Done in: https://bugzilla.redhat.com/show_bug.cgi?id=1468878.

> On 7 Jul 2017, at 13:51, Ondra Machacek <omach...@redhat.com> wrote:
> 
> On Tue, Jul 4, 2017 at 6:05 PM, Fabrice Bacchella
> <fabrice.bacche...@orange.fr> wrote:
>> 
>>> On 1 Jul 2017, at 09:09, Fabrice Bacchella <fabrice.bacche...@orange.fr> wrote:
>>> 
>>> 
>>>> On 30 Jun 2017, at 23:25, Ondra Machacek <omach...@redhat.com> wrote:
>>>> 
>>>> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
>>>> <fabrice.bacche...@orange.fr> wrote:
>>>>> 
>>>>>> On 29 Jun 2017, at 14:42, Fabrice Bacchella <fabrice.bacche...@orange.fr> wrote:
>>>>>> 
>>>>>> 
>>>>>>> On 29 Jun 2017, at 13:41, Ondra Machacek <omach...@redhat.com> wrote:
>>>>>>> 
>>>>>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
>>>>>>> you use kerberos=True?
>>>>>> 
>>>>>> Ok, got it.
>>>>>> It's tested with the SDK, using Kerberos. But Kerberos authentication is 
>>>>>> done in Apache and I configure a profile for that, so I needed to add: 
>>>>>> config.artifact.arg = X-Remote-User in my 
>>>>>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is 
>>>>>> missing from internal-authn.properties. So rexecutor@internal is 
>>>>>> checked with my profile, and not found. But as the internal profile doesn't 
>>>>>> know about X-Remote-User, it can't check the user and fails silently. 
>>>>>> That's why I'm getting only one line. Perhaps the log line should have 
>>>>>> said the extension name that was failing, not the generic "External 
>>>>>> Authentication" that didn't catch my eye.
>>>>>> 
>>>>>> I will check that as soon as I have a few minutes to spare and tell you.
>>>>> 
>>>>> I'm starting to understand. I need two authn modules, both using 
>>>>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a 
>>>>> different authz.plugin. Is that possible? If I do that, in what order 
>>>>> will the different Authn be tried? Are they all tried until one succeeds 
>>>>> at both authn and authz?
>>>>> 
>>>> 
>>>> Yes, you can have multiple authn profiles and it tries to log in until
>>>> one succeeds:
>>>> 
>>>> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
>>>> 
>>>> The order isn't guaranteed, but I think it's not important, or is it for 
>>>> you?
>>> 
>>> I'm not sure. As I need two 
>>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication 
>>> will always succeed. It's the authz that fails, as the user is either in one 
>>> backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) 
>>> calls the authz part I will be fine.
>>> 
>> 
>> I think it's not possible to have 2 
>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz.
>> 
>> The first authz LDAP-based backend is tried and returns:
>> 2017-07-04 17:50:25,711+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor'
>>        at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) [ovirt-engine-extension-aaa-ldap.jar:]
>>        at org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) [ovirt-engine-extension-aaa-ldap.jar:]
>>        at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49)
>>        at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73)
>>        at org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109)
>>        at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122)
>>        at org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68)
>>        at org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51)
>>        at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183)
>>        at org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72)
>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>        at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73)
>>        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>        at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66)
>>        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>        at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94)
>>        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>>        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
>>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
>>        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
>> 
>> Right after that, I see in the log:
>> 2017-07-04 17:50:25,718+02 ERROR [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] External Authentication Failed: Cannot resolve principal 'rexecutor'
>> 
>> and I don't see in the stack the modules you showed me in 
>> org.ovirt.engine.core.aaa.filters.doAuth. I think the failure happens later, 
>> and oVirt won't manage to handle the other authn modules.
> 
> Ok, that's a bug, can you please open it?
> 

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
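The login loop discussed in the thread (several authn profiles, each tried until one passes) and the reported failure mode (an authz miss in the first profile aborts the whole attempt instead of falling through to the next) can be reproduced with a small model. The code below is an added illustration and is not oVirt's code; the real loop is in the NegotiationFilter linked above and the failing path is in NegotiateAuthUtils. The `Profile` class, the constructed principal sets (`alice`, `bob`, `rexecutor`) and the header name are assumptions made for the example; only `config.artifact.arg = X-Remote-User` and the header-based `AuthnExtension` come from the thread.

```python
"""Model of "try each authn profile until one succeeds" with header-based authn.

Added illustration, not oVirt's own code. Profile names, principal sets and
the helper functions are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class AuthzError(Exception):
    """Raised when the authz backend cannot resolve the principal
    (the 'Cannot resolve principal' case in the thread)."""


@dataclass
class Profile:
    """One *.authn.properties profile.

    artifact_arg models config.artifact.arg: the request header that carries
    the user already authenticated by Apache (Kerberos). None models the
    internal profile in the thread, which has no such setting.
    principals models the authz backend (LDAP or internal) as a set.
    """
    name: str
    artifact_arg: Optional[str]
    principals: Set[str] = field(default_factory=set)

    def authn(self, headers: Dict[str, str]) -> Optional[str]:
        """Header-based authn: succeeds only if the configured header is present.
        A profile without artifact_arg never sees the user and fails silently."""
        if self.artifact_arg is None:
            return None
        return headers.get(self.artifact_arg)

    def authz(self, user: str) -> str:
        """Resolve the principal in this profile's backend or raise AuthzError."""
        if user not in self.principals:
            raise AuthzError(f"Cannot resolve principal '{user}'")
        return f"{user}@{self.name}"


def login_first_error_aborts(profiles: List[Profile], headers: Dict[str, str]) -> Optional[str]:
    """Behaviour reported in the thread: the first profile whose authn succeeds
    runs authz, and an AuthzError there propagates; later profiles are never tried."""
    for p in profiles:
        user = p.authn(headers)
        if user is None:
            continue
        return p.authz(user)  # AuthzError escapes here and ends the login attempt
    return None


def login_try_all(profiles: List[Profile], headers: Dict[str, str]) -> Optional[str]:
    """Expected behaviour: an authz miss in one profile is just a failed attempt;
    keep going until some profile passes both authn and authz."""
    for p in profiles:
        user = p.authn(headers)
        if user is None:
            continue
        try:
            return p.authz(user)
        except AuthzError:
            continue  # user is not in this backend; try the next profile
    return None


def aborts_with_authz_error(profiles: List[Profile], headers: Dict[str, str]) -> bool:
    """True if the first-error-aborts loop fails with AuthzError for these headers."""
    try:
        login_first_error_aborts(profiles, headers)
    except AuthzError:
        return True
    return False


# Constructed profiles mirroring the thread: an LDAP-backed profile and the
# internal profile, both fed by the same X-Remote-User header.
PROFILES = [
    Profile("ldap", "X-Remote-User", {"alice", "bob"}),
    Profile("internal", "X-Remote-User", {"rexecutor"}),
]

# The internal profile as shipped in the thread: no config.artifact.arg, so
# its authn never sees the header and rexecutor cannot log in through it.
INTERNAL_WITHOUT_HEADER = [Profile("internal", None, {"rexecutor"})]


if __name__ == "__main__":
    hdrs = {"X-Remote-User": "rexecutor"}
    print("try-all   :", login_try_all(PROFILES, hdrs))
    print("first-err :", "AuthzError" if aborts_with_authz_error(PROFILES, hdrs) else "ok")
    print("no header :", login_try_all(INTERNAL_WITHOUT_HEADER, hdrs))
```

Running it shows the three situations from the thread side by side: with the fall-through loop `rexecutor` resolves via the internal profile, with the abort-on-first-error loop the LDAP profile's `AuthzError` ends the attempt, and a profile without `config.artifact.arg` never authenticates anyone from the header at all.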
