[Users] API read-only access / roles

Juan Hernandez jhernand at redhat.com
Sat Feb 22 12:22:14 UTC 2014 

On 02/20/2014 04:51 PM, Itamar Heim wrote:
> On 02/20/2014 05:24 PM, Sven Kieske wrote:
>> Hi,
>>
>> is nobody interested in this feature at all?
>> it would be a huge security gain, while lowering
>> the bars for having a read only user if this could get shipped with 3.4:
> 
> we are very interested, but we want to do this based on the 
> authentication re-factoring, which in itself, barely made the 3.4 timeline.
> Yair - are we "pluggable" yet, that someone could add such a user by 
> dropping a jar somewhere, or still on going work towards 3.5?
> 

Pugglability of authentication already works in 3.4. By default it uses
the previous mechanism, but the administrator can change this. In order
to change you need to create the /etc/ovirt-engine/auth.conf.d directory
and then create inside one or more "authentication profiles"
configuration files. An authentication profile is a combination of an
"authenticator" and a "directory". The authenticator is used to check
the credentials (the user name and password) and the "directory" is used
to search users and their details. For example, if you want to use local
authentication (the users, passwords, and groups of the OS) you can
create a "local.conf" file with the following content:

  #
  # The name of the profile. This is what will be displayed in the
  # combo box in the login page.
  #
  name=local

  #
  # Needed to enable the profile, by default all profiles are
  # disabled.
  #
  enabled=true

  #
  # The configuration of the authenticator used by the profile. The
  # type and the module are mandatory, the rest are optional and
  # the default values are as shown below.
  #
  authenticator.type=ssh
  authenticator.module=org.ovirt.engine.core.authentication.ssh
  # authenticator.host=localhost
  # authenticator.port=22
  # authenticator.timeout=10

  #
  # The configuration of the directory:
  #
  directory.type=nss
  directory.module=org.ovirt.engine.core.authentication.nss

For this to work you need to install some additional modules, which
aren't currently part of the engine. This is where plugabillity comes in
place. This modules can be built externally. I created modules for SSH
authentication and NSS (Name Service Switch) directory. The source is
available here:

https://github.com/jhernand/ovirt-engine-ssh-authenticator
https://github.com/jhernand/ovirt-engine-nss-directory

The NSS directory also needs JNA (Java Native Access):

https://github.com/jhernand/ovirt-engine-jna-module

Installing these extensions is very easy, just build from source and
uncompress the generated .zip files to /usr/share/ovirt-engine/modules.
In case you don't want to build from source you can use the RPMs that I
created. The source for the .spec files is here:

https://github.com/jhernand/ovirt-engine-rpms

If you don't want to build form source you can use a yum repository that
I created with binaries for Fedora 20 (should work in CentOS as well):

http://jhernand.fedorapeople.org/repo

So, to summarize:

# cat > /etc/yum.repos.d/my.repo <<.
[my]
name=my
baseurl=http://jhernand.fedorapeople.org/repo
enabled=1
gpgcheck=0
.

# yum -y install \
ovirt-engine-ssh-authenticator \
ovirt-engine-nss-directory

# mkdir -p /etc/ovirt-engine/auth.conf.d

# cat > /etc/ovirt-engine/auth.conf.d/local.conf <<.
name=local
enabled=true
authenticator.type=ssh
authenticator.module=org.ovirt.engine.core.authentication.ssh
directory.type=nss
directory.module=org.ovirt.engine.core.authentication.nss
.

# systemctl restart ovirt-engine

Then you can login with admin at internal, add some local users and
permissions, and then use them to login to the GUI or the API.

Take into account that I created these modules as a way to test the new
authentication infrastructure, so they may have limitations or issues. I
appreciate any feedback.

>>
>> Am 19.02.2014 15:32, schrieb Sven Kieske:> I just looked into my test vm
>> with the 3.4 beta
>>> and I can't see such an user there.
>>>
>>> I created an RFE at: https://bugzilla.redhat.com/show_bug.cgi?id=1067036
>>>
>>>
>>> I really hope this can get included in 3.4 (I know it's late)
>>> as it should be a very very minor change at engine-setup.
>>>
>>> Thanks
>>>
>>> Am 19.02.2014 14:55, schrieb Sven Kieske:
>>>> Hi,
>>>>
>>>> reiterating on this somewhat old mail:
>>>>
>>>> Is there a read only user integrated in 3.4?
>>>>
>>>> Because it's a huge overhead to install somewhere
>>>> e.g. a freeipa server just to get read only access.
>>>>
>>>> Am 21.11.2013 09:52, schrieb Sander Grendelman:
>>>>> Hi Doron,
>>>>>
>>>>> The user I've defined in [1] works for me.
>>>>> A built-in login-/read-only role would be nice,
>>>>> but it's quite easy to define a custom role so
>>>>> more of a nice-to-have instead of a must-have.
>>>>>
>>>>> Thanks for asking!
>>>>>
>>>>> Sander.
>>>>>
>>>>> On Wed, Nov 20, 2013 at 5:40 PM, Doron Fediuck <dfediuck at redhat.com>
>> wrote:
>>>>>> Hi Sander,
>>>>>> We're closing the ovirt 3.4 scope, and wondering if you're handling
>>>>>> Zabbix based on [1].
>>>>>> If so please let me know and I'll update the 3.4 features list.
>>>>>>
>>>>>> Thanks,
>>>>>> Doron
>>>>>>
>>>>>> [1] http://lists.ovirt.org/pipermail/users/2013-November/017946.html
>>>>
>>>
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 


-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.

More information about the Users mailing list