From asocha at redhat.com Wed Apr 22 11:11:15 2020
Content-Type: multipart/mixed; boundary="===============4105355384098398338=="
MIME-Version: 1.0
From: Artur Socha <asocha at redhat.com>
To: users at ovirt.org
Subject: [ovirt-users] Re: oVirt and KeyCloak intergration
Date: Wed, 22 Apr 2020 13:09:06 +0200
Message-ID: <5e54dbcb70be20560261c16aa987ca1966476c7b.camel@redhat.com>
In-Reply-To: JN2P275MB0347F40D4EA2E126CBFF8429A0D20@JN2P275MB0347.ZAFP275.PROD.OUTLOOK.COM

--===============4105355384098398338==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On Wed, 2020-04-22 at 10:42 +0000, Anton Louw wrote:
> =

> =

> Ok so this is definitely looking better. I get an error, but at least now=
 it
> is saying : =E2=80=9CThe user admin(a)openidchttp is not authorized to pe=
rform login=E2=80=9D
>  =

> This is strange though, because admin in by default should be allowed acc=
ess?

Well, yes and no :)

In order for user to be considered admin (for ovirt engine) it must belong =
to
keycloak's ovirt-administrator group (in keycloak admin panel see Manage-
>Groups->Members)

I think you are very close to have it up-and-running.


>  =

> From: Anton Louw =

> Sent: 22 April 2020 12:38
> To: Artur Socha <asocha(a)redhat.com>; users(a)ovirt.org
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>  =

> Perfect, I=E2=80=99ll test and let you know.
>  =

> Thanks
>  =

> From: Artur Socha <asocha(a)redhat.com> =

> Sent: 22 April 2020 12:32
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>  =

> + users(a)ovirt.org
>  =

> On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
> >  =

> > =

> > Hi Artur,
> >  =

> > I would just like to make sure I am following correctly, comparing your
> > entries against mine.
> >  =

> > Your setup:
> > ...
> > config.mapAuthRecord.regex.pattern =3D
> > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > ...
> > =

> > =

> > My setup:
> > =E2=80=A6
> > config.mapAuthRecord.regex.pattern =3D
> > ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > =E2=80=A6
> >  =

> > Should I add the additional 2 =E2=80=9C\\=E2=80=9D in on my side?
> =

>  =

> Yes, please try adding it. In my case I learned about this issue by debug=
ging
> the code because the real exception generated by incorrect regexp syntax =
was
> hidden behind generic error message giving no clues about the true cause.
>  =

> >  =

> > Your setup:
> > ...
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/to=
ken-
> > http-auth)|^/ovirt-engine/callback>
> > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >  =

> > Require valid-user
> > AuthType openid-connect
> > =

> > ErrorDocument 401 "<html><meta http-equiv=3D\"refresh\"content=3D\"0;
> > url=3D/ovirt-engine/sso/login-unauthorized\"/><body><ahref=3D\"/ovirt-
> > engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> > =E2=80=A6
> >  =

> > My setup:
> > =E2=80=A6
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/to=
ken-
> > http-auth)|^/ovirt-engine/callback>
> >     <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >  =

> >       Require valid-user
> >       AuthType openid-connect
> >  =

> >       ErrorDocument 401 "<html><meta http-equiv=3D'refresh' content=3D'=
0;
> > url=3D/ovirt-engine/sso/login-unauthorized'/><body><a href=3D'/ovirt-
> > engine/sso/login-unauthorized'>Here</a></body></html>"
> >     </If>
> > </LocationMatch>
> > =E2=80=A6
> >  =

> > I remember I had syntax errors, but mine was changed.
> >  =

> > Does this look fine to you?
> =

>  =

> Yeah, your version looks good too. You have ' instead of " so that is ok. =

>  =

> =

> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T:  087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
> =

> =

>  	=

> =

>  	=

> =

>  	=

> =

>  	=

> =

>  =

> =

> > Thanks
> >  =

> >  =

> >  =

> > Anton Louw
> > Cloud Engineer: Storage and Virtualization at Vox
> > T:  087 805 0000 | D: 087 805 1572
> > M: N/A
> > E: anton.louw(a)voxtelecom.co.za
> > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > www.vox.co.za
> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> >  =

> > From: Anton Louw =

> > Sent: 22 April 2020 10:07
> > To: Artur Socha <asocha(a)redhat.com>
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >  =

> > Hi Artur,
> >  =

> > Great, I will try the below and let you know. I appreciate your efforts.
> >  =

> > Sure, you may report it, I was in such a rush that I only hit =E2=80=9C=
reply=E2=80=9D and
> > not =E2=80=9CReply All=E2=80=9D
> >  =

> > I do recall that I had to make some changes to the below as the it
> > complained about syntax errors:
> >  =

> > ErrorDocument 401 "<html><meta http-equiv=3D\"refresh\"
> > content=3D\"0; url=3D/ovirt-engine/sso/login-unauthorized\"/><body><a
> > href=3D\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> >  =

> > I will let you know the outcome when I change the below as you suggeste=
d.
> >  =

> > Cheers
> >  =

> > From: Artur Socha <asocha(a)redhat.com> =

> > Sent: 22 April 2020 09:51
> > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >  =

> > I checked your logs and I did not notice anything suspicious. =

> > However, now I recall I made some changes compared to blog post
> > example:
> > =

> > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties =

> > I added escaping in regexp for '\'
> > ...
> > config.mapAuthRecord.regex.pattern =3D
> > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > ...
> > =

> > 2) /etc/httpd/ovirt-openidc.conf
> > Escaping for '"' in error document snippet
> > ...
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-
> > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> > =

> > Require valid-user
> > AuthType openid-connect
> > =

> > ErrorDocument 401 "<html><meta http-equiv=3D\"refresh\"
> > content=3D\"0; url=3D/ovirt-engine/sso/login-unauthorized\"/><body><a
> > href=3D\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> > =

> > ...
> > =

> > These two issues were most probably caused by the blog site rendering.
> > =

> > =

> > You might want to check engine.log (or server.log not really sure which
> > one was that) for aaa extension initialization logs. They should =

> > appear at the beginning just after restarting engine.
> > =

> > Unfortunately, at the moment I do not have running keycloak setup (I
> > used to have a local VM) but I will try to find some time to set it up
> > again once I'm done with another work item that actually consumes
> > almost entire disk space for my 2 machines)
> > =

> > Please let me know if anything changes after applying these config
> > changes. It this works for you then I will request the blog post to be
> > updated.
> > =

> > Do you mind if I keep(re-post) this discussion back to users(a)ovirt in
> > case other might have similar issues with keycloak integration?
> > =

> > A.
> > =

> > On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> > > =

> > > =

> > > Hi Artru,
> > > =

> > > Thank you for the reply. The post [1] is actually the main source of
> > > information I worked from in order top get everything configured. In
> > > the post[1] I ran through the whole testing section, and everything
> > > works as expected. I can see the VMs etc when using the python
> > > script.
> > > =

> > > In my case we are not using ldap as a provider, I tried using
> > > keycloak directly as a provider, I am not sure if that is where I am
> > > going wrong?
> > > =

> > > I have attached the last part of the apache ssl_access_log when I
> > > tried logging in this morning. I have also attached the engine log.
> > > =

> > > Thanks
> > > =

> > > =

> > > Anton Louw
> > > Cloud Engineer: Storage and Virtualization at Vox
> > > T: 087 805 0000 | D: 087 805 1572
> > > M: N/A
> > > E: anton.louw(a)voxtelecom.co.za
> > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > > www.vox.co.za
> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > =

> > > From: Artru Socha <asocha(a)redhat.com> =

> > > Sent: 21 April 2020 15:20
> > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > > =

> > > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > > > =

> > > > =

> > > > Hi Everybody,
> > > > =

> > > > =

> > > Hi Anton,
> > > =

> > > > Has anybody gone the route of using KeyCloak to login to oVirt?
> > > > KeyCloak has been configured and the neccesary configs have also
> > > been
> > > > done on the engine. It redirects perfectly from the oVirt Web Login
> > > > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > > > back to the oVirt Web Login. When trying to login again, I get the
> > > > below error:
> > > > =

> > > > =

> > > > =

> > > > server_error: Missing parameter: 'params'
> > > > =

> > > =

> > > Not so long ago I managed to setup ovirt engine with keyloack (using
> > > ldap as users provider). Hopefully, I would be able to help you with
> > > it. =

> > > =

> > > There is excellent blog post[1] available. You might also check
> > > keycloak+ldap post [2], however, when I was working on the
> > > integration
> > > I was not aware of if and did not test it.
> > > =

> > > The error you mentioned does not really indicate what exactly is
> > > wrong
> > > but it might suggest that there is some sort of misconfiguration with
> > > apache (you need to install and configure mod_auth_openidc as
> > > described
> > > at [1]). At least that happened in my case.
> > > =

> > > In case you have already gone through it you could probably check
> > > apache logs.
> > > =

> > > Under [1] there is a python script that can be used to check api
> > > calls,
> > > please update username/password and test it against your environment.
> > > =

> > > =

> > > Would it be possible post relevant piece of apache logs together with
> > > engine.log ?
> > > =

> > > =

> > > [1] =

> > > =

> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to=
-openid-connect-infrastructure/
> > > [2] =

> > > =

> > https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-use=
r-federation/
> > > =

> > > Artur
> > > =

> > > =

> > > =

> > > > I have checked all the logs, but nothing is telling me what exactly
> > > > the issue is. =

> > > > =

> > > > If anybody has any idea, please let me know.
> > > > =

> > > > Thanks
> > > > =

> > > > Anton Louw
> > > > Cloud Engineer: Storage and Virtualization at Vox
> > > > T: 087 805 0000 | D: 087 805 1572
> > > > M: N/A
> > > > E: anton.louw(a)voxtelecom.co.za
> > > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > > > www.vox.co.za
> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > =

> > > > Disclaimer
> > > > The contents of this email are confidential to the sender and the
> > > > intended recipient. Unless the contents are clearly and entirely of
> > > a
> > > > personal nature, they are subject to copyright in favour of the
> > > > holding company of the Vox group of companies. Any recipient who
> > > > receives this email in error should immediately report the error to
> > > > the sender and permanently delete this email from all storage
> > > > devices.
> > > > =

> > > > This email has been scanned for viruses and malware, and may have
> > > > been automatically archived by Mimecast Ltd, an innovator in
> > > Software
> > > > as a Service (SaaS) for business. Providing a safer and more useful
> > > > place for your human generated data. Specializing in; Security,
> > > > archiving and compliance. To find out more Click Here.
> > > > =

> > > > =

> > > > _______________________________________________
> > > > Users mailing list -- users(a)ovirt.org
> > > > To unsubscribe send an email to users-leave(a)ovirt.org
> > > > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > > > oVirt Code of Conduct: =

> > > > https://www.ovirt.org/community/about/community-guidelines/
> > > > List Archives: =

> > > > =

> > > =

> > https://lists.ovirt.org/archives/list/users(a)ovirt.org/message/S4I2I3M=
ID4A4AYXVOLWKU55563DFKEFQ/
> > >
> >  =

> =

>=20

--===============4105355384098398338==
Content-Type: application/pgp-signature
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRRXpCQUFCQ0FBZEZpRUU1eUFoeWNKUU5X
ZkhRU253QmhsOEh5eDZnWTRGQWw2Z0pkSUFDZ2tRQmhsOEh5eDYKZ1k0Q3RRZi9hYlV2VU5HNmFz
UkRWaGZBOWFMZVVGYURzU1JRd1dJZ0h4MGlyZXVPRDZUNDBsNER3RGhkVDVUUgp3bzZ1U3AyOGVJ
Q0xMKzJtSXA0M29QOHo4Z3VIVHZIZElKVmhubnVFTXdWS0hzMXprWFNDVXVGU2t3Zi8yNnBoCjBD
aEVkYzNUSExER2VoV2dMTHZqV0pnNnVNZWlraEpqREhqcVZsRC9KNFlKcVFlZkxjaUlDWHpSaHBy
SWt0QWcKQ2lHeEs2MGhUWi90bm9FZFJTczA3U2NlR3N5RTdnN3A2cVIvRUErT2liOW51UVoraVpz
Z0FIYlE4MlI5TVJIbApQS1RkU1R3cnQ1eHZBY0t5U213Y0k0YWZiQjZ3TVYzeDZMZUZkTjBpODBD
NEtjc3VKSEhKcE9rR3lpVzk2SThBCkd5MUk5OWZJdlZ5Mnl4aHlueTdYRzQ4YUp6L1pIUT09Cj1w
bjRpCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============4105355384098398338==--