[ovirt-users] slow kerberos authentication

Ondra Machacek omachace at redhat.com
Fri May 12 11:35:11 UTC 2017 

On Fri, May 12, 2017 at 1:18 PM, Fabrice Bacchella <
fabrice.bacchella at orange.fr> wrote:

> The request is indeed quite slow within ovirt, using the setup given by
> Juan:
>
> /ovirt-engine/sso/oauth/token-http-auth 7001ms
>
> I was not able to authenticate jboss-cli.sh, I don't know why:
> 'admin at internal-authz': No valid profile found in credentials.
>

It should be admin at internal.


>
> So I tried to modifie usr/share/ovirt-engine/services/ovirt-engine/ovirt-
> engine-logging.properties.in, adding:
> org.ovirt.engineextensions.aaa=ALL
> org.ovirt.engine.core.bll.aaa=ALL
> and then restart ovirt-engine. But that changed nothing. That's not the
> good syntax ?
>

You must change the file in ovirt-engine.xml.in same file as Juan send
above.
See here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/ovirt-engine-extension-aaa-ldap-1.0/README#L377

But I think better to use JBoss CLI, you don't have to restart oVirt engine
then.


>
>
>
>
> > Le 12 mai 2017 à 09:25, Ondra Machacek <omachace at redhat.com> a écrit :
> >
> > I am not aware of anything, but debug log of all aaa stuff would help,
> > to understand what takes the most time.
> >
> >  - org.ovirt.engineextensions.aaa.ldap
> >  - org.ovirt.engineextensions.aaa.misc
> >  - org.ovirt.engine.core.aaa
> >  - org.ovirt.engine.core.sso
> >
> > To enable it in runtime, please follow:
> >
> >  https://github.com/oVirt/ovirt-engine-extension-aaa-
> ldap/blob/master/README#L469
> >
> > On Thu, May 11, 2017 at 7:24 PM, Fabrice Bacchella <
> fabrice.bacchella at orange.fr> wrote:
> > I'm using kerberos authentication in ovirt for the URL
> /sso/oauth/token-http-auth, but kerberos is done in Apache using
> auth_gssapi_module and it's quite slow, about 6s for a request.
> >
> > I'm trying to understand if it's apache or ovirt-engine that are slow.
> Is there a way to get response time metered for http requests inside ovirt
> instead of seen from apache ?
> >
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170512/bc4f1d2d/attachment.html>

More information about the Users mailing list