Hi,

With Ovirt 4.5.1 release [1], the Keycloak based authentication is enabled by default for fresh/new installations.

Here [2] you can find some usage scenarios describing when/how it is enabled.

In short - if you just want to login to oVirt Admin / VM / Monitoring portal, please use 'admin@ovirt' user and the password provided during engine-setup.

There is ongoing work to make it more explicit [3] and it will be addressed soon.

For  Rest API access, the full user with profile name is required as username:  admin@ovirt@internalsso

Here is a sample 'curl' illustrating the flow:

$ curl -k -H "Accept: application/json" 'https://ENGINE_FQDN/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@ovirt@internalsso&password=SECRET&scope=ovirt-app-api'

And the token response:

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEdS10MlVQd0JaZ0gtRU1JUkRTRHFxNFZIOUhZbnc4Nkk5QUlGOERxZ1l3In0.eyJleHAiOjE2NTcyMTY5MzAsImlhdCI6MTY1NzE5OTY1MCwianRpIjoiNTAwOWVkMmItMjc3ZS00YjVmLWEwOTItMjI4MDhkMWFhMWJjIiwiaXNzIjoiaHR0cHM6Ly9kZXYzLmRvbS9vdmlydC1lbmdpbmUtYXV0aC9yZWFsbXMvb3ZpcnQtaW50ZXJuYWwiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMjczMTlkODMtYjdkYy00MzU2LTllMmQtYjJmNzg5NWI3YjczIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib3ZpcnQtZW5naW5lLWludGVybmFsIiwic2Vzc2lvbl9zdGF0ZSI6IjNmODM5NjY2LTQyNzUtNDRhNC1hNDRhLTM3Njc5MzgxNDRiOCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cHM6Ly9kZXYzLmRvbSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1vdmlydC1pbnRlcm5hbCIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im92aXJ0LWV4dD10b2tlbi1pbmZvOnB1YmxpYy1hdXRoei1zZWFyY2ggb3ZpcnQtYXBwLWFwaSBvdmlydC1leHQ9dG9rZW46cGFzc3dvcmQtYWNjZXNzIG92aXJ0LWV4dD10b2tlbi1pbmZvOmF1dGh6LXNlYXJjaCBvdmlydC1leHQ9dG9rZW4taW5mbzp2YWxpZGF0ZSBlbWFpbCBwcm9maWxlIiwic2lkIjoiM2Y4Mzk2NjYtNDI3NS00NGE0LWE0NGEtMzc2NzkzODE0NGI4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsiL292aXJ0LWFkbWluaXN0cmF0b3IiXSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW5Ab3ZpcnQiLCJlbWFpbCI6ImFkbWluQGxvY2FsaG9zdCJ9.Ov2IJ-ghtXSB6eb7osWZgT_yeb4prBgVzUU9vAY_VMoDr-ie5bMYBUyinYvNHWpBbYaFGNjg6bC7PHz3-s5H1rxXN1wH13wtIlO4obUbPt8wEb58Slrr42kXBoLLLDrXE3Af9LlabtNjJ0z-a5reSUZmOdVYiJl9sEF4YwG9177mwUSJz7VLQAI1hKN1pg6Ox1sJj2fBwdBqjIiRXsw-KBwoMQx9JmuMk9wCr5-gI5f8I-9Vqizb8Lf5ZJ4SMf35Wy3R8dwQeXXau_7t5zDe9wO9wnc9RfOMCuDCc359-oLDFmtrahgrMjmDx5YrQHol6jC43S_7gQ_2IPLE_TlqiQ","scope":"ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access","exp":"9223372036854775807","token_type":"bearer"}%

Now lets use access token to authenticate and fetch hosts:

$ curl -k -H  "Accept: application/json"  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEdS10MlVQd0JaZ0gtRU1JUkRTRHFxNFZIOUhZbnc4Nkk5QUlGOERxZ1l3In0.eyJleHAiOjE2NTcyMTY5MzAsImlhdCI6MTY1NzE5OTY1MCwianRpIjoiNTAwOWVkMmItMjc3ZS00YjVmLWEwOTItMjI4MDhkMWFhMWJjIiwiaXNzIjoiaHR0cHM6Ly9kZXYzLmRvbS9vdmlydC1lbmdpbmUtYXV0aC9yZWFsbXMvb3ZpcnQtaW50ZXJuYWwiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMjczMTlkODMtYjdkYy00MzU2LTllMmQtYjJmNzg5NWI3YjczIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib3ZpcnQtZW5naW5lLWludGVybmFsIiwic2Vzc2lvbl9zdGF0ZSI6IjNmODM5NjY2LTQyNzUtNDRhNC1hNDRhLTM3Njc5MzgxNDRiOCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cHM6Ly9kZXYzLmRvbSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1vdmlydC1pbnRlcm5hbCIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im92aXJ0LWV4dD10b2tlbi1pbmZvOnB1YmxpYy1hdXRoei1zZWFyY2ggb3ZpcnQtYXBwLWFwaSBvdmlydC1leHQ9dG9rZW46cGFzc3dvcmQtYWNjZXNzIG92aXJ0LWV4dD10b2tlbi1pbmZvOmF1dGh6LXNlYXJjaCBvdmlydC1leHQ9dG9rZW4taW5mbzp2YWxpZGF0ZSBlbWFpbCBwcm9maWxlIiwic2lkIjoiM2Y4Mzk2NjYtNDI3NS00NGE0LWE0NGEtMzc2NzkzODE0NGI4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsiL292aXJ0LWFkbWluaXN0cmF0b3IiXSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW5Ab3ZpcnQiLCJlbWFpbCI6ImFkbWluQGxvY2FsaG9zdCJ9.Ov2IJ-ghtXSB6eb7osWZgT_yeb4prBgVzUU9vAY_VMoDr-ie5bMYBUyinYvNHWpBbYaFGNjg6bC7PHz3-s5H1rxXN1wH13wtIlO4obUbPt8wEb58Slrr42kXBoLLLDrXE3Af9LlabtNjJ0z-a5reSUZmOdVYiJl9sEF4YwG9177mwUSJz7VLQAI1hKN1pg6Ox1sJj2fBwdBqjIiRXsw-KBwoMQx9JmuMk9wCr5-gI5f8I-9Vqizb8Lf5ZJ4SMf35Wy3R8dwQeXXau_7t5zDe9wO9wnc9RfOMCuDCc359-oLDFmtrahgrMjmDx5YrQHol6jC43S_7gQ_2IPLE_TlqiQ" 'https://ENGINE_FQDN/ovirt-engine/api/hosts'

In order to change default Keycloak configuration or set up any additional identity providers you need to access the Keycloak Administration Panel (https://YOUR_ENGINE_FQDN/ovirt-engine-auth/admin).

By default, on a fresh installation, you can login using 'admin' and the password provided during engine-setup.

Keycloak allows to easily use all the features that were previously supported by oVirt in-house authentication implementation plus many more almost for free - multi factor authentication,  3rd party identity providers (ie. github, google, facebook etc.) just to name a few.

For more information please see the Keycloak's documentation [4].

[1] https://www.ovirt.org/release/4.5.1/#keycloak-sso-setup-for-ovirt-engine

[2] https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md

[3] https://bugzilla.redhat.com/show_bug.cgi?id=2101474

[4] https://www.keycloak.org/archive/documentation-15.0.html

Please, let us know if you have any questions/concerns.

Last, but not least, any contributions or bug reports are more than welcomed!

thanks!

Artur

--