On Wed, 2020-04-22 at 12:28 +0000, Anton Louw wrote:
>
> Hi Artur,
>
> You are a champion! I can access oVirt now. Thank you so much.
>
You're welcome!
I am happy it worked because I had no more ideas what to check next :)
> One last question, can I create additional groups, i.e. Read Only, etc.? And
> then will this be done in KeyCloak or in the oVirt UI?
This ovirt-administrator group is only for accessing (authentication & SSO)
the ovirt engine admin panel and, as far as I understand it, it *** does NOT ***
restrict access to particular engine admin functions. I think that proper
authorization is done only at the engine's UI level. See 'User Authorization'
under https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
>
> Thank you
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> From: Artur Socha <asocha(a)redhat.com>
> Sent: 22 April 2020 13:21
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> > On Wed, 2020-04-22 at 10:42 +0000, Anton Louw wrote:
> > >
> > > Ok so this is definitely looking better. I get an error, but at least
> > > now it is saying: “The user admin@openidchttp is not authorized to
> > > perform login”
> > >
> > > This is strange though, because admin by default should be allowed
> > > access?
> >
> > Well, yes and no :)
> >
> > In order for a user to be considered admin (for ovirt engine) it must
> > belong to keycloak's ovirt-administrator group (in keycloak admin panel
> > see Manage->Groups->Members)
>
> Small clarification:
>
> In keycloak admin panel see Manage -> Groups -> 'ovirt-administrator' -> Members
>
> Note that the group must have the exact name: ovirt-administrator
>
> >
> > I think you are very close to having it up and running.
> >
> > > From: Anton Louw
> > > Sent: 22 April 2020 12:38
> > > To: Artur Socha <asocha(a)redhat.com>; users(a)ovirt.org
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > Perfect, I’ll test and let you know.
> > >
> > > Thanks
> > >
> > > From: Artur Socha <asocha(a)redhat.com>
> > > Sent: 22 April 2020 12:32
> > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > + users(a)ovirt.org
> > >
> > > On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
> > > >
> > > > Hi Artur,
> > > >
> > > > I would just like to make sure I am following correctly, comparing
> > > > your entries against mine.
> > > >
> > > > Your setup:
> > > > ...
> > > > config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > > > ...
> > > >
> > > > My setup:
> > > > …
> > > > config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > > > …
> > > >
> > > > Should I add the additional 2 “\\” in on my side?
> > >
> > > Yes, please try adding it. In my case I learned about this issue by
> > > debugging the code because the real exception generated by incorrect
> > > regexp syntax was hidden behind a generic error message giving no clues
> > > about the true cause.
> > >
> > > >
> > > > Your setup:
> > > > ...
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > > >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> > > >     Require valid-user
> > > >     AuthType openid-connect
> > > >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > > >   </If>
> > > > </LocationMatch>
> > > > …
> > > >
> > > > My setup:
> > > > …
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > > >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> > > >     Require valid-user
> > > >     AuthType openid-connect
> > > >     ErrorDocument 401 "<html><meta http-equiv='refresh' content='0; url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-engine/sso/login-unauthorized'>Here</a></body></html>"
> > > >   </If>
> > > > </LocationMatch>
> > > > …
> > > >
> > > > I remember I had syntax errors, but mine was changed.
> > > >
> > > > Does this look fine to you?
> > >
> > > Yeah, your version looks good too. You have ' instead of " so that is
> > > ok.
> > >
> > > > Thanks
> > > >
> > > > From: Anton Louw
> > > > Sent: 22 April 2020 10:07
> > > > To: Artur Socha <asocha(a)redhat.com>
> > > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > Hi Artur,
> > > >
> > > > Great, I will try the below and let you know. I appreciate your
> > > > efforts.
> > > >
> > > > Sure, you may report it. I was in such a rush that I only hit “reply”
> > > > and not “Reply All”.
> > > >
> > > > I do recall that I had to make some changes to the below as it
> > > > complained about syntax errors:
> > > >
> > > > ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > > > </If>
> > > > </LocationMatch>
> > > >
> > > > I will let you know the outcome when I change the below as you
> > > > suggested.
> > > >
> > > > Cheers
> > > >
> > > > From: Artur Socha <asocha(a)redhat.com>
> > > > Sent: 22 April 2020 09:51
> > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
> > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > I checked your logs and I did not notice anything suspicious.
> > > > However, now I recall I made some changes compared to the blog post
> > > > example:
> > > >
> > > > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> > > > I added escaping in the regexp for '\'
> > > > ...
> > > > config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > > > ...
> > > >
> > > > 2) /etc/httpd/ovirt-openidc.conf
> > > > Escaping for '"' in the error document snippet
> > > > ...
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > > >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> > > >     Require valid-user
> > > >     AuthType openid-connect
> > > >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > > >   </If>
> > > > </LocationMatch>
> > > > ...
> > > >
> > > > These two issues were most probably caused by the blog site rendering.
> > > >
> > > > You might want to check engine.log (or server.log, I'm not really sure
> > > > which one it was) for aaa extension initialization logs. They should
> > > > appear at the beginning just after restarting the engine.
> > > >
> > > > Unfortunately, at the moment I do not have a running keycloak setup (I
> > > > used to have a local VM) but I will try to find some time to set it up
> > > > again once I'm done with another work item that actually consumes
> > > > almost the entire disk space of my 2 machines.
> > > >
> > > > Please let me know if anything changes after applying these config
> > > > changes. If this works for you then I will request the blog post to be
> > > > updated.
> > > >
> > > > Do you mind if I keep (re-post) this discussion back to users@ovirt in
> > > > case others might have similar issues with keycloak integration?
> > > >
> > > > A.
> > > >
> > > > On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> > > > >
> > > > > Hi Artur,
> > > > >
> > > > > Thank you for the reply. The post [1] is actually the main source
> > > > > of information I worked from in order to get everything configured.
> > > > > In the post [1] I ran through the whole testing section, and
> > > > > everything works as expected. I can see the VMs etc. when using the
> > > > > python script.
> > > > >
> > > > > In my case we are not using ldap as a provider; I tried using
> > > > > keycloak directly as a provider. I am not sure if that is where I am
> > > > > going wrong?
> > > > >
> > > > > I have attached the last part of the apache ssl_access_log when I
> > > > > tried logging in this morning. I have also attached the engine log.
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > > From: Artur Socha <asocha(a)redhat.com>
> > > > > Sent: 21 April 2020 15:20
> > > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> > > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > > > >
> > > > > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > > > > >
> > > > > > Hi Everybody,
> > > > > >
> > > > > Hi Anton,
> > > > >
> > > > > > Has anybody gone the route of using KeyCloak to log in to oVirt?
> > > > > > KeyCloak has been configured and the necessary configs have also
> > > > > > been done on the engine. It redirects perfectly from the oVirt Web
> > > > > > Login page to KeyCloak, but after logging into KeyCloak, I get
> > > > > > redirected back to the oVirt Web Login. When trying to log in
> > > > > > again, I get the below error:
> > > > > >
> > > > > > server_error: Missing parameter: 'params'
> > > > > >
> > > > > Not so long ago I managed to set up ovirt engine with keycloak (using
> > > > > ldap as the users provider). Hopefully, I will be able to help you
> > > > > with it.
> > > > >
> > > > > There is an excellent blog post [1] available. You might also check
> > > > > the keycloak+ldap post [2]; however, when I was working on the
> > > > > integration I was not aware of it and did not test it.
> > > > >
> > > > > The error you mentioned does not really indicate what exactly is
> > > > > wrong, but it might suggest that there is some sort of
> > > > > misconfiguration with apache (you need to install and configure
> > > > > mod_auth_openidc as described at [1]). At least that happened in my
> > > > > case.
> > > > >
> > > > > In case you have already gone through it you could probably check
> > > > > the apache logs.
> > > > >
> > > > > Under [1] there is a python script that can be used to check api
> > > > > calls; please update username/password and test it against your
> > > > > environment.
> > > > >
> > > > > Would it be possible to post the relevant piece of apache logs
> > > > > together with engine.log?
> > > > >
> > > > > [1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
> > > > > [2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
> > > > >
> > > > > Artur
> > > > >
> > > > > > I have checked all the logs, but nothing is telling me what
> > > > > > exactly the issue is.
> > > > > >
> > > > > > If anybody has any idea, please let me know.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > _______________________________________________
> > > > > > Users mailing list -- users(a)ovirt.org
> > > > > > To unsubscribe send an email to users-leave(a)ovirt.org
> > > > > > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > > > > > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > > > > > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/S4I2I3MID4A...
>
> > > >
>
>
>
>
>
>
>
>
>
>
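The escaping fix the thread settles on (`\\` in the blog post's regex versus `\\\\` in Artur's working file) comes from the .properties value passing through two escape layers: java.util.Properties.load() first collapses `\\` to a single backslash, and only that result reaches the regex compiler, where a lone `\(` turns the `(?<at>@)` group into a literal parenthesis and leaves a `)` unmatched. The script below is an added example written for this thread, not code from oVirt, Keycloak or the blog post. It reproduces the Properties unescaping rule in Python (so it can run without an engine), translates Java's `(?<name>...)` groups to Python's `(?P<name>...)` spelling, shows that the single-escaped line is rejected while the double-escaped one compiles, and then applies the compiled mapping to `admin@openidchttp`, the principal from Anton's error message. The second principal, `jdoe\@corp@openidchttp`, is constructed only to exercise the backslash branch; the thread does not say what principal form the engine actually receives there.

```python
# Added example: why openid-http-mapping.properties needs four backslashes
# where the blog post showed two.  The value crosses two escape layers:
# java.util.Properties.load() collapses "\\" to "\", and only the result
# reaches the regex compiler.  Illustrative code written for this thread,
# not code from oVirt, Keycloak or the blog post.
import re

# Constructed copies of the two properties lines compared in the thread
# (raw strings, so the backslashes are exactly what the file would hold).
BLOG_LINE = (
    r"config.mapAuthRecord.regex.pattern = "
    r"^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"
)
FIXED_LINE = (
    r"config.mapAuthRecord.regex.pattern = "
    r"^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"
)

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_value(line: str) -> str:
    # Locate the first unescaped '=' or ':' (Properties accepts either as
    # the key/value separator) and take everything after it as the raw value.
    key_end = None
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # an escaped character can never be the separator
            continue
        if line[i] in "=:":
            key_end = i
            break
        i += 1
    raw = line[key_end + 1:].lstrip() if key_end is not None else ""
    # Apply the Properties.load() escape rules: \t \n \r \f and \uXXXX are
    # decoded; any other backslash-x pair becomes x, so "\\" -> "\".
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1] if i + 1 < len(raw) else ""
        if nxt == "u":
            out.append(chr(int(raw[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def compile_java_regex(pattern: str) -> re.Pattern:
    # Python spells named groups (?P<name>...); Java uses (?<name>...).  That
    # spelling is the only thing translated, so the parenthesis structure,
    # which is what breaks in the single-escaped version, is judged as-is.
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern))


def check(line: str) -> str:
    # Report the regex text the engine actually sees and whether it compiles.
    value = properties_value(line)
    try:
        compile_java_regex(value)
    except re.error as exc:
        return f"{value!r}: REJECTED ({exc})"
    return f"{value!r}: ok"


def map_principal(pattern: str, principal: str) -> dict:
    # Named groups the mapping regex captured for one authenticated principal
    # (None for groups on the branch not taken); {} when nothing matches.
    m = compile_java_regex(pattern).fullmatch(principal)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print(check(BLOG_LINE))   # one backslash reaches the regex: unmatched ')'
    print(check(FIXED_LINE))  # two backslashes: a literal '\' before the group
    good = properties_value(FIXED_LINE)
    # First principal is the one from Anton's error message; the second is
    # constructed only to exercise the backslash branch of the pattern.
    for who in ("admin@openidchttp", "jdoe\\@corp@openidchttp"):
        print(who, "->", map_principal(good, who))
```

The same double-escaping applies to any other regex metacharacter written with a backslash in a .properties value (`\\.`, `\\d` and so on); the generic "not authorized" message the engine showed gives no hint of it, so running the stored value through a check like this before restarting the engine saves a debugging session.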