[ovirt-users] new internal SSO

Ravi Nori rnori at redhat.com
Mon Aug 15 06:42:26 UTC 2016


In addition to the list of URLs in the original email:

/ovirt-engine/webadmin/sso/logout
/ovirt-engine/userportal/sso/oauth2-callback
/ovirt-engine/userportal/sso/login
/ovirt-engine/userportal/sso/logout
/ovirt-engine/login
/ovirt-engine/logout
/ovirt-engine/switch-user
/ovirt-engine/error.html
/ovirt-engine/index.html
/ovirt-engine/oauth2-callback

/ovirt-engine/sso/interactive-login
/ovirt-engine/sso/interactive-redirect-to-module
/ovirt-engine/sso/interactive-login-basic
/ovirt-engine/sso/interactive-login-basic-enforce
/ovirt-engine/sso/interactive-login-negotiate
/ovirt-engine/sso/interactive-change-passwd
/ovirt-engine/sso/login-unauthorized
/ovirt-engine/sso/interactive-login-next-auth
/ovirt-engine/sso/oauth/authorize
/ovirt-engine/sso/oauth/token
/ovirt-engine/sso/oauth/token-http-auth/*
/ovirt-engine/sso/oauth/token-info
/ovirt-engine/sso/oauth/revoke
/ovirt-engine/sso/login.html
/ovirt-engine/sso/credentials-change.html

and there is also

/ovirt-engine/api and all the resources (hosts, vms, etc.)


On Fri, Aug 12, 2016 at 6:45 AM, Fabrice Bacchella
<fabrice.bacchella at orange.fr> wrote:
> I'm currently fighting with the new mandatory SSO system introduced in 4.0.
>
> It's also used internally, as ovirt-engine is calling itself, as shown in
> the Apache log, to identify itself to itself:
>
> [2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST
> /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
> [2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST
> /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"
>
> But the SSO will be accessed by humans too:
>
> [2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET
> /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + -
> "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh;
> Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
>
>
> I'm using a custom apache configuration, as I need that to better integrate
> ovirt in our running SSO and PKI setup.
>
> So under SSO I wonder which part needs to be protected using our own SSO,
> and what part can be open to any access, and the internal security of ovirt
> will manage it?
>
> In https://bugzilla.redhat.com/show_bug.cgi?id=1342192, it seems to me that
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs
> to be protected. Am I right?
>
> In my log, I've seen access to:
>
> /ovirt-engine/sso/status
> /ovirt-engine/sso/oauth/token-info
> /ovirt-engine/webadmin/sso/oauth2-callback
> /ovirt-engine/webadmin/sso/login
> /ovirt-engine/sso/oauth/token
> /ovirt-engine/sso/oauth/authorize
> /ovirt-engine/sso/interactive-redirect-to-module
> /ovirt-engine/sso/interactive-login-next-auth
> /ovirt-engine/sso/interactive-login-negotiate/ovirt-auth
>