[Ovirt-devel] ovirt and freeipa

Ian Main imain at redhat.com
Thu Apr 9 19:31:25 UTC 2009


On Thu, 9 Apr 2009 14:11:21 -0500 (CDT)
Mike McGrath <mmcgrath at redhat.com> wrote:

> So if we have an organization that, for any reason, cannot run freeipa.
> They cannot use ovirt.  Freeipa is a false requirement for cloud and
> virtualization.
> 
> The web frontend already uses basic auth, by doing this it makes it easy
> to swap auth out with many of the apache mod_auth modules allowing people
> to pick whatever auth mechanism they want.
> 
> Use case:
> 
> 1) Admin uses mod_auth_postgres
> 2) User exists in postgres logs in to ovirtwui
> 3) ovirt creates the user if it doesn't exist
> 4) admin can then create permissions and things for the user
> 
> How hard would it be to do the above?

The other issue is that the qpid infrastructure is currently set up
to require kerberos authentication.  However, it's kind of silly in
a way because the default roll out has it grabbing the ticket from
the web server specified in the DNS SRV records, which means that no
authentication of nodes really takes place.  The right way to securely
connect nodes is to copy the ticket to some persistent storage on the
node before deployment.

The thing this protects against is malicious nodes. Note that a VM
could also register as a node, so you have to trust your VMs too;
this is actually a problem with the current default config.  Note
that you don't need a node image booted, you just need the ovirt
scripts to register with the ovirt server etc.  The danger of a rogue
node is that it gives that node access to whatever VMs happen to get
created on it (take a snapshot, scp it to a home computer or such - image
stealing).

I think it would be a good idea to enable the qpid infrastructure to
work without kerberos for demoing/testing/evaluating.

If we could have a mode where we get rid of the freeipa and dns
requirements, it would definitely make it much easier to deploy for
evaluation etc.  It would be good for developers to get up and running
as well which may also be advantageous.

 Ian