Juan Hernandez has uploaded a new change for review.
Change subject: core: Add Kerberos authenticator
......................................................................
core: Add Kerberos authenticator
Change-Id: Ia4004e4a783530767b2f7682be17b3ce1e9a3802
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
---
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosConfiguration.java
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasCallbackHandler.java
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasConfiguration.java
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticator.java
A
backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticatorFactory.java
M
backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/KerberosManager.java
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerUtils.java
M
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/DetectMixedMode.java
M
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/InstallerConstants.java
M
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
M
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KrbConfCreator.java
12 files changed, 622 insertions(+), 13 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/30/21030/1
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosConfiguration.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosConfiguration.java
new file mode 100644
index 0000000..4052c61
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosConfiguration.java
@@ -0,0 +1,230 @@
+package org.ovirt.engine.core.authentication.kerberos;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class contains the same information that is usually saved in the
{@code /etc/kerberos.conf} file, and it has the
+ * capability to generate that file.
+ */
+public class KerberosConfiguration {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(KerberosConfiguration.class);
+
+ // The name of the property that indicates the location of the Kerberos
configuration file used by the Kerberos
+ // implementation of the JVM:
+ public static final String PROPERTY = "java.security.krb5.conf";
+
+ // This is a singleton because the Kerberos implementation inside the JVM
doesn't support more than one
+ // configuration file:
+ private static volatile KerberosConfiguration instance;
+
+ /**
+ * Get the singleton instance.
+ */
+ public static KerberosConfiguration getInstance() {
+ if (instance == null) {
+ synchronized (KerberosConfiguration.class) {
+ if (instance == null) {
+ instance = new KerberosConfiguration();
+ }
+ }
+ }
+ return instance;
+ }
+
+ // The sections indexed by name:
+ private List<Section> sections = new LinkedList<>();
+
+ // The temporary file where the configuration will be saved:
+ private File file;
+
+ private KerberosConfiguration() {
+ // Nothing.
+ }
+
+ public Section getSection(String name) {
+ return getSection(name, true);
+ }
+
+ public Section getSection(String name, boolean create) {
+ for (Section section : sections) {
+ if (section.getName().equals(name)) {
+ return section;
+ }
+ }
+ if (create) {
+ Section section = new Section(name);
+ sections.add(section);
+ return section;
+ }
+ return null;
+ }
+
+ /**
+ * Saves the configuration to a temporary file and configures the Kerberos
implementation to use that file.
+ */
+ public synchronized void install() throws IOException {
+ // Create the temporary file:
+ if (file == null) {
+ file = File.createTempFile("krb5.", ".conf");
+ file.deleteOnExit();
+ }
+
+ // Save the configuration to the temporary file:
+ try (PrintWriter writer = new PrintWriter(file, "UTF-8")) {
+ for (Section section : sections) {
+ writeSection(writer, section);
+ }
+ writer.flush();
+ }
+
+ // Configure the Kerberos implementation to use the temporary file:
+ System.setProperty(PROPERTY, file.getAbsolutePath());
+ log.info(
+ "The Kerberos configuration has been saved to file \"{}\" and the
system has been configured to use it.",
+ file.getAbsolutePath()
+ );
+ }
+
+ private void writeSection(PrintWriter writer, Section section) throws
IOException {
+ writer.printf("[%s]\n", section.getName());
+ writeRelations(writer, section.getRelations(), 1);
+ writeSections(writer, section.getSections(), 1);
+ writer.printf("\n");
+ }
+
+ private void writeRelations(PrintWriter writer, List<Relation> relations,
int level) throws IOException {
+ for (Relation relation : relations) {
+ String name = relation.getName();
+ for (String value : relation.getValues()) {
+ writeIndent(writer, level);
+ writer.printf("%s = %s\n", name, value);
+ }
+ }
+ }
+
+ private void writeSections(PrintWriter writer, List<Section> sections, int
level) throws IOException {
+ for (Section section : sections) {
+ writeIndent(writer, level);
+ writer.printf("%s = {\n", section.getName());
+ writeRelations(writer, section.getRelations(), level + 1);
+ writeSections(writer, section.getSections(), level + 1);
+ writeIndent(writer, level);
+ writer.printf("}\n");
+ }
+ }
+
+ private void writeIndent(PrintWriter writer, int level) throws IOException
{
+ while (level > 0) {
+ writer.printf(" ");
+ level--;
+ }
+ }
+
+ public static class Relation {
+ private String name;
+ private List<String> values = new LinkedList<>();
+
+ public Relation(String name, String... values) {
+ this.name = name;
+ for (String value : values) {
+ this.values.add(value);
+ }
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public List<String> getValues() {
+ List<String> copy = new ArrayList<String>(values.size());
+ copy.addAll(values);
+ return Collections.unmodifiableList(copy);
+ }
+
+ public void setValues(String... values) {
+ this.values.clear();
+ for (String value : values) {
+ this.values.add(value);
+ }
+ }
+ }
+
+ public static class Section {
+ private String name;
+ private List<Relation> relations = new LinkedList<>();
+ private List<Section> sections = new LinkedList<>();
+
+ public Section(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public Relation getRelation(String name) {
+ for (Relation relation : relations) {
+ if (relation.getName().equals(name)) {
+ return relation;
+ }
+ }
+ return null;
+ }
+
+ public void setRelation(String name, String... values) {
+ Relation relation = getRelation(name);
+ if (relation == null) {
+ relation = new Relation(name, values);
+ relations.add(relation);
+ }
+ else {
+ relation.setValues(values);
+ }
+ }
+
+ public List<Relation> getRelations() {
+ List<Relation> copy = new ArrayList<>(relations.size());
+ copy.addAll(relations);
+ return Collections.unmodifiableList(copy);
+ }
+
+ public Section getSection(String name) {
+ return getSection(name, true);
+ }
+
+ public Section getSection(String name, boolean create) {
+ for (Section section : sections) {
+ if (section.getName().equals(name)) {
+ return section;
+ }
+ }
+ if (create) {
+ Section section = new Section(name);
+ sections.add(section);
+ return section;
+ }
+ return null;
+ }
+
+ public List<Section> getSections() {
+ List<Section> copy = new ArrayList<>(sections.size());
+ copy.addAll(sections);
+ return Collections.unmodifiableList(copy);
+ }
+
+ public void clear() {
+ relations.clear();
+ sections.clear();
+ }
+ }
+}
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasCallbackHandler.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasCallbackHandler.java
new file mode 100644
index 0000000..592dd45
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasCallbackHandler.java
@@ -0,0 +1,50 @@
+package org.ovirt.engine.core.authentication.kerberos;
+
+import java.io.IOException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class KerberosJaasCallbackHandler implements CallbackHandler {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(KerberosJaasCallbackHandler.class);
+
+ // The name and password of the user:
+ private String name;
+ private char[] password;
+
+ // The name of the realm:
+ private String realm;
+
+ public KerberosJaasCallbackHandler(String name, char[] password, String
realm) {
+ this.name = name;
+ this.password = password;
+ this.realm = realm;
+ }
+
+ @Override
+ public void handle(Callback[] cbs) throws IOException,
UnsupportedCallbackException {
+ for (Callback cb : cbs) {
+ if (cb instanceof NameCallback) {
+ NameCallback nameCb = (NameCallback) cb;
+ nameCb.setName(name + "@" + realm);
+ }
+ else if (cb instanceof PasswordCallback) {
+ PasswordCallback passwordCb = (PasswordCallback) cb;
+ passwordCb.setPassword(password);
+ }
+ else {
+ log.warn(
+ "Unknown callback type \"{}\" received from Kerberos login
context for realm \"{}\".",
+ cb.getClass(),
+ realm
+ );
+ }
+ }
+ }
+}
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasConfiguration.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasConfiguration.java
new file mode 100644
index 0000000..604cdec
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosJaasConfiguration.java
@@ -0,0 +1,53 @@
+package org.ovirt.engine.core.authentication.kerberos;
+
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+
+/**
+ * This class is an extension of the JAAS configuration class that creates
configuration entries without modifying the
+ * JAAS configuration file.
+ */
+public class KerberosJaasConfiguration extends Configuration {
+ // This is a singleton and this is the instance:
+ private static volatile KerberosJaasConfiguration instance;
+
+ /**
+ * Get the singleton instance.
+ */
+ public static KerberosJaasConfiguration getInstance() {
+ if (instance == null) {
+ synchronized(KerberosJaasConfiguration.class) {
+ if (instance == null) {
+ instance = new KerberosJaasConfiguration();
+ }
+ }
+ }
+ return instance;
+ }
+
+ // We will create the configuration entries and store them here so they
are reused:
+ private AppConfigurationEntry[] entries;
+
+ /**
+ * Creates a new configuration that authenticates with the Kerberos login
module.
+ */
+ public KerberosJaasConfiguration() {
+ // Create the entries:
+ Map<String, String> options = new HashMap<>();
+ options.put("client", "true");
+ AppConfigurationEntry entry = new AppConfigurationEntry(
+ "com.sun.security.auth.module.Krb5LoginModule",
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options
+ );
+ entries = new AppConfigurationEntry[] { entry };
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ // Note that the name is ignored as we use always the same entries,
regardless of the name.
+ return entries;
+ }
+}
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticator.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticator.java
new file mode 100644
index 0000000..5961138
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticator.java
@@ -0,0 +1,88 @@
+package org.ovirt.engine.core.authentication.kerberos;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.ovirt.engine.core.authentication.PasswordAuthenticator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Authenticate an user requesting a ticket from a KDC. If the ticket can be
obtained and decrypted then the user is
+ * authenticated. The ticket is inmediately discarded in any case.
+ */
+public class KerberosPasswordAuthenticator implements PasswordAuthenticator {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(KerberosPasswordAuthenticator.class);
+
+ // The name of the authenticator:
+ private String name;
+
+ // The name of the Kerberos realm:
+ private String realm;
+
+ /**
+ * Create a new Kerberos authenticator.
+ *
+ * @param name the name of the authenticator
+ * @param realm the name of the Kerberos realm
+ */
+ public KerberosPasswordAuthenticator(String name, String realm) {
+ this.name = name;
+ this.realm = realm;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public String getName() {
+ return realm;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public boolean authenticate(final String name, final char[] password) {
+ // Create the callback handler:
+ CallbackHandler handler = new KerberosJaasCallbackHandler(name,
password, realm);
+
+ // Initially we assume that the authentication will fail:
+ boolean result = false;
+
+ // Try to get a ticket, if this success then the user is authenticated:
+ LoginContext ctx = null;
+ try {
+ ctx = new LoginContext(realm, null, handler,
KerberosJaasConfiguration.getInstance());
+ ctx.login();
+ result = true;
+ }
+ catch (LoginException exception) {
+ log.info(
+ "Authentication of user \"{}\" with Kerberos realm \"{}\"
failed.",
+ name,
+ realm,
+ exception
+ );
+ }
+
+ // Discard the ticket:
+ if (ctx != null) {
+ try {
+ ctx.logout();
+ }
+ catch (LoginException exception) {
+ log.warn(
+ "Can't release Kerberos ticket for user \"{}\" and realm
\"{}\".",
+ name,
+ realm,
+ exception
+ );
+ }
+ }
+
+ return result;
+ }
+}
diff --git
a/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticatorFactory.java
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticatorFactory.java
new file mode 100644
index 0000000..f4bb10e
--- /dev/null
+++
b/backend/manager/modules/authentication/src/main/java/org/ovirt/engine/core/authentication/kerberos/KerberosPasswordAuthenticatorFactory.java
@@ -0,0 +1,187 @@
+package org.ovirt.engine.core.authentication.kerberos;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+
+import org.ovirt.engine.core.authentication.Authenticator;
+import org.ovirt.engine.core.authentication.AuthenticatorFactory;
+import org.ovirt.engine.core.authentication.Configuration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class KerberosPasswordAuthenticatorFactory implements
AuthenticatorFactory {
+ // The log:
+ private static final Logger log =
LoggerFactory.getLogger(KerberosPasswordAuthenticatorFactory.class);
+
+ // The type supported by this factory:
+ private static final String TYPE = "kerberos";
+
+ // Names of configuration parameters:
+ private static final String DEFAULTS_PARAMETER = "defaults";
+ private static final String FILE_PARAMETER = "file";
+ private static final String KERBEROS_PARAMETER = "kerberos";
+ private static final String NAME_PARAMETER = "name";
+ private static final String KDCS_PARAMETER = "kdcs";
+ private static final String REALM_PARAMETER = "realm";
+
+ // Names of sections of the Kerberos configuration files:
+ private static final String DEFAULTS_SECTION = "libdefaults";
+ private static final String REALMS_SECTION = "realms";
+ private static final String DOMAIN_REALM_SECTION = "domain_realm";
+
+ public KerberosPasswordAuthenticatorFactory() {
+ // Create the Kerberos configuration:
+ KerberosConfiguration conf = KerberosConfiguration.getInstance();
+
+ // Populate the libdefaults section of the Kerberos configuration:
+ KerberosConfiguration.Section defaultsSection =
conf.getSection(DEFAULTS_SECTION);
+ defaultsSection.setRelation("dns_lookup_realm", "false");
+ defaultsSection.setRelation("dns_lookup_kdc", "false");
+ defaultsSection.setRelation("ticket_lifetime", "24h");
+ defaultsSection.setRelation("renew_lifetime", "7d");
+ defaultsSection.setRelation("forwardable", "no");
+ defaultsSection.setRelation("default_tkt_enctypes",
"arcfour-hmac-md5");
+ defaultsSection.setRelation("udp_preference_limit", "1");
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public String getType() {
+ return TYPE;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Authenticator create(File file, Configuration config) {
+ // Get the name of the authenticator:
+ String name = config.getInheritedString(NAME_PARAMETER);
+ if (name == null) {
+ log.error(
+ "The configuration file \"{}\" doesn't contain the name of the
authenticator.",
+ file.getAbsolutePath()
+ );
+ return null;
+ }
+
+ // Get the Kerberos configuration:
+ Configuration kerberosView =
config.getInheritedView(KERBEROS_PARAMETER);
+ if (kerberosView.isEmpty()) {
+ log.error(
+ "Can't find the Kerberos configuration inside configuration
file \"{}\".",
+ file.getAbsolutePath()
+ );
+ return null;
+ }
+
+ // Get the name of the Kerberos realm:
+ String realm = kerberosView.getString(REALM_PARAMETER);
+ if (realm == null) {
+ log.error(
+ "The parameter \"{}\" hasn't been specified in configuration
file \"{}\", it should contain the name " +
+ "of the Kerberos realm.",
+ kerberosView.getAbsoluteKey(REALM_PARAMETER),
+ file.getAbsolutePath()
+ );
+ return null;
+ }
+
+ // If an existing Kerberos configuration file is explicitly given then
we will use it instead of generating a
+ // new one:
+ String kerberosPath = kerberosView.getString(FILE_PARAMETER);
+ if (kerberosPath != null) {
+ File kerberosFile = new File(kerberosPath);
+ if (!kerberosFile.exists() || !kerberosFile.canRead()) {
+ log.error(
+ "The Kerberos configuration file \"{}\" doesn't exist or
can't be read.",
+ kerberosFile.getAbsolutePath()
+ );
+ return null;
+ }
+ System.setProperty(KerberosConfiguration.PROPERTY,
kerberosFile.getAbsolutePath());
+ }
+ else {
+ // Update the Kerberos configuration:
+ updateDefaultsSection(realm, kerberosView);
+ updateRealmsSection(realm, kerberosView);
+ updateDomainRealmSection(realm, kerberosView);
+
+ // Install the generated Kerberos configuration:
+ try {
+ KerberosConfiguration.getInstance().install();
+ }
+ catch (IOException exception) {
+ log.error(
+ "Can't install the generated Kerberos configuration.",
+ exception
+ );
+ return null;
+ }
+ }
+
+ // We are good, create the authenticator:
+ return new KerberosPasswordAuthenticator(name, realm);
+ }
+
+ /**
+ * Override the Kerberos {@code libdefaults} configuration section whith
whatever is provided in the
+ * {@code kerberos.defaults} view of the authenticator configuration.
+ *
+ * @param realm the name of the Kerberos realm
+ * @param view the view of the configuration of the authenticator that
startis with the {@code kerberos} prefix
+ */
+ private void updateDefaultsSection(String realm, Configuration view) {
+ // Set the realm of this authenticator as the default realm (this is
needed because the Kerberos implementation
+ // requires this parameter, even if we are always to explicitly
provide the realm name when authenticating the
+ // users):
+ KerberosConfiguration.Section defaultsSection =
+
KerberosConfiguration.getInstance().getSection(DEFAULTS_SECTION);
+ defaultsSection.setRelation("default_realm", realm);
+
+ // If there is a defaults view in the authenticator configuration then
copy its content to the libdefaults
+ // section of the Kerberos configuration:
+ Configuration defaultsView = view.getView(DEFAULTS_PARAMETER);
+ if (!defaultsView.isEmpty()) {
+ for (String defaultsKey : defaultsView.getKeys()) {
+ String defaultsValue = defaultsView.getString(defaultsKey);
+ defaultsSection.setRelation(defaultsKey, defaultsValue);
+ }
+ }
+ }
+
+ /**
+ * Update the Kerberos {@code realms} configuration section whith whatever
is provided in the
+ * {@code kerberos} view of the authenticator configuration.
+ *
+ * @param realm the name of the Kerberos realm
+ * @param view the view of the configuration of the authenticator that
startis with the {@code kerberos} prefix
+ */
+ private void updateRealmsSection(String realm, Configuration view) {
+ KerberosConfiguration.Section realmsSection =
KerberosConfiguration.getInstance().getSection(REALMS_SECTION);
+ KerberosConfiguration.Section realmSection =
realmsSection.getSection(realm);
+ realmSection.clear();
+ List<String> kdcs = view.getList(KDCS_PARAMETER);
+ if (kdcs != null) {
+ realmSection.setRelation("kdc", kdcs.toArray(new
String[kdcs.size()]));
+ }
+ }
+
+ /**
+ * Update the Kerberos {@code domain_realm} configuration section whith
whatever is provided in the
+ * {@code kerberos} view of the authenticator configuration.
+ *
+ * @param realm the name of the Kerberos realm
+ * @param view the view of the configuration of the authenticator that
startis with the {@code kerberos} prefix
+ */
+ private void updateDomainRealmSection(String realm, Configuration view) {
+ KerberosConfiguration.Section domainRealmSection =
+
KerberosConfiguration.getInstance().getSection(DOMAIN_REALM_SECTION);
+ String domain = realm.toLowerCase();
+ domainRealmSection.setRelation(domain, realm);
+ domainRealmSection.setRelation("." + domain, realm);
+ }
+}
diff --git
a/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
b/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
index 3f8a7a1..2bea66f 100644
---
a/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
+++
b/backend/manager/modules/authentication/src/main/resources/META-INF/services/org.ovirt.engine.core.authentication.AuthenticatorFactory
@@ -4,4 +4,5 @@
#
org.ovirt.engine.core.authentication.header.HeaderAuthenticatorFactory
org.ovirt.engine.core.authentication.internal.InternalAuthenticatorFactory
+org.ovirt.engine.core.authentication.kerberos.KerberosPasswordAuthenticatorFactory
org.ovirt.engine.core.authentication.nop.NopAuthenticatorFactory
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/KerberosManager.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/KerberosManager.java
index a11fee7..10ce2b8 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/KerberosManager.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/KerberosManager.java
@@ -72,17 +72,17 @@
if (engineEtc == null) {
engineEtc = "/etc/ovirt-engine";
}
- File krb5File = new File(engineEtc, "krb5.conf");
+ File krb5File = new File(engineEtc, "krb.conf");
if (krb5File.exists()) {
if (log.isDebugEnabled()) {
log.debug("Loading kerberos settings from " +
krb5File.getAbsolutePath());
}
- System.setProperty("java.security.krb5.conf",
+ System.setProperty("java.security.krb.conf",
krb5File.getAbsolutePath());
} else {
log.error("Failed loading kerberos setting. File " + krb5File + "
not found.");
}
- System.setProperty("sun.security.krb5.msinterop.kstring","true");
+ System.setProperty("sun.security.krb.msinterop.kstring","true");
}
@SuppressWarnings("restriction")
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerUtils.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerUtils.java
index 6f3f9bb..64ac91f 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerUtils.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerUtils.java
@@ -321,7 +321,7 @@
if (parts.length != 2) {
// when Kerberos is the auth mechanism we must use UPN to otherwise
- // the default REALM, as confugured in krb5.conf will be picked
+ // the default REALM, as confugured in krb.conf will be picked
return isKerberosAuth ? loginName + "@" + domain.toUpperCase() :
loginName;
}
diff --git
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/DetectMixedMode.java
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/DetectMixedMode.java
index caca5d4..4daf2c8 100644
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/DetectMixedMode.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/DetectMixedMode.java
@@ -10,7 +10,7 @@
public class DetectMixedMode {
/**
- * Open a krb5.conf file and search a property defining the encryption
types used for kerberos ticket negotiation.
+ * Open a krb.conf file and search a property defining the encryption
types used for kerberos ticket negotiation.
* The property is "default_tkt_enctypes = arcfour-hmac-md5".
*
* @param krbConfPath
@@ -37,8 +37,8 @@
public static void main(String[] args) {
if (args.length == 0) {
- System.out.println("Error: Missing krb5.conf file argument");
- System.out.println("Usage: " + DetectMixedMode.class.getName() + "
krb5.conf");
+ System.out.println("Error: Missing krb.conf file argument");
+ System.out.println("Usage: " + DetectMixedMode.class.getName() + "
krb.conf");
System.exit(1);
}
DetectMixedMode d = new DetectMixedMode();
diff --git
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/InstallerConstants.java
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/InstallerConstants.java
index 0dafc49..a1ce872 100644
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/InstallerConstants.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/InstallerConstants.java
@@ -2,6 +2,6 @@
public class InstallerConstants {
public static final String ERROR_PREFIX = "Error: ";
- public static final String KRB_FILE_NAME = "krb5.conf";
+ public static final String KRB_FILE_NAME = "krb.conf";
}
diff --git
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
index 75c8054..3c9193a 100644
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
@@ -106,7 +106,7 @@
private void printUsage() {
System.out.println("Usage:");
System.out
- .println("KerberosConfigCheck: -domains=<domains> -user=<user>
-password=<password> -jaas_conf=<jaas conf path> krb5_conf_path=<krb5 conf
path>");
+ .println("KerberosConfigCheck: -domains=<domains> -user=<user>
-password=<password> -jaas_conf=<jaas conf path> krb5_conf_path=<krb conf
path>");
}
private boolean validate(CLIParser parser) {
@@ -198,7 +198,7 @@
// will define
// that JAAS is using kerberos login module
- System.setProperty("java.security.krb5.conf", pathToKrb5File);
+ System.setProperty("java.security.krb.conf", pathToKrb5File);
// Get kdcs for the relevant protocol (tcp or udp) and for the given
// realm
diff --git
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KrbConfCreator.java
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KrbConfCreator.java
index 83e3495..1277b29 100644
---
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KrbConfCreator.java
+++
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KrbConfCreator.java
@@ -16,8 +16,8 @@
import org.ovirt.engine.core.utils.dns.DnsSRVLocator.DnsSRVResult;
/**
- * A tool to create a krb5.conf file from a template using the supplied domain
list. For each domain an SRV DNS request
- * will be made to extract the relevant KDC's. The (configurable) output file
is a valid krb5.conf to by the ENGINE
+ * A tool to create a krb.conf file from a template using the supplied domain
list. For each domain an SRV DNS request
+ * will be made to extract the relevant KDC's. The (configurable) output file
is a valid krb.conf to by the ENGINE
* server.
*/
public class KrbConfCreator {
@@ -70,7 +70,7 @@
}
private void loadSourceFile() throws FileNotFoundException {
- String template = "krb5.conf.template";
+ String template = "krb.conf.template";
sourceFile =
KrbConfCreator.class.getClassLoader().getResourceAsStream(template);
if (sourceFile == null) {
throw new FileNotFoundException(template + " was not found");
--
To view, visit http://gerrit.ovirt.org/21030
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia4004e4a783530767b2f7682be17b3ce1e9a3802
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
