[ovirt-users] ovirt and CAS SSO

Fabrice Bacchella fabrice.bacchella at orange.fr
Mon Mar 14 09:28:02 UTC 2016


I managed to set up a not 100% perfect solution, but it is quite usable anyway.

I used org.ovirt.engineextensions.aaa.misc.http.AuthnExtension for authentication, behind a mod_cas_auth. [1]
Authorization is done using org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension.

I still need to create users manually with ovirt-aaa-jdbc-tool and assign rights manually, but I don't have a lot of users, so I can live with that.

I can share my configuration with you if you are interested.

I tried to have a look at the source code of the current AAA modules. They taught me only one thing: without complete documentation, there is
no hope of writing a new one. Is the javadoc ovirt-engine-extensions-api-impl-javadoc online somewhere?

[1] https://wiki.jasig.org/display/casc/mod_auth_cas


> On 11 March 2016 at 17:55, Martin Perina <mperina at redhat.com> wrote:
> 
> Hi,
> 
> I'm glad to hear that you were able to successfully configure aaa-misc
> and mod_auth_cas to allow CAS based login for oVirt.
> 
> Unfortunately regarding CAS authorization for oVirt I have somewhat bad
> news for you. But let me explain the issue a bit:
> 
> 1. Using aaa-misc we are able to pass only the user name of the authenticated
>   user from apache to ovirt.
> 
> 2. After that we have an authenticated user in oVirt, and then we pass
>   its username to the authz extension to fetch the full principal record including
>   group memberships. At the moment we don't pass anything else to the authz
>   extension, just the principal name (username).
> 
> So here are the options for enabling CAS authorization for oVirt:
> 
> 1. Implement a new authz extension which will fetch the principal record from the CAS
>   server (if this is possible, I don't know much about CAS)
> 
> 2. Or implement new authn/authz extensions specific to CAS which will use
>   the CAS API to do both authn and authz.
> 
> 3. Use LDAP as a backend for your CAS server (if possible) and configure
>   the authz part using ovirt-engine-extension-aaa-ldap
> 
> 4. You could also create an RFE bug on oVirt to add CAS support, but
>   no promises from me :-) You are the first user asking about CAS support.
> 
> Regarding documentation:
> 
>  - The oVirt engine extensions API JavaDoc is contained in the package
>    ovirt-engine-extensions-api-impl-javadoc
> 
>  - Ondra wrote some great articles about oVirt AAA configurations and
>    published them on his blog [1]
> 
>  - You can also take a look at some presentations about oVirt extensions:
> 
>      The New oVirt Extension API: Taking AAA to the next level [2] [3]
>      oVirt Extension API: The first step for fully modular oVirt [4] [5]
> 
>  - And you can also take a look at the sources of the existing aaa-ldap [6],
>    aaa-misc [7] and aaa-jdbc [8] extensions
> 
> And of course feel free to ask!
> 
> Regards
> 
> Martin Perina
> 
> [1] http://machacekondra.blogspot.cz/
> [2] https://www.youtube.com/watch?v=bSbdqmRNLi0
> [3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
> [4] https://www.youtube.com/watch?v=9b9WVFsy_yg
> [5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
> [6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
> [7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
> [8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc
> 
> ----- Original Message -----
>> From: "Fabrice Bacchella" <fabrice.bacchella at orange.fr>
>> To: Users at ovirt.org
>> Sent: Tuesday, March 8, 2016 11:54:13 AM
>> Subject: [ovirt-users] ovirt and CAS SSO
>> 
>> I'm trying to add CAS SSO to ovirt.
>> 
>> For authn (authentication),
>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
>> behind an Apache with mod_auth_cas.
>> 
>> Now I'm fighting with authz (authorization). CAS provides everything needed
>> as headers, so I don't need the ldap or jdbc extensions. Is there anything done
>> about that, or do I need to write my own extension? Is there some
>> documentation about that?
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>> 
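To make the two-stage flow Martin describes above concrete (authn via aaa-misc yields only a principal name taken from a proxy-set header; the authz extension is then handed just that name and must fetch the full record, with group memberships, itself), here is a small Python model of it. This is an added illustration written for this thread, not oVirt code: the header name `X-Remote-User`, the `from_trusted_proxy` flag, the in-memory principal store and all function names are assumptions. The point it shows is the one behind Fabrice's workaround: whatever CAS attributes mod_auth_cas may expose as headers never reach the authz stage, so the user must already exist in the store (as created with ovirt-aaa-jdbc-tool), and the identity header is only meaningful when the request actually came through the authenticating Apache in front of JBoss.

```python
"""Model of the aaa-misc (HTTP authn) + authz flow discussed in this thread.
Constructed example, not oVirt code. TRUSTED_PROXY_HEADER, from_trusted_proxy,
PRINCIPAL_STORE and the function names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header the authenticating reverse proxy (Apache + mod_auth_cas) sets for
# the backend. The real header aaa-misc reads is configurable; this is a
# placeholder name, not the extension's default.
TRUSTED_PROXY_HEADER = "X-Remote-User"


@dataclass
class PrincipalRecord:
    """Full principal record as an authz extension would return it."""
    name: str
    groups: List[str] = field(default_factory=list)


# Stand-in for the principal store an aaa-jdbc-style authz backend manages
# (users created beforehand with ovirt-aaa-jdbc-tool). Constructed sample data.
PRINCIPAL_STORE: Dict[str, PrincipalRecord] = {
    "fabrice": PrincipalRecord("fabrice", ["admins"]),
}


def authn_http(headers: Dict[str, str], from_trusted_proxy: bool) -> Optional[str]:
    """Stage 1 (aaa-misc style): the only output is the principal name carried
    by the proxy-set header. Any other header CAS may have added (attributes,
    group claims) is ignored here. The header is only trustworthy when the
    request passed through the authenticating proxy; a backend reachable
    directly must refuse to honour it, otherwise any client could set it."""
    if not from_trusted_proxy:
        return None
    name = headers.get(TRUSTED_PROXY_HEADER, "").strip()
    return name or None


def authz_lookup(principal_name: str) -> Optional[PrincipalRecord]:
    """Stage 2 (authz extension): receives nothing but the principal name and
    must fetch the full record itself. Unknown names fail, which is why the
    user has to exist in the store before first login."""
    return PRINCIPAL_STORE.get(principal_name)


def login(headers: Dict[str, str], from_trusted_proxy: bool = True) -> Tuple[str, object]:
    """Run both stages and report where the login stopped."""
    name = authn_http(headers, from_trusted_proxy)
    if name is None:
        return ("authn-failed", None)
    record = authz_lookup(name)
    if record is None:
        # Authenticated by CAS, but unknown to the authz backend.
        return ("authz-failed", name)
    return ("ok", record)


if __name__ == "__main__":
    # Constructed requests: a known user, an unknown user, and a request that
    # did not come through the proxy at all.
    print(login({"X-Remote-User": "fabrice", "X-Cas-Groups": "ops"}))
    print(login({"X-Remote-User": "someone-else"}))
    print(login({"X-Remote-User": "fabrice"}, from_trusted_proxy=False))
```

Note in the first call that the group list comes from the store (`admins`), not from the `X-Cas-Groups` header the proxy forwarded: that is exactly the gap Martin's options 1 to 3 are about.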