From asocha at redhat.com Wed Apr 22 11:21:00 2020
From: Artur Socha
To: users at ovirt.org
Subject: [ovirt-users] Re: oVirt and KeyCloak integration
Date: Wed, 22 Apr 2020 13:20:43 +0200
Message-ID: <0a9fd22985e84f9bca0c49b567ff3d01667789d6.camel@redhat.com>
In-Reply-To: 5e54dbcb70be20560261c16aa987ca1966476c7b.camel@redhat.com

On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +0000, Anton Louw wrote:
> >
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying: "The user admin(a)openidchttp is not authorized to perform login"
> >
> > This is strange though, because admin by default should be allowed
> > access?
>
> Well, yes and no :)
>
> In order for a user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see Manage->
> Groups->Members)

Small clarification: In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members
Note that the group must have the exact name: ovirt-administrator

>
> I think you are very close to having it up and running.
>
>
> > From: Anton Louw
> > Sent: 22 April 2020 12:38
> > To: Artur Socha ; users(a)ovirt.org
> > Subject: RE: [ovirt-users] oVirt and KeyCloak integration
> >
> > Perfect, I'll test and let you know.
> >
> > Thanks
> >
> > From: Artur Socha
> > Sent: 22 April 2020 12:32
> > To: Anton Louw ; users(a)ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> >
> > + users(a)ovirt.org
> >
> > On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
> > >
> > > Hi Artur,
> > >
> > > I would just like to make sure I am following correctly, comparing your
> > > entries against mine.
> > >
> > > Your setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\\\(?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > >
> > > My setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > >
> > > Should I add the additional 2 "\\" in on my side?
> >
> > Yes, please try adding it. In my case I learned about this issue by debugging
> > the code because the real exception generated by incorrect regexp syntax was
> > hidden behind a generic error message giving no clues about the true cause.
> >
> > > Your setup:
> > > ...
> > > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> engine/sso/login-unauthorized\">Here"
> > >
> > > ...
> > >
> > > My setup:
> > > ...
> > > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized'/> engine/sso/login-unauthorized'>Here"
> > >
> > > ...
> > >
> > > I remember I had syntax errors, but mine was changed.
> > >
> > > Does this look fine to you?
> >
> > Yeah, your version looks good too. You have ' instead of " so that is ok.
> >
> > Anton Louw
> > Cloud Engineer: Storage and Virtualization at Vox
> > T: 087 805 0000 | D: 087 805 1572
> > M: N/A
> > E: anton.louw(a)voxtelecom.co.za
> > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > www.vox.co.za
> >
> > > Thanks
> > >
> > > From: Anton Louw
> > > Sent: 22 April 2020 10:07
> > > To: Artur Socha
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak integration
> > >
> > > Hi Artur,
> > >
> > > Great, I will try the below and let you know. I appreciate your efforts.
> > >
> > > Sure, you may report it, I was in such a rush that I only hit "reply" and
> > > not "Reply All"
> > >
> > > I do recall that I had to make some changes to the below as it
> > > complained about syntax errors:
> > >
> > > ErrorDocument 401 " content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > >
> > > I will let you know the outcome when I change the below as you suggested.
> > >
> > > Cheers
> > >
> > > From: Artur Socha
> > > Sent: 22 April 2020 09:51
> > > To: Anton Louw
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> > >
> > > I checked your logs and I did not notice anything suspicious.
> > > However, now I recall I made some changes compared to the blog post
> > > example:
> > >
> > > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> > > I added escaping in regexp for '\'
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\\\(?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > >
> > > 2) /etc/httpd/ovirt-openidc.conf
> > > Escaping for '"' in error document snippet
> > > ...
> > > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 " content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > >
> > > ...
> > >
> > > These two issues were most probably caused by the blog site rendering.
> > >
> > > You might want to check engine.log (or server.log, not really sure which
> > > one it was) for aaa extension initialization logs. They should
> > > appear at the beginning just after restarting the engine.
> > >
> > > Unfortunately, at the moment I do not have a running keycloak setup (I
> > > used to have a local VM) but I will try to find some time to set it up
> > > again once I'm done with another work item that actually consumes
> > > almost the entire disk space of my 2 machines)
> > >
> > > Please let me know if anything changes after applying these config
> > > changes. If this works for you then I will request the blog post to be
> > > updated.
> > >
> > > Do you mind if I keep (re-post) this discussion back to users(a)ovirt in
> > > case others might have similar issues with keycloak integration?
> > >
> > > A.
> > >
> > > On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> > > >
> > > > Hi Artur,
> > > >
> > > > Thank you for the reply. The post [1] is actually the main source of
> > > > information I worked from in order to get everything configured. In
> > > > the post [1] I ran through the whole testing section, and everything
> > > > works as expected. I can see the VMs etc when using the python
> > > > script.
> > > >
> > > > In my case we are not using ldap as a provider, I tried using
> > > > keycloak directly as a provider, I am not sure if that is where I am
> > > > going wrong?
> > > >
> > > > I have attached the last part of the apache ssl_access_log when I
> > > > tried logging in this morning. I have also attached the engine log.
> > > >
> > > > Thanks
> > > >
> > > > From: Artur Socha
> > > > Sent: 21 April 2020 15:20
> > > > To: Anton Louw ; users(a)ovirt.org
> > > > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> > > >
> > > > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > > > >
> > > > > Hi Everybody,
> > > > >
> > > >
> > > > Hi Anton,
> > > >
> > > > > Has anybody gone the route of using KeyCloak to login to oVirt?
> > > > > KeyCloak has been configured and the necessary configs have also been
> > > > > done on the engine. It redirects perfectly from the oVirt Web Login
> > > > > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > > > > back to the oVirt Web Login. When trying to login again, I get the
> > > > > below error:
> > > > >
> > > > > server_error: Missing parameter: 'params'
> > > > >
> > > >
> > > > Not so long ago I managed to set up ovirt engine with keycloak (using
> > > > ldap as users provider). Hopefully, I will be able to help you with
> > > > it.
> > > >
> > > > There is an excellent blog post [1] available. You might also check the
> > > > keycloak+ldap post [2], however, when I was working on the integration
> > > > I was not aware of it and did not test it.
> > > >
> > > > The error you mentioned does not really indicate what exactly is wrong
> > > > but it might suggest that there is some sort of misconfiguration with
> > > > apache (you need to install and configure mod_auth_openidc as described
> > > > at [1]). At least that happened in my case.
> > > >
> > > > In case you have already gone through it you could probably check
> > > > apache logs.
> > > >
> > > > Under [1] there is a python script that can be used to check api calls,
> > > > please update username/password and test it against your environment.
> > > >
> > > > Would it be possible to post the relevant piece of apache logs together with
> > > > engine.log ?
> > > >
> > > > [1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> > > > [2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-federation/
> > > >
> > > > Artur
> > > >
> > > > > I have checked all the logs, but nothing is telling me what exactly
> > > > > the issue is.
> > > > >
> > > > > If anybody has any idea, please let me know.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Disclaimer
> > > > > The contents of this email are confidential to the sender and the
> > > > > intended recipient. Unless the contents are clearly and entirely of a
> > > > > personal nature, they are subject to copyright in favour of the
> > > > > holding company of the Vox group of companies. Any recipient who
> > > > > receives this email in error should immediately report the error to
> > > > > the sender and permanently delete this email from all storage
> > > > > devices.
> > > > >
> > > > > This email has been scanned for viruses and malware, and may have
> > > > > been automatically archived by Mimecast Ltd, an innovator in Software
> > > > > as a Service (SaaS) for business. Providing a safer and more useful
> > > > > place for your human generated data. Specializing in; Security,
> > > > > archiving and compliance.
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list -- users(a)ovirt.org
> > > > > To unsubscribe send an email to users-leave(a)ovirt.org
> > > > > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > > > > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > > > > List Archives: https://lists.ovirt.org/archives/list/users(a)ovirt.org/message/S4I2I3MID4A4AYXVOLWKU55563DFKEFQ/
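The regexp escaping point made in the thread above (that the blog's "\\" had to become "\\\\" in openid-http-mapping.properties, and that the resulting syntax error was hidden behind a generic login error) comes down to two layers of unescaping: java.util.Properties consumes one backslash before the regex engine ever sees the value. The script below is an added example and is not code from this thread, from the blog post or from oVirt. It applies the Properties unescaping to the value exactly as typed after the "=" in the file, then compiles what is left as a regex, so both spellings can be compared offline. The group names domain and user, the simplified pattern and the sample principal CORP\anton@openidchttp are assumptions made for the illustration (the thread's own copies lost their named groups to HTML stripping); Python's (?P<name>...) stands in for Java's (?<name>...), and Python's re.error stands in for the PatternSyntaxException the engine would raise.

```python
r"""Why a literal backslash in config.mapAuthRecord.regex.pattern needs four
backslashes in a Java .properties file.

Added example, not code from the thread or from oVirt. java.util.Properties
unescapes the value before the regex engine sees it, so two backslashes in
the file reach the regex as one, which then escapes whatever follows instead
of matching a literal backslash. Group names and the sample principal are
assumptions; Python needs (?P<name>...) where Java uses (?<name>...).
"""
import re
from typing import Optional

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def java_properties_unescape(raw: str) -> str:
    r"""Unescape a single-line value the way java.util.Properties.load() does.

    \\ becomes one backslash, \t \n \r \f become the control character,
    \uXXXX becomes the code point, and any other \X becomes X (the
    backslash is dropped). A trailing lone backslash is dropped as well.
    """
    out = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        e = raw[i]
        if e == "u":
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append(_SIMPLE_ESCAPES.get(e, e))
            i += 1
    return "".join(out)


def compile_mapping_pattern(file_value: str) -> re.Pattern:
    """Compile the pattern the engine would see: the .properties text after
    '=' with Properties unescaping applied. Raises re.error for a value that
    is not a valid regex, the failure the thread says is hidden behind a
    generic login error."""
    return re.compile(java_properties_unescape(file_value))


def map_principal(file_value: str, principal: str) -> Optional[dict]:
    """Apply the mapping regex to a principal and return its named groups,
    or None when the principal does not match."""
    m = compile_mapping_pattern(file_value).match(principal)
    return m.groupdict() if m else None


def pattern_error(file_value: str) -> Optional[str]:
    """Return the regex compiler's message for a broken file value, or None
    if it compiles. Run this on the value before restarting the engine."""
    try:
        compile_mapping_pattern(file_value)
        return None
    except re.error as exc:
        return str(exc)


# Both spellings from the thread reduced to the part that matters: a literal
# backslash between a domain and a user name (assumed simplified pattern).
# Four backslashes in the file -> two after unescaping -> one literal
# backslash for the regex engine.
FILE_VALUE_ESCAPED = r"^(?P<domain>[^@]*?)\\\\(?P<user>[^@]*)@.*$"
# Two backslashes in the file -> one after unescaping -> "\(" now escapes
# the opening parenthesis, the group never opens and the pattern is broken.
FILE_VALUE_BLOG = r"^(?P<domain>[^@]*?)\\(?P<user>[^@]*)@.*$"


if __name__ == "__main__":
    sample = r"CORP\anton@openidchttp"  # constructed sample principal
    print("escaped regex :", java_properties_unescape(FILE_VALUE_ESCAPED))
    print("mapping       :", map_principal(FILE_VALUE_ESCAPED, sample))
    print("blog regex    :", java_properties_unescape(FILE_VALUE_BLOG))
    print("blog error    :", pattern_error(FILE_VALUE_BLOG))
```

The useful habit this encodes: treat the .properties line as two languages stacked on top of each other and validate the inner one separately, because the engine's own error message, as the thread reports, will not tell you that the regex failed to compile.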