[ovirt-users] RESTAPI and kerberos authentication

Marcel Galke mazl_galke at web.de
Thu Apr 14 09:44:48 UTC 2016


Hi,

I'm using curl and I followed the steps in [1] and double checked the
permissions.
I've tested API access vs. webadmin access (see below).

$ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
# Result: HTTP 401
$ kinit
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
# Result: HTTP 200
$ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/api/vms
# Result: HTTP 401

Therefore I believe the httpd config is fine.
For engine.log and the properties file see the attachment.
I've also attached the console output from curl.

Thanks and regards
Marcel

On 14.04.2016 08:11, Ondra Machacek wrote:
> On 04/14/2016 08:06 AM, Ondra Machacek wrote:
>> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>>> Hello,
>>>
>>> I need to automatically create a list of all the VMs and the storage
>>> path to their disks in the data center for offline storage for disaster
>>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>>> To achieve this my idea was to query the API using Kerberos
>>> authentication and a keytab. This could then run as cronjob.
>>> Using username and password is not an option.
>>>
>>> To configure oVirt for use with IPA I've run engine-manage-domains but
>>> the result is not exactly what I'm looking for (apart from the fact
>>> that I can add directory users etc.).
>>> Next I tried the generic LDAP provider as per documentation
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>>>
>>>
>>
>> Just to be sure, did you follow these steps[1]?
>> If yes and it doesn't work, it would be nice if you can share the properties
>> files you have and engine.log (the part when the engine starts). Please also
>> ensure twice that you have correct permissions on the properties files, keytab
>> and apache config.
>>
>> Also ensure your browser is correctly setup. Example for firefox[2].
> 
> Sorry, I've just realized you use the API.
> So do you use the SDKs or curl? Make sure you use kerberos properly in both
> cases.
> For curl it's:  curl --negotiate
> For the SDKs[1], there is a parameter 'kerberos=true' in the creation of the api
> object.
> 
> [1]
> http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/
> 
> 
>>
>> Does it not work only for the API, or for the UserPortal and Webadmin as well? Or
>> did you set it up only for the API?
>>
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
>>
>>
>> [2]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
>>
>>
>>
>>>
>>> It was quite easy to get Apache to authenticate against IPA, but I did
>>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>>> Unauthorized".
>>> At the moment Apache authentication appears first and then the RESTAPI
>>> auth dialog comes up.
>>> Some facts about my setup:
>>> oVirt Host:
>>> -OS: CentOS 6.7
>>> -Engine Version: 3.6
>>> IPA Host:
>>> -OS: CentOS 7.2
>>> -IPA Version: 4.2.0
>>>
>>>
>>> I might mix some things up. Please help me to find out how to achieve my
>>> goal. I can provide more information if required.
>>>
>>> Thanks a lot!
>>>
>>>
>>> Best regards
>>> Marcel
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: engine.log
Type: text/x-log
Size: 113634 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160414/eb187a22/attachment-0001.bin>
-------------- next part --------------
include = <ipa.properties>

vars.domain = funfurt.de
vars.user = uid=aaa,cn=users,cn=accounts,dc=funfurt,dc=de
vars.password = netlognetlog

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/profile1.jks
pool.default.ssl.truststore.password = changeit
-------------- next part --------------
-sh-4.1$ kinit
Password for aaa at FUNFURT.DE: 
-sh-4.1$ klist 
Ticket cache: FILE:/tmp/krb5cc_1838600003
Default principal: aaa at FUNFURT.DE

Valid starting     Expires            Service principal
04/14/16 11:38:47  04/15/16 11:38:42  krbtgt/FUNFURT.DE at FUNFURT.DE
-sh-4.1$ curl -v --negotiate -u : -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/api/vms
* About to connect() to server8.funfurt.de port 443 (#0)
*   Trying 192.168.100.108... connected
* Connected to server8.funfurt.de (192.168.100.108) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=server8.funfurt.de,O=funfurt.de,C=US
* 	start date: Apr 05 21:42:46 2016 GMT
* 	expire date: Mar 11 21:42:46 2021 GMT
* 	common name: server8.funfurt.de
* 	issuer: CN=server8.funfurt.de.90408,O=funfurt.de,C=US
> GET /api/vms HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: server8.funfurt.de
> Accept: application/xml
> 
< HTTP/1.1 401 Authorization Required
< Date: Thu, 14 Apr 2016 09:39:00 GMT
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos Login"
< Vary: Accept-Encoding
< Content-Length: 486
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* Closing connection #0
* Issue another request to this URL: 'https://server8.funfurt.de/api/vms'
* About to connect() to server8.funfurt.de port 443 (#0)
*   Trying 192.168.100.108... connected
* Connected to server8.funfurt.de (192.168.100.108) port 443 (#0)
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=server8.funfurt.de,O=funfurt.de,C=US
* 	start date: Apr 05 21:42:46 2016 GMT
* 	expire date: Mar 11 21:42:46 2021 GMT
* 	common name: server8.funfurt.de
* 	issuer: CN=server8.funfurt.de.90408,O=funfurt.de,C=US
* Server auth using GSS-Negotiate with user ''
> GET /api/vms HTTP/1.1
> Authorization: Negotiate <token elided>
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: server8.funfurt.de
> Accept: application/xml
> 
< HTTP/1.1 401 Unauthorized
< Date: Thu, 14 Apr 2016 09:39:48 GMT
< WWW-Authenticate: Basic realm="ENGINE"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
< Vary: Accept-Encoding
< Connection: close
< 
* Closing connection #0
<html><head><title>Error</title></head><body>Unauthorized</body></html>
-sh-4.1$ 
-sh-4.1$ klist 
Ticket cache: FILE:/tmp/krb5cc_1838600003
Default principal: aaa at FUNFURT.DE

Valid starting     Expires            Service principal
04/14/16 11:38:47  04/15/16 11:38:42  krbtgt/FUNFURT.DE at FUNFURT.DE
04/14/16 11:39:01  04/15/16 11:38:42  HTTP/server8.funfurt.de at FUNFURT.DE
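As an added example (not code from this thread, the oVirt project or IPA): a POSIX shell script for the cron job the original post describes. It obtains the ticket from a keytab into a private credential cache instead of an interactive kinit, verifies the engine certificate with --cacert instead of skipping verification with -k, and carries a small classifier for the two kinds of 401 that appear in the transcript above: the first response answers with WWW-Authenticate: Negotiate (the challenge from the Apache layer), the second, sent after curl supplied the Negotiate token and the HTTP/server8.funfurt.de service ticket had been obtained, answers with Basic realm="ENGINE". Knowing which layer rejected the request is the first thing to settle before touching either the httpd config or the engine's authn/authz setup. The principal svc-ovirt@FUNFURT.DE, the keytab path, the CA file path and the engine URL are assumptions for illustration; the sample headers are constructed from the transcript.

```shell
#!/bin/sh
# Added example for the list thread above; not code from the thread or from oVirt.
# Assumptions (hypothetical, adjust for your site): a service principal
# svc-ovirt@FUNFURT.DE whose keytab lives in /etc/ovirt-api.keytab, and the
# engine CA certificate in /etc/pki/ovirt-engine/ca.pem so curl can verify the
# server instead of running with -k as in the transcript.

ENGINE_URL="${ENGINE_URL:-https://server8.funfurt.de}"
KEYTAB="${KEYTAB:-/etc/ovirt-api.keytab}"
PRINCIPAL="${PRINCIPAL:-svc-ovirt@FUNFURT.DE}"
CA_CERT="${CA_CERT:-/etc/pki/ovirt-engine/ca.pem}"

# classify_response HEADERS
# Takes raw response headers (as saved with curl -D) and reports which layer
# answered:
#   ok      final status 200
#   httpd   401 carrying "WWW-Authenticate: Negotiate": the Apache layer wants
#           a Kerberos token (or did not accept the one it got)
#   engine  401 carrying 'WWW-Authenticate: Basic realm="ENGINE"': the request
#           got past Apache and was rejected by the engine itself
#   other   anything else
# Only the last status line counts, because curl --negotiate produces two
# exchanges (the initial challenge and the authenticated retry).
classify_response() {
    headers="$1"
    status=$(printf '%s\n' "$headers" | sed -n 's|^HTTP/[0-9.]* \([0-9][0-9]*\).*|\1|p' | tail -n 1)
    case "$status" in
        200) echo ok ;;
        401)
            if printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: Basic realm="ENGINE"'; then
                echo engine
            elif printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: Negotiate'; then
                echo httpd
            else
                echo other
            fi
            ;;
        *) echo other ;;
    esac
}

# fetch_vms OUTFILE
# Non-interactive flow for a cron job: get a TGT from the keytab into a private
# credential cache (so the job never reuses a user's /tmp/krb5cc_*), call the
# API with SPNEGO, classify the answer, then discard the cache.
fetch_vms() {
    outfile="$1"
    KRB5CCNAME="FILE:/var/tmp/krb5cc_ovirt_api.$$"
    export KRB5CCNAME
    kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
    hdrfile=$(mktemp) || return 1
    # --negotiate with -u : sends the ticket without prompting; -D keeps the
    # headers of every exchange so classify_response can tell the layers apart.
    curl -sS --negotiate -u : --cacert "$CA_CERT" \
        -H 'Accept: application/xml' -D "$hdrfile" -o "$outfile" \
        "$ENGINE_URL/api/vms"
    verdict=$(classify_response "$(cat "$hdrfile")")
    rm -f "$hdrfile"
    kdestroy
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample: the two responses seen in the transcript above, in order.
SAMPLE_TRANSCRIPT='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Connection: close

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="ENGINE"
Content-Type: text/html;charset=UTF-8
Connection: close'

# With no arguments only the offline classification runs; "fetch FILE" does
# the real call (needs the keytab, the CA file and network access).
if [ "${1:-}" = fetch ]; then
    fetch_vms "${2:-/var/tmp/ovirt-vms.xml}"
else
    echo "transcript classified as: $(classify_response "$SAMPLE_TRANSCRIPT")"
fi
```

Run as `sh ovirt-vms.sh fetch /var/tmp/ovirt-vms.xml` from cron; a verdict of `httpd` points at the Apache Kerberos setup (keytab, service principal, HTTP/ SPN), while `engine` means the ticket was accepted by Apache and the next place to look is how the engine maps the authenticated user and which authz profile it uses.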


