[Ovirt-devel] ovirt and freeipa

Michael DeHaan mdehaan at redhat.com
Thu Apr 9 19:37:45 UTC 2009


Ian Main wrote:
> On Thu, 9 Apr 2009 14:11:21 -0500 (CDT)
> Mike McGrath <mmcgrath at redhat.com> wrote:
>
>> So if we have an organization that, for any reason, cannot run freeipa.
>> They cannot use ovirt.  Freeipa is a false requirement for cloud and
>> virtualization.
>>
>> The web frontend already uses basic auth, by doing this it makes it easy
>> to swap auth out with many of the apache mod_auth modules allowing people
>> to pick whatever auth mechanism they want.
>>
>> Use case:
>>
>> 1) Admin uses mod_auth_postgres
>> 2) User exists in postgres logs in to ovirtwui
>> 3) ovirt creates the user if it doesn't exist
>> 4) admin can then create permissions and things for the user
>>
>> How hard would it be to do the above?
>
> The other issue is that the qpid infrastructure is currently set up
> to require kerberos authentication.  However, it's kind of silly in
> a way because the default roll out has it grabbing the ticket from
> the web server specified in the DNS SRV records, which means that no
> authentication of nodes really takes place.  The right way to securely
> connect nodes is to copy the ticket to some persistent storage on the
> node before deployment.
>
> The thing this protects against is malicious nodes.. note that a VM
> could also register as a node so you have to trust your VMs too..
> this is actually a problem with the current default config.  Note
> that you don't need a node image booted, you just need the ovirt
> scripts to register with the ovirt server etc.  The danger of a rogue
> node is that it gives that node access to whatever VMs happen to get
> created on it (take snapshot, scp it to home computer or such - image
> stealing).
>
> I think it would be a good idea to enable the qpid infrastructure to
> work without kerberos for demoing/testing/evaluating.

I'm really going to want this, especially speaking out to libvirt-qmf. Not just in an oVirt context, but in general. IIRC this does support anything GSSAPI though, so we're really just talking about internal QMF to ovirt requiring kerberos?

Yes, anything that makes life easier on developers would be a huge plus. Requiring kerberos (but not IPA) in the installed environment seems reasonable though... but one shouldn't assume the kerb source is IPA or that folks need to have an LDAP server.

--Michael
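The web-frontend use case quoted above (Apache does basic auth with whatever mod_auth module the admin picks, the application creates the user on first login, the admin grants permissions afterwards), sketched as an added Ruby example. This is not oVirt's code; UserStore, authenticate and authorize are stand-in names of mine, and the in-memory store stands in for the real users and permissions tables. It assumes Apache has already authenticated the request and exposed the login in the REMOTE_USER environment variable, and it shows the check that matters once auth is delegated this way: only the server-set REMOTE_USER is honoured, a client-supplied header is ignored, and an auto-created user starts with no permissions until an admin grants some.

```ruby
require 'set'

# Added example (not oVirt code): "create the user if it doesn't exist" behind
# Apache basic auth. Apache, with whichever mod_auth module the admin chose,
# authenticates the request and sets REMOTE_USER; the application trusts only
# that variable. UserStore, authenticate and authorize are hypothetical names.

class UserStore
  # Hypothetical in-memory stand-in for the users/permissions tables.
  User = Struct.new(:login, :permissions)

  def initialize
    @users = {}
  end

  def find(login)
    @users[login]
  end

  # Step 3 of the use case: look the login up, create it on first sight.
  # Returns [user, created?]. A new user has no permissions at all; step 4
  # (an admin granting them) is a separate, explicit action.
  def find_or_create(login)
    if (user = @users[login])
      [user, false]
    else
      user = User.new(login, Set.new)
      @users[login] = user
      [user, true]
    end
  end

  # Step 4: an admin grants a permission to an existing user.
  def grant(login, permission)
    user = @users.fetch(login)
    user.permissions << permission
    user
  end
end

# Maps the CGI/Rack-style environment the web server hands over to a session.
# Only REMOTE_USER counts: Apache sets it after a successful authentication.
# HTTP_* keys are request headers and come from the client, so a header such
# as X-Remote-User (HTTP_X_REMOTE_USER) is deliberately ignored.
# Returns a hash with :status, :user (nil on failure) and :created.
def authenticate(env, store)
  login = env['REMOTE_USER']
  if login.nil? || login.strip.empty?
    return { status: 401, user: nil, created: false }
  end
  user, created = store.find_or_create(login.strip)
  { status: 200, user: user, created: created }
end

# True only when the permission was explicitly granted by an admin.
def authorize(user, permission)
  !user.nil? && user.permissions.include?(permission)
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new
  # Constructed environments standing in for three requests.
  first = authenticate({ 'REMOTE_USER' => 'alice' }, store)
  puts "alice: status #{first[:status]}, created #{first[:created]}"
  forged = authenticate({ 'HTTP_X_REMOTE_USER' => 'admin' }, store)
  puts "client-supplied header only: status #{forged[:status]}"
  store.grant('alice', :create_vm)
  puts "alice may create_vm: #{authorize(store.find('alice'), :create_vm)}"
end
```

Swapping the auth mechanism is then purely an Apache configuration change: any module that populates REMOTE_USER works, and the application never sees a password, which is what makes the basic-auth front end so easy to pair with mod_auth modules as the quoted message suggests.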
