
Hi,

I’m testing a connection broker that uses oVirt's API. At the moment, the connection broker doesn’t work because it doesn’t send the basic authentication to oVirt's API. I contacted the developers and they're investigating the error. While they solve the error, I would like to continue testing the connection broker. Is there any way to disable auth basic in oVirt's API?

I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not worried about security risks.

Thank you.

Regards,
Jose

----- Original Message -----
From: "Jose Manuel Marquez Alhambra" <jm.marquez@ayto-miguelturra.es>
To: users@ovirt.org
Sent: Saturday, April 12, 2014 12:28:31 AM
Subject: [ovirt-users] Disable auth basic in API
Hi,
I’m testing a connection broker that uses oVirt's API. At the moment, the connection broker doesn’t work because it doesn’t send the basic authentication to oVirt's API. I contacted the developers and they're investigating the error. While they solve the error, I would like to continue testing the connection broker. Is there any way to disable auth basic in oVirt's API?
I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not worried about security risks.
Thank you.
Regards,
Jose

Please elaborate more on what you're trying to achieve, I'm not sure I fully understood.

Thanks in advance,
Yair

On 04/11/2014 11:28 PM, Jose Manuel Marquez Alhambra wrote:
Hi,
I’m testing a connection broker that uses oVirt's API. At the moment, the connection broker doesn’t work because it doesn’t send the basic authentication to oVirt's API. I contacted the developers and they're investigating the error. While they solve the error, I would like to continue testing the connection broker. Is there any way to disable auth basic in oVirt's API?
I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not worried about security risks.
Thank you.
Regards,
Jose

Disabling authentication is very bad practice, but if you really need to you can use the web server configuration to automatically add the required "Authorization" header:

1. Compute the basic authentication token from your user name and password. For example, if your user is "admin@internal" and your password is "abcdefg":

# echo -n admin@internal:abcdefg | base64
YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw==

2. Use the mod_headers module to append the authorization header to all the requests directed to the RESTAPI, creating a file disable-restapi-auth.conf in the /etc/httpd/conf.d directory, with the following content:

<Location /ovirt-engine/api>
  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw=="
</Location>

Make sure that this file is readable only by root, as it contains your password:

# chmod u=r,g=,o= /etc/httpd/conf.d/disable-restapi-auth.conf

3. Restart the web server:

# service httpd restart

To make this a little bit more secure I would suggest making this unauthenticated access available only to certain client IP addresses. For example:

<Location /ovirt-engine/api>
  # Anchored with ^ and $ so that 192.168.122.10, 192.168.122.100, etc. do not also match
  SetEnvIf Remote_Addr ^192\.168\.122\.1$ Disable_Auth
  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6cmVkaGF0MTIz" env=Disable_Auth
</Location>

As I said, this is a very bad setting from a security point of view, so remember to revert it as soon as the broker developers fix the error.

--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
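
Added example, not part of Juan's message or of the oVirt project: a shell audit of a conf.d snippet of this kind. It shows that the injected token decodes straight back to the user name and password, that a SetEnvIf Remote_Addr pattern without ^ and $ anchors also matches neighbouring addresses, and how to confirm the chmod u=r,g=,o= result. CONF_SAMPLE, the candidate addresses and all function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit an httpd conf.d snippet that injects an Authorization header.
# CONF_SAMPLE is constructed: the thread's IP-restricted layout with the
# "admin@internal" / "abcdefg" example token from step 1.
CONF_SAMPLE='<Location /ovirt-engine/api>
  SetEnvIf Remote_Addr 192\.168\.122\.1 Disable_Auth
  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw==" env=Disable_Auth
</Location>'

# Recover user:password from the first injected Basic token. base64 is an
# encoding, not encryption, so anyone who can read the file has the password.
embedded_credential() {
    printf '%s\n' "$1" |
        sed -n 's|.*Authorization "Basic \([A-Za-z0-9+/=]*\)".*|\1|p' |
        head -n 1 | base64 -d
}

# Extract the regular expression given to "SetEnvIf Remote_Addr".
remote_addr_pattern() {
    printf '%s\n' "$1" |
        awk '$1 == "SetEnvIf" && $2 == "Remote_Addr" { print $3; exit }'
}

# Of the candidate client addresses, list those the pattern matches.
# SetEnvIf does an unanchored regex search, which grep -E mirrors here.
matching_clients() {
    pattern=$1; shift
    printf '%s\n' "$@" | grep -E -- "$pattern" | paste -sd ' ' -
}

# True when group and other have no permission bits on the file.
owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed candidate addresses: the allowed host and its neighbours.
CLIENTS="192.168.122.1 192.168.122.10 192.168.122.100 192.168.122.2"
pat=$(remote_addr_pattern "$CONF_SAMPLE")
echo "credential in file : $(embedded_credential "$CONF_SAMPLE")"
echo "as written matches : $(matching_clients "$pat" $CLIENTS)"
echo "anchored matches   : $(matching_clients "^${pat}\$" $CLIENTS)"
```

On a real host, pass the file's contents as the first argument in place of CONF_SAMPLE and call owner_only with the file's path.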

Hi Juan,

Thank you. It’s working now and I can continue testing the broker. I’ll revert it as soon as possible.

Regards,
Jose

On 14/04/2014, at 11:47, Juan Hernandez <jhernand@redhat.com> wrote:
On 04/11/2014 11:28 PM, Jose Manuel Marquez Alhambra wrote:
Hi,
I’m testing a connection broker that uses oVirt's API. At the moment, the connection broker doesn’t work because it doesn’t send the basic authentication to oVirt's API. I contacted the developers and they're investigating the error. While they solve the error, I would like to continue testing the connection broker. Is there any way to disable auth basic in oVirt's API?
I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not worried about security risks.
Thank you.
Regards,
Jose
Disabling authentication is very bad practice, but if you really need to you can use the web server configuration to automatically add the required "Authorization" header:
1. Compute the basic authentication token from your user name and password. For example, if your user is "admin@internal" and your password is "abcdefg":
# echo -n admin@internal:abcdefg | base64
YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw==
2. Use the mod_headers module to append the authorization header to all the requests directed to the RESTAPI, creating a file disable-restapi-auth.conf in the /etc/httpd/conf.d directory, with the following content:
<Location /ovirt-engine/api>
  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw=="
</Location>
Make sure that this file is readable only by root, as it contains your password:
# chmod u=r,g=,o= /etc/httpd/conf.d/disable-restapi-auth.conf
3. Restart the web server:
# service httpd restart
To make this a little bit more secure I would suggest making this unauthenticated access available only to certain client IP addresses. For example:
<Location /ovirt-engine/api>
  # Anchored with ^ and $ so that 192.168.122.10, 192.168.122.100, etc. do not also match
  SetEnvIf Remote_Addr ^192\.168\.122\.1$ Disable_Auth
  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6cmVkaGF0MTIz" env=Disable_Auth
</Location>
As I said, this is a very bad setting from a security point of view, so remember to revert it as soon as the broker developers fix the error.
participants (3)
- Jose Manuel Marquez Alhambra
- Juan Hernandez
- Yair Zaslavsky