3D""></div><div =
class=3D"">It's also used internally as ovirt-engine is calling himself, =
as shown in the apache log, to identity himself to himself:</div><div =
class=3D""><br class=3D""></div><div class=3D""><div style=3D"margin: =
0px; font-size: 11px; line-height: normal; font-family: Menlo;" =
class=3D""><span style=3D"font-variant-ligatures: no-common-ligatures" =
class=3D"">[2016-08-12 11:30:24] 10.83.16.34 "<a =
href=3D"http://ovirt.prod.exalead.com" =
class=3D"">ovirt.prod.exalead.com</a>" "POST /ovirt-engine/sso/status =
HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"</span></div></div><div =
class=3D""><span style=3D"font-variant-ligatures: no-common-ligatures" =
class=3D""><div style=3D"margin: 0px; font-size: 11px; line-height: =
normal; font-family: Menlo;" class=3D""><span =
style=3D"font-variant-ligatures: no-common-ligatures" =
class=3D"">[2016-08-12 10:55:49] 10.83.16.34 "<a =
href=3D"http://ovirt.prod.exalead.com" =
class=3D"">ovirt.prod.exalead.com</a>" "POST =
/ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" =
"Java/1.8.0_92"</span></div><div class=3D""><span =
style=3D"font-variant-ligatures: no-common-ligatures" class=3D""><br =
class=3D""></span></div></span></div><div class=3D"">But the sso will be =
acceded by human too:</div><div class=3D""><br class=3D""></div><div =
class=3D""><div style=3D"margin: 0px; font-size: 11px; line-height: =
normal; font-family: Menlo;" class=3D""><span =
style=3D"font-variant-ligatures: no-common-ligatures" =
class=3D"">[2016-08-12 11:29:27] 192.168.205.59 "<a =
href=3D"http://ovirt.prod.exalead.com" =
class=3D"">ovirt.prod.exalead.com</a>" "GET =
/ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - =
"<a href=3D"https://ovirt.prod.exalead.com/ovirt-engine/" =
class=3D"">https://ovirt.prod.exalead.com/ovirt-engine/</a>" =
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 =
Firefox/47.0"</span></div></div><div class=3D""><span =
style=3D"font-variant-ligatures: no-common-ligatures" class=3D""><br =
class=3D""></span></div><div class=3D""><br class=3D""></div><div =
class=3D"">I'm using a custom apache configuration, as I need that to =
better integrate ovirt in our running SSO and PKI setup.</div><div =
class=3D""><br class=3D""></div><div class=3D"">So under SSO I wonder =
which part needs to be protected using our own SSO, and what part can be =
open to any access, and the internal security of ovirt will manage it =
?</div><div class=3D""><br class=3D""></div><div class=3D"">In <a =
href=3D"https://bugzilla.redhat.com/show_bug.cgi?id=3D1342192" =
class=3D"">https://bugzilla.redhat.com/show_bug.cgi?id=3D1342192</a>, it =
seems for me that <span style=3D"white-space: pre-wrap;" =
class=3D"">^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-htt=
p-auth) needs to be protected. Am i right ?</span></div><div =
class=3D""><br class=3D""></div><div class=3D"">In my log, I've seen =
access to:</div><div class=3D""><br class=3D"">/ovirt-engine/sso/status<br=
 class=3D"">/ovirt-engine/sso/oauth/token-info<br =
class=3D"">/ovirt-engine/webadmin/sso/oauth2-callback<br =
class=3D"">/ovirt-engine/webadmin/sso/login<br =
class=3D"">/ovirt-engine/sso/oauth/token<br =
class=3D"">/ovirt-engine/sso/oauth/authorize<br =
class=3D"">/ovirt-engine/sso/interactive-redirect-to-module<br =
class=3D"">/ovirt-engine/sso/interactive-login-next-auth<br =
class=3D"">/ovirt-engine/sso/interactive-login-negotiate/ovirt-auth</div><=
/body></html>=

--Apple-Mail=_138C94D8-E499-4C85-8D42-96B668C52119--

Fabrice Bacchella

Ravi Nori

Ravi Nori

tags

participants (2)