[ovirt-users] Re: KeyCloak Integration

Hi Artur, Please see below: ovirt-engine.noarch 4.3.10.4-1.el7 @ovirt-4.3 ovirt-engine-extension-aaa-misc.noarch 1.0.4-1.el7 @ovirt-4.3 mod_auth_openidc.x86_64 1.8.8-5.el7 @base [root@virt ~]# cat /etc/*elease CentOS Linux release 7.7.1908 (Core) NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" CentOS Linux release 7.7.1908 (Core) CentOS Linux release 7.7.1908 (Core) KeyCloak – Server Version 10.0.1 Thanks a lot for your help Artur. Please let me know if you need anything else. From: Artur Socha <asocha(a)redhat.com&gt; Sent: 19 June 2020 12:39 To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org Cc: Stephen Hutchinson <Stephen.Hutchinson(a)voxtelecom.co.za&gt; Subject: Re: [ovirt-users] KeyCloak Integration On Fri, 2020-06-19 at 10:21 +0000, Anton Louw wrote: > > Yes I didn’t get to the OVN part yet, as I first wanted to test the if the > token can be obtained. > > This is the first time we are testing KeyCloak in any environment, so we > have never been able to obtain a token for API access. > Please post the exact versions of: - ovirt-engine* : yum list --installed | grep ovirt-engine yum list --intalled | grep ovirt-engine-extension-aaa-misc yum list --installed | grep mod_auth_openidc - keycloak - OS cat /etc/*elease I'll submit a bug ... which, most likely, I will assign to myself anyway :) Artur Anton Louw Cloud Engineer: Storage and Virtualization at Vox T: 087 805 0000 | D: 087 805 1572 M: N/A E: anton.louw(a)voxtelecom.co.za A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg www.vox.co.za > Thanks > > > > From: Artur Socha <asocha(a)redhat.com&gt; > > > Sent: 19 June 2020 12:16 > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; > users(a)ovirt.org > > Cc: Stephen Hutchinson <Stephen.Hutchinson(a)voxtelecom.co.za&gt; > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > On Fri, 2020-06-19 at 10:03 +0000, Anton Louw wrote: > > > > > Hi Artur, > > > > Sure, please see below output: > > > > [root@virt ~]# curl -vvv -H "Accept:application/json" ' > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=passwo... > > * About to connect() to > > virt.example.co.za port 443 (#0) > > * Trying > > 127.0.0.1... > > * Connected to > > virt.example.co.za (127.0.0.1) port 443 (#0) > > * Initializing NSS with certpath: sql:/etc/pki/nssdb > > * CAfile: /etc/pki/tls/certs/ca-bundle.crt > > CApath: none > > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > > * Server certificate: > > * subject: CN=*.example.co.za,OU=Domain Control Validated > > * start date: Sep 25 07:46:12 2019 GMT > > * expire date: Oct 02 07:39:01 2020 GMT > > * common name: *example.co.za > > * issuer: CN=Starfield Secure Certificate Authority - G2,OU= > > http://certs.starfieldtech.com/repository/,O="Starfield Technologies, > > Inc.",L=Scottsdale,ST=Arizona,C=US > > > GET /ovirt- > > engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass > > &scope=ovirt-app-api HTTP/1.1 > > > User-Agent: curl/7.29.0 > > > Host: > > virt.example.co.za > > > Accept:application/json > > > > > < HTTP/1.1 400 Bad Request > > < Date: Fri, 19 Jun 2020 09:52:11 GMT > > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips > > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; > > Expires=Wed, 07-Jul-2088 13:06:18 GMT > > < X-XSS-PROTECTION: 1; MODE=BLOCK > > < X-CONTENT-TYPE-OPTIONS: NOSNIFF > > < X-FRAME-OPTIONS: SAMEORIGIN > > < Content-Type: application/json > > < Content-Length: 233 > > < Connection: close > > < > > * Closing connection 0 > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token- > > info:public-authz-search ovirt-ext=token-info:validate ovirt- > > ext=token:password-access."} > > > > 1) Test connection using python script (from the blog post ) using sdk. I > > suspect it will not work either. > > Testing from Python gives me the same error as well. > > > > 2) I saw some errors in the log on revoking token. Please go to keycloak > > admin panel, and under users kill all its active sessions. Then, please > > without logging in to engine admin UI, use that curl > > to obtain token. > > Tested this again, but still getting the below: > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token- > > info:public-authz-search ovirt-ext=token-info:validate > > ovirt-ext=token:password-access."} > > > > Thanks for these test ... unfortunately nothing helped > > > > > > > > > 3) Does it work without OVN integration enabled? > > Can you explain a bit more? How can I disable OVN integration to test > > this? > > > > > I had in mind reverting OVN vs Keycloak integration done according to > "Configuring OVN" chapter in > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o... > > > > Unless, of course, you skipped it. > > > > > > > Most likely you found a bug. Have you ever been able to obtain token for api > access with keycloak integration (even with you previous environments)? > > > I am now trying to understand what happened and how to reproduce it before > submitting the bug into > > http://bugzilla.redhat.com > > > > > > > > > Anton Louw > > > > > Cloud Engineer: Storage and Virtualization > at Vox > > > > > > > > > > > > T: > 087 805 0000 | > D: 087 805 1572 > > M: N/A > > E: > anton.louw(a)voxtelecom.co.za > > A: Rutherford Estate, > 1 Scott Street, Waverley, Johannesburg > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > T: > > 087 805 0000 | > > D: 087 805 1572 > > > > M: N/A > > > > E: > > anton.louw(a)voxtelecom.co.za > > > > A: Rutherford Estate, > > 1 Scott Street, Waverley, Johannesburg > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Artur Socha <asocha(a)redhat.com&gt; > > > > > > Sent: 19 June 2020 11:40 > > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; > > users(a)ovirt.org > > > > Cc: Stephen Hutchinson <Stephen.Hutchinson(a)voxtelecom.co.za&gt; > > > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > > > > > > On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote: > > > > > > > > Hi Artur, > > > > > > Thank you for the quick response. > > > > > > I have actually tried creating another user, but I still get the same > > > error. I have attached the output of curl -vvv as well as the logs the > > > engine and keycloak logs. > > > > > > > > > > This `curl -vvv ...` is actually is incorrect because it is missing -H > > before 'Accept' header. However, previous attempts that led to this error > > seemed to be fine. Could you just re-send output of > > the correct curl? > > > > > > > > > > > > There are few things we can test to try to narrow down the root cause: > > > > > > > > > > > > 1) Test connection using python script (from the blog post ) using sdk. I > > suspect it will not work either. > > > > > > > > > > > > 2) I saw some errors in the log on revoking token. Please go to keycloak > > admin panel, and under users kill all its active sessions. Then, please > > without logging in to engine admin UI, use that curl > > to obtain token. > > > > > > > > > > > > 3) Does it work without OVN integration enabled? > > > > > > > > > > > > Artur > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > T: > > > 087 805 0000 | > > > D: 087 805 1572 > > > > > > M: N/A > > > > > > E: > > > anton.louw(a)voxtelecom.co.za > > > > > > A: Rutherford Estate, > > > 1 Scott Street, Waverley, Johannesburg > > > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Artur Socha <asocha(a)redhat.com&gt; > > > > > > > > > Sent: 19 June 2020 10:23 > > > > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; > > > users(a)ovirt.org > > > > > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > > > > > > > > > > > O > > > > > > > > > n Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote: > > > > > > > > > > > Hi Everybody, > > > > > > > > > > > > > > > Hi Anton, > > > > > > > > > > > So I have implemented KeyCloak into our oVirt environment, which > > > > works, up until a point. So WebUI access works, but when calling the > > > > API, using: > > > > > > > > curl -k -H "Accept: application/json" ' > > > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=passwo... > > > > > > > > I get the below error: > > > > > > > > {"error_description":"Cannot authenticate user Invalid scopes: ovirt- > > > > app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search > > > > ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate > > > > ovirt-ext=token:password-access.","error":"access_denied"} > > > > > > > > If my configs are removed, and I use “admin@internal” for my username, > > > > then it works. > > > > > > > > I followed the below article step by step, and I double checked that > > > > all the scopes are added into KeyCloak (ovirt-app-api and ovirt-app- > > > > admin) > > > > > > > > > > > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o... > > > > > > > > Anybody have any ideas? > > > > > > > > > > > > > > > It is my blind shot but could create & check another user? > > > > > > > > > > > > > > > > > > One more thing to check please use curl -vvv to check if there are any > > > redirects along the way. > > > > > > > > > > > > I will check keycloak settings on my setup - perhaps there is something > > > non-obvious that could have been missed. > > > > > > > > > > > > > > > > > > Any chance to get a bit more logs from engine.log and even from > > > keycloak? Perhaps there is something there that could help. > > > > > > > > > > > > > > > > > > Artur > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > T: > > > > 087 805 0000 | > > > > D: 087 805 1572 > > > > > > > > M: N/A > > > > > > > > E: > > > > anton.louw(a)voxtelecom.co.za > > > > > > > > A: Rutherford Estate, > > > > 1 Scott Street, Waverley, Johannesburg > > > > > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Disclaimer > > > > The contents of this email are confidential to the sender and the > > > > intended recipient. Unless the contents are clearly and entirely of a > > > > personal nature, they are subject to copyright > > > > in favour of the holding company of the Vox group of companies. Any > > > > recipient who receives this email in error should immediately report > > > > the error to the sender and permanently delete this email from all > > > > storage devices. > > > > > > > > > > > > > > > > This email has been scanned for viruses and malware, and may have been > > > > automatically archived by > > > > Mimecast Ltd, an innovator in Software as a Service (SaaS) for > > > > business. Providing a > > > > safer and more useful place for your human generated data. > > > > Specializing in; Security, archiving and compliance. To find out more > > > > Click Here. > > > > > > > > _______________________________________________ > > > > Users mailing list -- > > > > > > > > users(a)ovirt.org > > > > > > > > > > > > > > > > > > > > > > > > To unsubscribe send an email to > > > > > > > > users-leave(a)ovirt.org > > > > > > > > > > > > > > > > > > > > > > > > Privacy Statement: > > > > > > > > https://www.ovirt.org/privacy-policy.html > > > > > > > > > > > > > > > > > > > > > > > > oVirt Code of Conduct: > > > > > > > > https://www.ovirt.org/community/about/community-guidelines/ > > > > > > > > > > > > > > > > > > > > > > > > List Archives: > > > > > > > > https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJY... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >