On 8 Nov 2018, at 16:53, Greg Sheremeta <gshereme@redhat.com> wrote:



On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <rnori@redhat.com> wrote:
Hi All,

Please find design document [1] for integrating ovirt-engine with Keycloak using mod_auth_openidc. Engine can be configured to use external IDP to handle user authentication while still supporting Rest API bearer authentication.

There are some changes to how clients will obtain tokens to use for bearer authentication. All clients need to request tokens from the external IDP and use it to access engine. When external authentication is enabled admin@internal and all internal profiles for authentication are disabled. Please see the design document for more details.

Thanks

Ravi


Integration Issues that need attention

1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain token from either engine SSO or external OpenID Connect IDP.
2. OVN if we are not using SDK needs to be modified to obtain token from either engine SSO or external OpenID Connect IDP.
3. OVN changes needed to config user admin@internal. admin@internal access will be disabled if external integration is enabled. So OVN needs to be configurable to use another user for REST API access.
4. Ansible is using SDK, if SDK is fixed to use a file the file needs to passed from ansible to SDK.
5. Cloudforms and Satellite are using Ruby SDK, we need to file a bug to fix the issue. The file with the details of external IDP URL and client-id and client-secret needs to be passed to SDK.
6. REST API SDK V3 is not going to work with password and negotiate authentication
7. VM Single Sign-on will not work as we don’t have a password.

We are currently (re)implementing VM SSO in VM Portal. Will our implementation break?
cc'ing Michal and Bohdan.

it’s already broken since 3.6, external auths don’t work with SPICE SSO.
I suppose it doesn’t change anything for the internal authentication where we still have the pwd and use it, right, Ravi?


 
8. VM Console needs to work, if VM console is using token and bearer authentication everything should work

Let's be sure to consider and test VM Portal too.
 
_______________________________________________
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/4UJ3DDT2BGIXJDHLTFS66A3X4VXEGE6U/


-- 
GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

gshereme@redhat.com    IRC: gshereme