[ovirt-users] RESTAPI and kerberos authentication

Marcel Galke mazl_galke at web.de
Thu Apr 14 11:00:34 UTC 2016


Hi,

I've managed to get it to work.
What I've done is to first run "engine-manage-domains delete" to remove
the domain and add it again using the new aaa extension tool
"ovirt-engine-extension-aaa-ldap-setup". It's not a good idea to mix
these two methods, I guess.
Restart the engine after each change.
To get rid of the double authentication for the webadmin portal I
changed in /etc/httpd/conf.d/ovirt-sso.conf

"<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>"
to
"<LocationMatch ^(/ovirt-engine/api|/api)>"

So Kerberos SSO will be used for the API only.
Furthermore I've given the user the role "superuser".

Best regards
Marcel

On 14.04.2016 11:44, Marcel Galke wrote:
> Hi,
> 
> I'm using curl and I followed steps in [1] and double checked the
> permissions.
> I've tested API access vs. webadmin access (see below).
> 
> $ curl -v --negotiate -X GET -H "Accept: application/xml" -k
> https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
> # Result: HTTP 401
> $ kinit
> $ curl -v --negotiate -X GET -H "Accept: application/xml" -k
> https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE # Result:
> HTTP 200
> $ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k
> https://server8.funfurt.de/api/vms # Result: HTTP 401
> 
> Therefore I believe httpd config is fine.
> For engine.log and properties file see attachment.
> I've also attached console output from curl.
> 
> Thanks and regards
> Marcel
> 
> On 14.04.2016 08:11, Ondra Machacek wrote:
>> On 04/14/2016 08:06 AM, Ondra Machacek wrote:
>>> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>>>> Hello,
>>>>
>>>> I need to automatically create a list of all the VMs and the storage
>>>> path to their disks in the data center for offline storage for disaster
>>>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>>>> To achieve this my idea was to query the API using Kerberos
>>>> authentication and a keytab. This could then run as cronjob.
>>>> Using username and password is not an option.
>>>>
>>>> To configure oVirt for use with IPA I've run engine-manage-domains but
>>>> the result is not exactly what I'm looking for (despite from the fact,
>>>> that I can add directory users etc.).
>>>> Next I tried the generic LDAP provider as per documentation
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>>>>
>>>>
>>>
>>> Just to be sure, did you follow these steps[1]?
>>> If yes and it doesn't work, it would be nice if you can share the properties
>>> files you have and engine.log (the part when engine starts). Please also
>>> ensure twice you have correct permissions on properties files, keytab
>>> and apache config.
>>>
>>> Also ensure your browser is correctly setup. Example for firefox[2].
>>
>> Sorry, I've just realized you use API.
>> So do you use SDKs or curl? Make sure you use kerberos properly in both
>> cases.
>> For curl it's: curl --negotiate
>> For SDKs[1], there is a parameter 'kerberos=true' in creation of api
>> object.
>>
>> [1]
>> http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/
>>
>>
>>>
>>> It doesn't work only for API or for UserPortal and Webadmin as well? Or
>>> you set it up only for API?
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
>>>
>>>
>>> [2]
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
>>>
>>>
>>>
>>>>
>>>> It was quite easy to get Apache to authenticate against IPA, but I did
>>>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>>>> Unauthorized".
>>>> At the moment Apache authentication appears first and then the RESTAPI
>>>> auth dialog comes up.
>>>> Some facts about my setup:
>>>> oVirt Host:
>>>> -OS: CentOS 6.7
>>>> -Engine Version: 3.6
>>>> IPA Host:
>>>> -OS: CentOS 7.2
>>>> -IPA Version: 4.2.0
>>>>
>>>>
>>>> I might mix some things up. Please help me to find out how to achieve my
>>>> goal. I can provide more information if required.
>>>>
>>>> Thanks a lot!
>>>>
>>>>
>>>> Best regards
>>>> Marcel
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
> 
> 
> 
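The keytab-driven cron job the thread describes, as an added example that is not part of the thread or of oVirt: it refuses a keytab that other users can read (the reply above stresses correct keytab permissions), obtains a ticket with kinit -kt, and queries the API with curl --negotiate -u : under /ovirt-engine/api, the path kept in the narrowed LocationMatch. The keytab path, principal, CA file and the attribute layout used to pull VM ids out of the listing are assumptions; the host name comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or oVirt): cron-able VM/disk inventory
# over the oVirt REST API using a keytab and SPNEGO. Paths and principal below
# are assumed placeholders; server8.funfurt.de is the host named in the thread.
KEYTAB="${KEYTAB:-/etc/ovirt-backup/ovirt-backup.keytab}"   # assumed path
PRINCIPAL="${PRINCIPAL:-ovirt-backup@FUNFURT.DE}"            # assumed principal
ENGINE="${ENGINE:-https://server8.funfurt.de}"
CACERT="${CACERT:-/etc/pki/ovirt-engine/ca.pem}"             # assumed CA; replaces curl -k

# Anyone who can read the keytab can obtain tickets as this principal,
# so only accept owner-only modes (0600 or 0400).
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Ticket from the keytab: no password prompt, private cache for this run.
get_ticket() {
    export KRB5CCNAME="/tmp/krb5cc_ovirt_backup.$$"
    kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# API URL for a collection, e.g. "vms" or "vms/<id>/disks".
api_url() { printf '%s\n' "$ENGINE/ovirt-engine/api/$1"; }

# "-u :" makes curl send Negotiate without asking for a user name.
api_get() {
    curl -sS --fail --negotiate -u : --cacert "$CACERT" \
        -H "Accept: application/xml" "$(api_url "$1")"
}

main() {
    check_keytab_perms "$KEYTAB" || { echo "refusing: $KEYTAB must be 0600/0400" >&2; exit 1; }
    get_ticket || exit 1
    api_get vms > vms.xml
    # Assumes each VM appears as <vm href="..." id="..."> in the listing.
    for id in $(grep -o '<vm href="[^"]*" id="[^"]*"' vms.xml | sed 's/.*id="//; s/"$//'); do
        api_get "vms/$id/disks" > "disks-$id.xml"
    done
    kdestroy
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` from cron; the disk XML files hold the storage domain references per disk.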