[ovirt-users] Disable auth basic in API

Jose Manuel Marquez Alhambra jm.marquez at ayto-miguelturra.es
Mon Apr 14 10:32:31 EDT 2014


Hi Juan,

Thank you. It’s working now and I can continue to testing the broker. I’ll revert it as soon as possible.

Regards,

Jose
El 14/04/2014, a las 11:47, Juan Hernandez <jhernand at redhat.com> escribió:

> On 04/11/2014 11:28 PM, Jose Manuel Marquez Alhambra wrote:
>> Hi,
>> 
>> I’m testing a connection broker that uses oVirt's API. At the moment, the connection broker doesn’t work because it doesn’t send the basic authentication to oVirt's API. I contacted the developers and they're investigating the error. While they solve the error, I would like to continue testing the connection broker. Is there any way to disable auth basic in oVirt's API?
>> 
>> I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not worried about security risks.
>> 
>> Thank you.
>> 
>> Regards,
>> 
>> Jose
> 
> 
> Disabling authentication is very bad practice, but if you really need to
> you can use the web server configuration to automatically add the
> required "Authorization" header:
> 
> 1. Compute the basic authentication token from your user name and
> password. For example, if your password if your user is "admin at internal"
> and your possword is "abcdefg":
> 
> # echo -n admin at internal:abcdefg | base64
> YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw==
> 
> 2. Use the mod_headers module to append the authorization header to all
> the requests directed to the RESTAPI, creating a file
> disable-restapi-auth.conf in the /etc/httpd/conf.d directory, with the
> following content:
> 
> <Location /ovirt-engine/api>
>  RequestHeader set Authorization "Basic YWRtaW5AaW50ZXJuYWw6YWJjZGVmZw=="
> </Location>
> 
> Make sure that this file is readable only by root, as it contains your
> password:
> 
> # chmod u=r,g=,o= /etc/httpd/conf.d/disable-restapi-auth.conf
> 
> 3. Restart the web server:
> 
> # service httpd restart
> 
> To make this a little bit more secure I would suggest to allow this
> unauthenticated access available only to certain client IP addresses.
> For example:
> 
> <Location /ovirt-engine/api>
>  SetEnvIf Remote_Addr 192\.168\.122\.1 Disable_Auth
>  RequestHeader set Authorization "Basic
> YWRtaW5AaW50ZXJuYWw6cmVkaGF0MTIz" env=Disable_Auth
> </Location>
> 
> As I said this is a very bad setting from a security point of view, so
> remember to revert it as soon as the broker developers fix the error.
> 
> -- 
> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
> 3ºD, 28016 Madrid, Spain
> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.



More information about the Users mailing list