/ovirt-engine-extension-aaa-jdbc

This is a mirror for http://gerrit.ovirt.org, for issues use http://bugzilla.redhat.com
  1. Java 88.4%
  2. Shell 7.5%
  3. PLpgSQL 3.9%
  4. Makefile 0.2%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

@sandrobonazzola
sandrobonazzola automation: fix fedora package listing 
Use dnf-utils on fedora instead of yum-utils.

Change-Id: I4ed8ac6e7b0d360e77575b830c06c4ba09142321
Signed-off-by: Sandro Bonazzola <sbonazzo@redhat.com>
Latest commit 320ddb3 May 30, 2018
Permalink
Failed to load latest commit information.
automation
examples
packaging
src
.gitignore
COPYING
Makefile
README.admin
README.developer
build.xml
ovirt-engine-extension-aaa-jdbc.spec.in

README.admin 

I. Introduction

oVirt aaa-jdbc extension is a part of oVirt since 3.6.0. By default 'internal'
profile (sometimes also called domain) is provided by aaa-jdbc extension in
oVirt 3.6 (during upgrade from oVirt 3.5 'internal' profile is converted from
legacy provider to the new aaa-jdbc provider).

It's also possible to configure additional profiles provided by aaa-jdbc, but
configuration and upgrade of these profiles have to be done manually (see
below).



II. Configuration of 'internal' aaa-jdbc profile

Configuration is completely handled by engine-setup, there are no manual steps
required.



III. Configuration of a new custom aaa-jdbc profile

To configure a new custom profile which uses aaa-jdbc extension please execute
following steps:

1. Setup database for aaa-jdbc extension

   Please replace DB_NAME, DB_USER and DB_PASSWORD with real values:

   su - postgres -c "psql -d template1 << __EOF__
    create user DB_USER password 'DB_PASSWORD';
    create database DB_NAME owner DB_USER template template0
        encoding 'UTF8' lc_collate 'en_US.UTF-8' lc_ctype 'en_US.UTF-8';
   __EOF__
   "

2. Configure PostgreSQL

   Please add following line into /var/lib/pgsql/data/pg_hba.conf (please
   replace DB_NAME and DB_USER with real values):

     host    DB_NAME    DB_USER    0.0.0.0/0       md5
     host    DB_NAME    DB_USER    ::0/0           md5

   These line must be located prior to following lines:

     host    all        all        127.0.0.1/32    ident
     host    all        all        ::1/128         ident

   After that please restart postgresql service.

3. Populate database for aaa-jdbc extension

   Please replace DB_HOST, DB_NAME, DB_USER and DB_PASSWORD with
   real values:

   PGPASSWORD="DB_PASSWORD" \
       /usr/share/ovirt-engine-extension-aaa-jdbc/dbscripts/schema.sh \
       -s DB_HOST \
       -p DB_PORT \
       -d DB_NAME \
       -u DB_USER \
       -c apply

4. Setup AAA profile

   Select name of your profile (it will be visible to users during login) and
   replace PROFILE with selected value:

   # Copy example configuration files and rename according to PROFILE
   cp /usr/share/ovirt-engine-extension-aaa-jdbc/examples/extension.d/authn.properties \
       /etc/ovirt-engine/extensions.d/PROFILE-authn.properties
   cp /usr/share/ovirt-engine-extension-aaa-jdbc/examples/extension.d/authz.properties \
       /etc/ovirt-engine/extensions.d/PROFILE-authz.properties

   # Create /etc/ovirt-engine/aaa directory if necessary
   cp /usr/share/ovirt-engine-extension-aaa-jdbc/examples/aaa/profile.properties \
       /etc/ovirt-engine/aaa/PROFILE.properties

   Edit created PROFILE*.properties files and replace variables surrounded by
   @ with real values.

5. Restart ovirt-engine service and check /var/log/ovirt-engine/engine.log
   to see if extension is initialized successfully according to PROFILE.

6. Setup users and groups

   Setup your users and groups using ovirt-aaa-jdbc-tool and specify database
   configuration using --db-config command line option:

     ovirt-aaa-jdbc-tool \
         --db-config=/etc/ovirt-engine/aaa/PROFILE.properties \
         OPTIONS

7. Login to webadmin using existing administrator account and assign desired
   permissions to users/groups defined in your PROFILE



IV. Upgrading 'internal' profile

aaa-jdbc package and 'internal' profile is automatically upgraded during
engine-setup execution, no manual action is required.

ATTENTION: If your setup contains also custom aaa-jdbc profiles (more info
in chapter III. Configuration of a new custom aaa-jdbc profile), please
continue with steps described in chapter V. Upgrading custom profiles.



V. Upgrading custom profiles

To upgrade custom aaa-jdbc profiles please do following steps:

1. Stop oVirt engine service

     EL6:          service ovirt-engine stop
     EL7/Fedora:   systemctl stop ovirt-engine

2. For each existing custom aaa-jdbc profile please execute following command:

     PGPASSWORD="DB_PASSWORD" \
       /usr/share/ovirt-engine-extension-aaa-jdbc/dbscripts/schema.sh \
       -s DB_HOST \
       -p DB_PORT \
       -d DB_NAME \
       -u DB_USER \
       -e DB_SCHEMA \
       -c apply

   Please replace DB_HOST, DB_NAME, DB_USER, DB_PASSWORD and DB_SCHEMA (if
   profile was configured with different than 'public' schema) with values
   that are specified in database configuration for each profile (usually
   located in /etc/ovirt-engine/aaa/PROFILE_NAME.properties).

3. Start oVirt engine service

     EL6:          service ovirt-engine start
     EL7/Fedora:   systemctl start ovirt-engine