[ovirt-users] ovirt and CAS SSO
Fabrice Bacchella
fabrice.bacchella at orange.fr
Mon Mar 14 09:28:02 UTC 2016
I managed to set up a solution that is not 100% perfect, but quite usable anyway.
I used org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication, behind a mod_cas_auth. [1]
Authorization is done using org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension.
I still need to create users manually with ovirt-aaa-jdbc-tool and assign rights manually, but I don't have a lot of users, so I can live with that.
I can share my configuration with you if you are interested.
I tried to have a look at the source code of the current AAA modules. They taught me only one thing: without complete documentation, there is
no hope of writing a new one. Is the javadoc ovirt-engine-extensions-api-impl-javadoc online somewhere?
[1] https://wiki.jasig.org/display/casc/mod_auth_cas.
> On 11 March 2016 at 17:55, Martin Perina <mperina at redhat.com> wrote:
>
> Hi,
>
> I'm glad to hear that you were able to successfully configure aaa-misc
> and mod_auth_cas to allow CAS based login for oVirt.
>
> Unfortunately regarding CAS authorization for oVirt I have somewhat bad
> news for you. But let me explain the issue a bit:
>
> 1. Using aaa-misc we are able to pass only user name of the authenticated
> user from apache to ovirt.
>
> 2. After that we have authenticated user on oVirt and then we pass
> its username to authz extension to fetch full principal record including
> group memberships. At the moment we don't pass anything else to authz
> extension, just principal name (username).
>
> So here are options how to enable CAS authorization for oVirt:
>
> 1. Implement new authz extension which will fetch principal record from CAS
> server (if this is possible, I don't know much about CAS)
>
> 2. Or implement new authn/authz extensions specific to CAS which will use
> CAS API to do both authn and authz.
>
> 3. Use LDAP as a backend for your CAS server (if possible) and configure
> authz part using ovirt-engine-extension-aaa-ldap
>
> 4. You could also create an RFE bug on oVirt to add CAS support, but
> no promises from me :-) you are the first user asking about CAS support
>
> Regarding documentation:
>
> - oVirt engine extensions API JavaDoc is contained in package
> ovirt-engine-extensions-api-impl-javadoc
>
> - Ondra wrote some great articles about oVirt AAA configurations and
> published them on his blog [1]
>
> - You can also take a look at some presentations about oVirt extensions:
>
> The New oVirt Extension API: Taking AAA to the next level [2] [3]
> oVirt Extension API: The first step for fully modular oVirt [4] [5]
>
> - And you can also take a look at sources of existing aaa-ldap [6],
> aaa-misc [7] and aaa-jdbc [8] extensions
>
> And of course feel free to ask!
>
> Regards
>
> Martin Perina
>
> [1] http://machacekondra.blogspot.cz/
> [2] https://www.youtube.com/watch?v=bSbdqmRNLi0
> [3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
> [4] https://www.youtube.com/watch?v=9b9WVFsy_yg
> [5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
> [6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
> [7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
> [8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc
>
> ----- Original Message -----
>> From: "Fabrice Bacchella" <fabrice.bacchella at orange.fr>
>> To: Users at ovirt.org
>> Sent: Tuesday, March 8, 2016 11:54:13 AM
>> Subject: [ovirt-users] ovirt and CAS SSO
>>
>> I'm trying to add CAS SSO to ovirt.
>>
>> For authn (authentication),
>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
>> behind an Apache with mod_auth_cas.
>>
>> Now I'm fighting with authz (authorization). CAS provides everything needed
>> as headers. So I don't need ldap or jdbc extensions. Is there anything done
>> about that or do I need to write my own extension? Is there some
>> documentation about that?
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>