If Keycloak/external auth is enabled we disable admin@internal and all
internal profiles on engine side.
I tested VM Portal and it seemed to work fine when external auth was
enabled.
On Thu, Nov 8, 2018 at 11:49 AM Michal Skrivanek <mskrivan(a)redhat.com> wrote:
On 8 Nov 2018, at 16:53, Greg Sheremeta <gshereme(a)redhat.com> wrote:
On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <rnori(a)redhat.com> wrote:
> Hi All,
>
> Please find design document [1] for integrating ovirt-engine with
> Keycloak using mod_auth_openidc. Engine can be configured to use
> external IDP to handle user authentication while still supporting Rest API
> bearer authentication.
>
> There are some changes to how clients will obtain tokens to use for
> bearer authentication. All clients need to request tokens from the external
> IDP and use it to access engine. When external authentication is enabled
> admin@internal and all internal profiles for authentication are
> disabled. Please see the design document for more details.
>
> Thanks
>
> Ravi
>
> [1] https://docs.google.com/document/d/1Wio7bQNeNinx7Luj5t-KpsSYQ2Z1Y0I8UhUyJ...
>
> Integration Issues that need attention
>
> 1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain
> token from either engine SSO or external OpenID Connect IDP.
> 2. OVN if we are not using SDK needs to be modified to obtain token from
> either engine SSO or external OpenID Connect IDP.
> 3. OVN changes needed to config user admin@internal. admin@internal
> access will be disabled if external integration is enabled. So OVN needs to
> be configurable to use another user for REST API access.
> 4. Ansible is using SDK, if SDK is fixed to use a file the file needs to
> be passed from ansible to SDK.
> 5. Cloudforms and Satellite are using Ruby SDK, we need to file a bug to
> fix the issue. The file with the details of external IDP URL and client-id
> and client-secret needs to be passed to SDK.
> 6. REST API SDK V3 is not going to work with password and negotiate
> authentication
> 7. VM Single Sign-on will not work as we don’t have a password.
>
We are currently (re)implementing VM SSO in VM Portal. Will our
implementation break?
cc'ing Michal and Bohdan.
It’s already broken since 3.6; external auths don’t work with SPICE SSO.
I suppose it doesn’t change anything for the internal authentication where
we still have the pwd and use it, right, Ravi?
> 8. VM Console needs to work, if VM console is using token and bearer
> authentication everything should work
>
Let's be sure to consider and test VM Portal too.
> _______________________________________________
> Devel mailing list -- devel(a)ovirt.org
> To unsubscribe send an email to devel-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/4UJ3DDT2BGI...
>
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA <https://www.redhat.com/>
gshereme(a)redhat.com IRC: gshereme <https://red.ht/sig>
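As an added example that is not part of this thread and not the oVirt project's or SDKs' own code, the following Python client sketches the token flow the design describes: the client reads a small config file (the INI layout, hostnames, client id and placeholder secret are constructed for this example), selects either the engine's own SSO token endpoint or the external OpenID Connect IDP (the Keycloak token path and the engine SSO path `/sso/oauth/token` are assumptions), requests a bearer token, validates the token response, and attaches the token to REST API calls while refusing to reuse an expired one. A constructed fake transport stands in for the IDP and the engine so the example runs offline.

```python
"""Added example (not oVirt project code): choosing the token issuer and
using the resulting bearer token against the engine REST API."""
import configparser
import json
import time
import urllib.parse
import urllib.request

# Constructed config files; the layout is an assumption for this example.
EXTERNAL_IDP_CONFIG = """
[engine]
url = https://engine.example.test/ovirt-engine
[external_idp]
enabled = true
token_endpoint = https://idp.example.test/auth/realms/ovirt/protocol/openid-connect/token
client_id = ovirt-engine
client_secret = CLIENT_SECRET_PLACEHOLDER
"""
ENGINE_SSO_CONFIG = """
[engine]
url = https://engine.example.test/ovirt-engine
[external_idp]
enabled = false
"""


def load_config(text):
    """Parse the constructed INI layout into a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    cfg = {"engine_url": cp["engine"]["url"].rstrip("/"),
           "external": cp.getboolean("external_idp", "enabled", fallback=False)}
    if cfg["external"]:
        for key in ("token_endpoint", "client_id", "client_secret"):
            cfg[key] = cp["external_idp"][key]
    return cfg


def build_token_request(cfg, username, password):
    """Return (url, form) for a resource-owner-password grant. With external
    auth enabled the engine's internal profiles are disabled, so the request
    goes to the IDP and carries the client credentials; otherwise to engine SSO."""
    if cfg["external"]:
        return cfg["token_endpoint"], {
            "grant_type": "password", "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"], "username": username,
            "password": password, "scope": "openid"}
    return cfg["engine_url"] + "/sso/oauth/token", {
        "grant_type": "password", "username": username,
        "password": password, "scope": "ovirt-app-api"}


def parse_token_response(body, now=None):
    """Validate an OAuth2 token response; only bearer tokens are usable here."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(data.get("error_description", data["error"]))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token, got %r" % data.get("token_type"))
    now = time.time() if now is None else now
    return {"token": data["access_token"],
            "expires_at": now + int(data.get("expires_in", 0))}


def bearer_headers(token):
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}


def http_transport(url, form=None, headers=None):
    """Real transport (not exercised offline): returns (status, body bytes)."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def obtain_token(cfg, username, password, transport=http_transport, now=None):
    url, form = build_token_request(cfg, username, password)
    status, body = transport(url, form, {"Accept": "application/json"})
    if status != 200:
        raise PermissionError("token endpoint returned HTTP %d" % status)
    return parse_token_response(body, now=now)


def call_api(cfg, token_info, path, transport=http_transport, now=None):
    """Send a REST API request with the bearer token; an expired token is
    never sent, the caller must obtain a fresh one from the issuer."""
    now = time.time() if now is None else now
    if now >= token_info["expires_at"]:
        raise PermissionError("token expired; request a new one from the IDP")
    return transport(cfg["engine_url"] + "/api" + path, None,
                     bearer_headers(token_info["token"]))


def fake_transport(url, form, headers):
    """Constructed stand-in for the IDP and the engine so the example runs offline."""
    if url.endswith("/openid-connect/token"):
        if form.get("client_secret") != "CLIENT_SECRET_PLACEHOLDER":
            return 401, json.dumps({"error": "invalid_client"}).encode()
        return 200, json.dumps({"access_token": "tok-external",
                                "token_type": "Bearer", "expires_in": 300}).encode()
    if url.endswith("/sso/oauth/token"):
        return 200, json.dumps({"access_token": "tok-engine",
                                "token_type": "bearer", "expires_in": 300}).encode()
    if headers.get("Authorization", "").startswith("Bearer tok-"):
        return 200, json.dumps({"product_info": {"name": "oVirt Engine"}}).encode()
    return 401, b""


if __name__ == "__main__":
    cfg = load_config(EXTERNAL_IDP_CONFIG)
    tok = obtain_token(cfg, "user", "pw", transport=fake_transport)
    print(call_api(cfg, tok, "/", transport=fake_transport))
```

The point of the split in `build_token_request` is the one the design makes: once external auth is on, `admin@internal` and the other internal profiles no longer exist on the engine, so a client that keeps posting to the engine SSO endpoint with a stored password simply gets no token; the client id and secret from the IDP config are what the SDKs and tools such as OVN and Ansible would need to be handed instead.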