Hi All,
Please find design document [1] for integrating ovirt-engine with Keycloak
using mod_auth_openidc. Engine can be configured to use external IDP to
handle user authentication while still supporting Rest API bearer
authentication.
There are some changes to how
clients will obtain tokens to use for bearer authentication. All clients
need to request tokens from the external IDP and use it to access
engine. When external authentication is enabled admin@internal and all
internal profiles for authentication are disabled. Please see the design
document for more details.
Thanks
Ravi
Integration Issues that need attention
1.
Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain
token from either engine SSO or external OpenID Connect IDP.
2. OVN if we are not using SDK needs to be modified to obtain token from either engine SSO or external OpenID Connect IDP.
3.
OVN changes needed to config user admin@internal. admin@internal access
will be disabled if external integration is enabled. So OVN needs to be
configurable to use another user for REST API access.
4. Ansible is using SDK, if SDK is fixed to use a file the file needs to passed from ansible to SDK.
5.
Cloudforms and Satellite are using Ruby SDK, we need to file a bug to
fix the issue. The file with the details of external IDP URL and
client-id and client-secret needs to be passed to SDK.
6. REST API SDK V3 is not going to work with password and negotiate authentication
7. VM Single Sign-on will not work as we don’t have a password.
