Authors:

Feature pages are design documents that developers have created while collaborating on oVirt.

Most of them are outdated, but provide historical design context.

They are not user documentation and should not be treated as such.

Kerberos support in the SDKs and the CLI

Summary

This page describes the Kerberos support that will be added to the Python SDK, the Java SDK and the CLI in version 3.6.

Owner

Current status

Status: implementation

Benefit to oVirt

  • Support installations where Kerberos has been selected as the authentication mechanism for the engine.

Description

Python SDK

The Kerberos support for the Python SDK will be implemented in two steps:

Once this is implemented the user will be able to specify the use of Kerberos authentication with a new kerberos parameter in the constructor of the API object:

 api = ovirtsdk.api.API(
  url="https://ovirt.example.com/ovirt-engine/api",
  kerberos=True,
  ...
 )

For this to work the Kerberos client has to be correctly configured (the /etc/krb5.conf file has to exist) and the credentials cache has to be already populated (using the kinit command, for example).

Java SDK

The Kerberos support in the Java SDK will be implemented in one step, as the httpcomponents library that we currently use already supports Kerberos authentication. However, to simplify things for users, we will also introduce a new ApiBuilder class to make construction of the API object easier:

Once these two changes are done, the user will use the SDK as follows:

 Api api = new ApiBuilder()
  .url("https://ovirt.example.com/ovirt-engine/api")
  .kerberos(true)
  .build();

For this to work the Kerberos support of the Java virtual machine has to be configured correctly. This means that the /etc/krb5.conf file has to exist. This isn’t usually a problem, as it is required by almost any Kerberos client. But it also means that a JAAS configuration file has to be created to configure the Java virtual machine. The location of this JAAS configuration file isn’t important, it just has to be readable by the Java virtual machine. Its content should be like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
};

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
};

com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true;
};

In addition, the following system properties need to be present, either by adding command line options to the java command or by calling the System.setProperty(...) method:

-Djava.security.auth.login.config=/etc/jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false

The Java SDK will not populate the credentials cache; it has to be populated before calling the SDK, using the kinit command, for example.
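The prerequisites above (a readable /etc/krb5.conf and JAAS file, the three system properties, and a ticket cache already populated by kinit) can be verified before the SDK object is constructed. The following preflight is an added example, not part of the oVirt Java SDK; the file paths and the JAAS entry name com.sun.security.jgss.initiate are the ones from the page, and the class name is an assumption.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosPreflight {
    // Paths assumed for this example; they match the page's command line options.
    private static final String JAAS_CONF = "/etc/jaas.conf";
    private static final String KRB5_CONF = "/etc/krb5.conf";

    // Returns the principal name found in the ticket cache, or throws with a
    // message that names the missing prerequisite.
    public static String ensureKerberosCredentials() {
        // Same three properties the page lists, set programmatically instead of
        // on the java command line.
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        for (String f : new String[] {JAAS_CONF, KRB5_CONF}) {
            if (!Files.isReadable(Paths.get(f))) {
                throw new IllegalStateException(f + " is missing or not readable by the JVM");
            }
        }

        // The entry name must exist in the JAAS file (the page's example defines
        // com.sun.security.jgss.initiate). With useTicketCache=true the
        // Krb5LoginModule reads the cache that kinit populated; nothing here,
        // and nothing in the SDK, runs kinit for the user.
        try {
            LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
            lc.login();
            Set<KerberosPrincipal> principals =
                lc.getSubject().getPrincipals(KerberosPrincipal.class);
            if (principals.isEmpty()) {
                throw new IllegalStateException("JAAS login produced no Kerberos principal");
            }
            return principals.iterator().next().getName();
        } catch (LoginException e) {
            throw new IllegalStateException(
                "No usable Kerberos credentials; run kinit before starting the client", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("Ticket cache holds credentials for " + ensureKerberosCredentials());
    }
}
```

Once this returns, the `new ApiBuilder().url(...).kerberos(true).build()` call from the page can be made with the same system properties already in place.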

CLI

As the CLI uses the Python SDK for all its network communication the only change required is a new --kerberos option that will be translated into the new kerberos=True parameter of the constructor of the API object:

After this modification the user will be able to use Kerberos authentication by adding the --kerberos option to the ovirt-shell command or by adding the kerberos = True option to the .ovirtshellrc file.