oVirt 3.6 introduced new extension called ovirt-engine-extension-aaa-jdbc. If you upgrade from older version or if you install fresh new 3.6 you will have this extension installed and configured. With this extension you can store you users/group in database. Very good for people who don't need much users and don't want to deploy LDAP. Note that your admin@internal will now be part of this extension, this migration is done transparently by engine-setup.
Auth[zn] files for internal extension can be found in etc/ovirt-engine/extensions.d/internal-authz.properties and etc/ovirt-engine/extensions.d/internal-authn.properties. Nothing interesting can be found those two files. In common configuration of auth[zn] you can then find database connection settings, which you will find in etc/ovirt-engine/aaa/internal.properties. Content of the file looks like:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config.datasource.jdbcurl=jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory | |
| config.datasource.dbuser=engine | |
| config.datasource.dbpassword=***** | |
| config.datasource.jdbcdriver=org.postgresql.Driver | |
| config.datasource.schemaname=aaa_jdbc |
Exploring tables
Wanna check the data aaa-jdbc extension store? You can do as follows:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ su postgres | |
| bash-4.3$ psql -d engine | |
| engine=# \dt aaa_jdbc.*; | |
| List of relations | |
| Schema | Name | Type | Owner | |
| ----------+-----------------------+-------+-------- | |
| aaa_jdbc | failed_logins | table | engine | |
| aaa_jdbc | group_attributes | table | engine | |
| aaa_jdbc | group_groups | table | engine | |
| aaa_jdbc | groups | table | engine | |
| aaa_jdbc | schema_version | table | engine | |
| aaa_jdbc | settings | table | engine | |
| aaa_jdbc | user_attributes | table | engine | |
| aaa_jdbc | user_groups | table | engine | |
| aaa_jdbc | user_password_history | table | engine | |
| aaa_jdbc | users | table | engine | |
| (10 rows) | |
| engine=# select name, valid_from, valid_to from aaa_jdbc.users; | |
| name | valid_from | valid_to | |
| -------+----------------------------+---------------------------- | |
| admin | 2015-10-01 10:38:32.361+02 | 2215-10-01 10:38:32.361+02 | |
| (1 row) |
Well, this is not too comfortable to work with your users. The extension provide CLI tool to manage the users more comfortable way.
CLI tool
Cli too name is ovirt-aaa-jdbc-tool. Not much I can say about this tool, since it has good documentation in help.So whenever you are in doubt what to use just append --help to your args. Please note that by default use the command user @internal extension. If you want to use different one just pass --db-config=/path/to/db/settings.properties of your configuration.
Adding user via CLI tool
If you explored help of this tool you can see there is user module, which you can use to manage users. So we will add some users, which we will use later in this blog post. Please note that by default freshly added users don't have set password, so you need to set it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool user add user1 | |
| $ ovirt-aaa-jdbc-tool user password-reset user1 --password=pass:123456 --password-valid-to="2100-01-01 00:00:00Z" |
Changing settings via CLI tool
As there is user module there is also settings module to change settings of aaa-jdbc extension. To see what you can change simply run 'ovirt-aaa-jdbc-tool settings show'. There are lot of stuff you can change, the most important/interesting I will show you later.Policies
Password history limit
You can use setting option PASSWORD_HISTORY_LIMIT to prohibit user to set same password as he used before. Limit can be integer value, by default it's 3. That means user can't change password to last three passwords he used before.To change it, use command below(set it to 5):
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name PASSWORD_HISTORY_LIMIT --value 5 |
Password complexity
Minimal lenght
To set minimal lenght of password you have to change MIN_LENGTH option. By default it's 6.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name MIN_LENGTH --value 8 |
To set complexity of password you have to change PASSWORD_COMPLEXITY option. You can create different complexity groups. By default there is no restriction. So if you want to for example your user force to have at least one upper case letter, lower case letter and number in his password run the command below:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name PASSWORD_COMPLEXITY --value "UPPERCASE:chars=ABCDEFGHIJKLMNOPQRSTUVWXYZ::min=1::LOWERCASE:chars=abcdefghijklmnopqrstuvwxyz::min=1::NUMBERS:chars=0123456789::min=1::" |
Account & login policy
Non locking policy after failed login
To prevent brute force attacks to your account and at the same time prevent denial of your account you can set non locking policy when there is too many attempts to guess password to your user account. To set it use MAX_FAILURES_PER_MINUTE option. By default it's set to 6.
Locking of account after failed login
You account can be locked after X failed logins. There are two options to configure that.
First possibility is to set MAX_FAILURES_SINCE_SUCCESS this option means that user account is locked after X unsuccessfull login attempts to your account after last successfull login.
The second possibility is to set MAX_FAILURES_PER_INTERVAL this options means that your user account will be locked after X unsuccesfull login attempts to your account in X hours. The value of hours can be set in option INTERVAL_HOURS.
Your accounts are locked to X minutes. The amount of minutes can be changed by value of option LOCK_MINUTES. Or you can unlock your user by running cli command:
$ ovirt-aaa-jdbc-tool user unlock user1
Removing of failed login
Failed login can be automatically removed during house keeping. All failed login which are older then X days specified in option FAILED_LOGINS_OLD_DAYS will be removed.
Other
Max login minutes
With MAX_LOGIN_MINUTES option you can set how long your user can be logged in. If time exceeds, he will be automatically logged out.Many others
There are many other options. You can explore them by yourself, just run:$ ovirt-aaa-jdbc-tool settings show
