[ovirt-users] RESTAPI and kerberos authentication

Ondra Machacek omachace at redhat.com
Thu Apr 14 06:11:32 UTC 2016 

On 04/14/2016 08:06 AM, Ondra Machacek wrote:
> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>> Hello,
>>
>> I need to automatically create a list of all the VMs and the storage
>> path to their disks in the data center for offline storage for desaster
>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>> To achieve this my idea was to query the API using Kerberos
>> authentication and a keytab. This could then run as cronjob.
>> Using username and password is not an option.
>>
>> To configure oVirt for use with IPA I've run engine-manage-domains but
>> the result is not exactly what I'm looking for (despite from the fact,
>> that I can add direcotry users etc.).
>> Next I tried the generic LDAP provider as per documentation
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>>
>
> Just to be sure did you followed these steps[1]?
> If yes and it don't work, it would be nice if you can share a properties
> files you have and engine.log(the part when engine starts). Please also
> ensure twice you have correct permissions on properties files, keytab
> and apache confiig.
>
> Also ensure your browser is correctly setup. Example for firefox[2].

Sorry, I've just realized you use API.
So do you use SDKs or curl? Make sure you use kerberos properly in both 
cases.
For cur its:  curl --negotiate
For SDKs[1], there is a parameter 'kerberos=true' in creation of api object.

[1] 
http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/

>
> It don't work only for API or for UserPortal and Webadmin as well? Or
> you set it up only for API?
>
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
>
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
>
>
>>
>> It was quite easy to get Apache to authenticate against IPA, but I did
>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>> Unauthorized".
>> At the moment Apache authentication appears first and then the RESTAPI
>> auth dialog comes up.
>> Some facts about my setup:
>> oVirt Host:
>> -OS: CentOS 6.7
>> -Engine Version: 3.6
>> IPA Host:
>> -OS: CentOS 7.2
>> -IPA Version: 4.2.0
>>
>>
>> I might mix some things up. Please help me to find out how to achieve my
>> goal. I can provide more information if required.
>>
>> Thanks a lot!
>>
>>
>> Best regards
>> Marcel
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

More information about the Users mailing list