Hi,
With Ovirt 4.5.1 release [1], the Keycloak based authentication is enabled
by default for fresh/new installations.
Here [2] you can find some usage scenarios describing when/how it is
enabled.
In short - if you just want to log in to the oVirt Admin / VM / Monitoring
portal, please use the 'admin@ovirt' user and the password provided during
engine-setup.
There is ongoing work to make it more explicit [3] and it will be addressed
soon.
For REST API access, the full username with the profile name is required as
the username: admin@ovirt@internalsso
Here is a sample 'curl' illustrating the flow:
$ curl -k -H "Accept: application/json" 'https://ENGINE_FQDN/ovirt-engine/sso/oauth/token?grant_type=password&...'
And the token response:
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEdS10MlVQd0JaZ0gtRU1JUkRTRHFxNFZIOUhZbnc4Nkk5QUlGOERxZ1l3In0.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.Ov2IJ-ghtXSB6eb7osWZgT_yeb4prBgVzUU9vAY_VMoDr-ie5bMYBUyinYvNHWpBbYaFGNjg6bC7PHz3-s5H1rxXN1wH13wtIlO4obUbPt8wEb58Slrr42kXBoLLLDrXE3Af9LlabtNjJ0z-a5reSUZmOdVYiJl9sEF4YwG9177mwUSJz7VLQAI1hKN1pg6Ox1sJj2fBwdBqjIiRXsw-KBwoMQx9JmuMk9wCr5-gI5f8I-9Vqizb8Lf5ZJ4SMf35Wy3R8dwQeXXau_7t5zDe9wO9wnc9RfOMCuDCc359-oLDFmtrahgrMjmDx5YrQHol6jC43S_7gQ_2IPLE_TlqiQ","scope":"ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access","exp":"9223372036854775807","token_type":"bearer"}
Now let's use the access token to authenticate and fetch hosts:
$ curl -k -H "Accept: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEdS10MlVQd0JaZ0gtRU1JUkRTRHFxNFZIOUhZbnc4Nkk5QUlGOERxZ1l3In0.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.Ov2IJ-ghtXSB6eb7osWZgT_yeb4prBgVzUU9vAY_VMoDr-ie5bMYBUyinYvNHWpBbYaFGNjg6bC7PHz3-s5H1rxXN1wH13wtIlO4obUbPt8wEb58Slrr42kXBoLLLDrXE3Af9LlabtNjJ0z-a5reSUZmOdVYiJl9sEF4YwG9177mwUSJz7VLQAI1hKN1pg6Ox1sJj2fBwdBqjIiRXsw-KBwoMQx9JmuMk9wCr5-gI5f8I-9Vqizb8Lf5ZJ4SMf35Wy3R8dwQeXXau_7t5zDe9wO9wnc9RfOMCuDCc359-oLDFmtrahgrMjmDx5YrQHol6jC43S_7gQ_2IPLE_TlqiQ" 'https://ENGINE_FQDN/ovirt-engine/api/hosts'
In order to change the default Keycloak configuration or set up any additional
identity providers you need to access the Keycloak Administration Panel
(https://YOUR_ENGINE_FQDN/ovirt-engine-auth/admin).
By default, on a fresh installation, you can login using 'admin' and the
password provided during engine-setup.
Keycloak allows you to easily use all the features that were previously
supported by oVirt's in-house authentication implementation plus many more
almost for free - multi-factor authentication, 3rd party identity
providers (i.e. GitHub, Google, Facebook etc.) just to name a few.
For more information please see the Keycloak's documentation [4].
[1] https://www.ovirt.org/release/4.5.1/#keycloak-sso-setup-for-ovirt-engine
[2] https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2101474
[4] https://www.keycloak.org/archive/documentation-15.0.html
Please, let us know if you have any questions/concerns.
Last, but not least, any contributions or bug reports are more than
welcome!
Thanks!
Artur
--
Artur Socha
Senior Software Engineer, RHV
Red Hat
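The two curl calls above, as an added example that is not part of Artur's message or of the oVirt project: a small POSIX shell script that requests the token with the password grant, pulls access_token and exp out of the JSON response with sed, decodes the JWT header to show which algorithm and key id the token was signed with, and then calls /api/hosts with the bearer token. It assumes (not confirmed by the message) that the SSO token endpoint also accepts the grant parameters as a POST form body, which is how the oVirt SDKs send them, while the message's curl passes them in the query string; ENGINE_FQDN, OVIRT_USER, OVIRT_PASS and CA_BUNDLE are placeholders, and the sample response embedded in the script is constructed. Note that the exp in the message's response, 9223372036854775807, is 2^63-1, so that token has no practical expiry; the script flags such a response.

```shell
#!/bin/sh
# Added example, not from the original message. Placeholders: ENGINE_FQDN,
# OVIRT_USER, OVIRT_PASS, CA_BUNDLE. The message's curl uses -k (no TLS
# verification); this script verifies against the engine CA bundle instead.

ENGINE_FQDN="${ENGINE_FQDN:-engine.example.com}"
OVIRT_USER="${OVIRT_USER:-admin@ovirt@internalsso}"
OVIRT_PASS="${OVIRT_PASS:-changeme}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/ovirt-engine/ca.pem}"

# Constructed sample token response (same shape as the one in the message,
# with a short fake JWT so the parsers can be exercised offline).
SAMPLE_RESPONSE='{"access_token":"eyJhbGciOiJSUzI1NiJ9.e30.c2ln","scope":"ovirt-app-api ovirt-ext=token-info:validate","exp":"9223372036854775807","token_type":"bearer"}'

# Pull the "access_token" value out of the single-line JSON response (sed only, no jq).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Pull the "exp" value (a quoted string in the message's response).
extract_exp() {
  printf '%s' "$1" | sed -n 's/.*"exp":"\([^"]*\)".*/\1/p'
}

# Succeed when exp is 2^63-1 (Java Long.MAX_VALUE): the token never expires on its own.
is_non_expiring() {
  [ "$(extract_exp "$1")" = "9223372036854775807" ]
}

# Decode one base64url JWT segment (header or payload) to text: map the URL-safe
# alphabet back to standard base64, restore the padding, then base64-decode.
jwt_segment_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    1) return 1 ;;        # no valid base64 string has this length
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Run the parsers over the constructed sample; returns 0 when every result is as expected.
check_sample() {
  token=$(extract_access_token "$SAMPLE_RESPONSE")
  [ "$token" = "eyJhbGciOiJSUzI1NiJ9.e30.c2ln" ] || return 1
  [ "$(jwt_segment_decode "${token%%.*}")" = '{"alg":"RS256"}' ] || return 1
  is_non_expiring "$SAMPLE_RESPONSE" || return 1
  return 0
}

# Password grant sent as a POST form body (assumption: the endpoint accepts it, as the SDKs do).
get_token_response() {
  curl -sS --cacert "$CA_BUNDLE" -H "Accept: application/json" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "scope=ovirt-app-api" \
    --data-urlencode "username=$OVIRT_USER" \
    --data-urlencode "password=$OVIRT_PASS" \
    "https://$ENGINE_FQDN/ovirt-engine/sso/oauth/token"
}

# Second call from the message: list hosts using the bearer token.
list_hosts() {
  curl -sS --cacert "$CA_BUNDLE" -H "Accept: application/json" \
    -H "Authorization: Bearer $1" "https://$ENGINE_FQDN/ovirt-engine/api/hosts"
}

main() {
  response=$(get_token_response) || exit 1
  token=$(extract_access_token "$response")
  [ -n "$token" ] || { echo "no access_token in response: $response" >&2; exit 1; }
  if is_non_expiring "$response"; then
    echo "warning: token exp is 2^63-1, it will not expire on its own; guard it like a credential" >&2
  fi
  printf 'JWT header: '; jwt_segment_decode "${token%%.*}"; echo
  list_hosts "$token"
}

# Only talk to the engine when explicitly asked; the helpers above work offline.
if [ "${RUN_OVIRT_EXAMPLE:-0}" = 1 ]; then
  main
fi
```

Run it as RUN_OVIRT_EXAMPLE=1 ENGINE_FQDN=... OVIRT_USER=... OVIRT_PASS=... sh get-hosts.sh; without RUN_OVIRT_EXAMPLE the script only defines the helpers, so it can be sourced and the parsers reused.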