On Tue, Jul 4, 2017 at 6:05 PM, Fabrice Bacchella <[email protected]> wrote: > >> Le 1 juil. 2017 à 09:09, Fabrice Bacchella <[email protected]> a >> écrit : >> >> >>> Le 30 juin 2017 à 23:25, Ondra Machacek <[email protected]> a écrit : >>> >>> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella >>> <[email protected]> wrote: >>>> >>>>> Le 29 juin 2017 à 14:42, Fabrice Bacchella <[email protected]> >>>>> a écrit : >>>>> >>>>> >>>>>> Le 29 juin 2017 à 13:41, Ondra Machacek <[email protected]> a écrit : >>>>>> >>>>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't >>>>>> you use kerberos=True? >>>>> >>>>> Ok, got it. >>>>> It's tested with the sdk, using kerberos. But Kerberos authentication is >>>>> done in Apache and I configure a profile for that, so I needed to add: >>>>> config.artifact.arg = X-Remote-User in my >>>>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is >>>>> missing from internal-authn.properties. So rexecutor@internal is checked >>>>> with my profil, and not found. But as the internal profil don't know >>>>> about X-Remote-User, it can't check the user and fails silently. That's >>>>> why I'm getting only one line. Perhaps the log line should have said the >>>>> extensions name that was failing, not the generic "External >>>>> Authentication" that did'nt caught my eye. >>>>> >>>>> I will check that as soon as I have a few minutes to spare and tell you. >>>> >>>> I'm starting to understand. I need two authn modules, both using >>>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a >>>> different authz.plugin. Is that possible ? If I do what, in what order the >>>> different Authn will be tried ? Are they all tried until one succeed both >>>> authn and authz ? >>>> >>> >>> Yes you can have multiple authn profiles and it tries to login until >>> one succeed: >>> >>> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125 >>> >>> The order isn't guaranteed, but I think it's not important, or is it for >>> you? >> >> I'm not sure. As I need two >> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication >> will always succeed. It's the auhtz that fails as user as either in one >> backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) >> calls the authz part I will be fine. >> > > I think it's not possible to have 2 > org.ovirt.engineextensions.aaa.misc.http.AuthnExtension with different authz. > > The first authz ldap based backend is tried and return: > 2017-07-04 17:50:25,711+02 DEBUG > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (default task-2) [] > Exception: java.lang.RuntimeException: Cannot resolve principal 'rexecutor' > at > org.ovirt.engineextensions.aaa.ldap.AuthzExtension.doFetchPrincipalRecord(AuthzExtension.java:579) > [ovirt-engine-extension-aaa-ldap.jar:] > at > org.ovirt.engineextensions.aaa.ldap.AuthzExtension.invoke(AuthzExtension.java:478) > [ovirt-engine-extension-aaa-ldap.jar:] > at > org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:49) > at > org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:73) > at > org.ovirt.engine.core.extensions.mgr.ExtensionProxy.invoke(ExtensionProxy.java:109) > at > org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:122) > at > org.ovirt.engine.core.sso.utils.NegotiateAuthUtils.doAuth(NegotiateAuthUtils.java:68) > at > org.ovirt.engine.core.sso.utils.NonInteractiveAuth$2.doAuth(NonInteractiveAuth.java:51) > at > org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.issueTokenUsingHttpHeaders(OAuthTokenServlet.java:183) > at > org.ovirt.engine.core.sso.servlets.OAuthTokenServlet.service(OAuthTokenServlet.java:72) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:66) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) > at > io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) > at > io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) > at > io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_121] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_121] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121] > > Right after that, I see in the log: > 2017-07-04 17:50:25,718+02 ERROR > [org.ovirt.engine.core.sso.utils.NegotiateAuthUtils] (default task-2) [] > External Authentication Failed: Cannot resolve principal 'rexecutor' > > and I don't see in the stack the modules you show me in > org.ovirt.engine.core.aaa.filters.doAuth, I think the failure happens latter > and ovirt won't manage to handle other authn modules.
Ok, that's bug, can you please open it? > > > _______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
