If Keycloak/external auth is enabled we disable admin@internal and all
internal profiles on engine side.
I tested VM Portal and it seemed to work fine when external auth was
On Thu, Nov 8, 2018 at 11:49 AM Michal Skrivanek <mskrivan(a)redhat.com>
On 8 Nov 2018, at 16:53, Greg Sheremeta <gshereme(a)redhat.com> wrote:
On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <rnori(a)redhat.com> wrote:
> Hi All,
> Please find the design document for integrating ovirt-engine with
> Keycloak using mod_auth_openidc. Engine can be configured to use
> external IDP to handle user authentication while still supporting REST API
> bearer authentication.
> There are some changes to how clients will obtain tokens to use for
> bearer authentication. All clients need to request tokens from the external
> IDP and use it to access engine. When external authentication is enabled
> admin@internal and all internal profiles for authentication are
> disabled. Please see the design document for more details.
> Integration Issues that need attention
> 1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain
> token from either engine SSO or external OpenID Connect IDP.
> 2. OVN if we are not using SDK needs to be modified to obtain token from
> either engine SSO or external OpenID Connect IDP.
> 3. OVN changes needed to config user admin@internal. admin@internal
> access will be disabled if external integration is enabled. So OVN needs to
> be configurable to use another user for REST API access.
> 4. Ansible is using SDK, if SDK is fixed to use a file the file needs to
> be passed from ansible to SDK.
> 5. Cloudforms and Satellite are using Ruby SDK, we need to file a bug to
> fix the issue. The file with the details of external IDP URL and client-id
> and client-secret needs to be passed to SDK.
> 6. REST API SDK V3 is not going to work with password and negotiate
> 7. VM Single Sign-on will not work as we don’t have a password.
We are currently (re)implementing VM SSO in VM Portal. Will our
cc'ing Michal and Bohdan.
it’s already broken since 3.6, external auths don’t work with SPICE SSO.
I suppose it doesn’t change anything for the internal authentication where
we still have the pwd and use it, right, Ravi?
> 8. VM Console needs to work, if VM console is using token and bearer
> authentication everything should work
Let's be sure to consider and test VM Portal too.
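As an added example (not code from the thread, the oVirt SDKs, or the engine), the client-side token flow that issues 1 and 8 describe: read the proposed client file carrying the IDP URL, client-id and client-secret, obtain a bearer token from either engine SSO or the external OpenID Connect IDP, and refuse internal profiles when external auth is on. The config layout, the Keycloak token-endpoint path and the use of the password grant are assumptions.

```python
import configparser
import json
import urllib.parse
import urllib.request
# Added example (not SDK code). Constructed sample of the per-client file the thread
# proposes (IDP URL, client-id, client-secret); layout and endpoint paths are assumptions.
SAMPLE_CONFIG = """[client]
external = true
idp_url = https://idp.example.com/auth/realms/ovirt
client_id = ovirt-engine
client_secret = PLACEHOLDER-SECRET
engine_url = https://engine.example.com/ovirt-engine
"""

def parse_client_config(text):
    """Parse the client config file contents into a plain dict."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return dict(cfg["client"])

def token_request(cfg, username, password):
    """Return (url, form_fields): IDP token endpoint with client credentials when external
    auth is on, else the engine SSO endpoint. Internal profiles are rejected up front."""
    external = cfg.get("external", "false").lower() == "true"
    if external and username.endswith("@internal"):
        raise ValueError("internal profiles are disabled when external auth is enabled")
    if external:  # Keycloak realm token endpoint path and password grant are assumptions
        url = cfg["idp_url"].rstrip("/") + "/protocol/openid-connect/token"
        data = {"grant_type": "password", "client_id": cfg["client_id"],
                "client_secret": cfg["client_secret"], "username": username,
                "password": password, "scope": "openid"}
    else:
        url = cfg["engine_url"].rstrip("/") + "/sso/oauth/token"
        data = {"grant_type": "password", "username": username,
                "password": password, "scope": "ovirt-app-api"}
    return url, data

def _http_post(url, data):
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)

def obtain_token(cfg, username, password, post=_http_post):
    """Fetch an access token; `post` is injectable so the flow runs offline in tests."""
    url, data = token_request(cfg, username, password)
    return post(url, data)["access_token"]

def bearer_headers(token):
    """Headers for an engine REST API call, e.g. GET <engine_url>/api/vms."""
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}
```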