oVirt Keycloak internal SSO revert procedure:


First of all, this is rather a dev approach; in a real production environment the regular 'restore from previous backup and run setup' approach should be used.

I have tested this only on my very simplified dev environment.


Please make sure to back up any existing setup before proceeding.


On the engine host:


1. Disable external SSO in oVirt Engine

edit:

 /etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf

and update the following properties:

KEYCLOAK_BUNDLED=false

ENGINE_SSO_ENABLE_EXTERNAL_SSO=false


2. Disable HTTPD openidc configuration

remove/rename /etc/httpd/conf.d/internalsso-openidc.conf

i.e.

mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled


3. Update oVirt OVN provider (if configured)

edit 

/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

and remove or comment out the following property:

ovirt-admin-user-name=admin@ovirt@internalsso


4. Run setup to update all answers and postinstall configurations:

$ engine-setup --offline --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False"


5. Update Grafana OAuth configuration (if configured on the same host as the engine)


NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.


Update the highlighted sections in /etc/grafana/grafana.ini; locate the [auth.generic_oauth] section:

[auth.generic_oauth]
name = oVirt Engine Auth
enabled = true
allow_sign_up = false
client_id = ovirt-grafana
client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs"""
scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority
role_attribute_path =
email_attribute_name = email
auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize
token_url = https://ENGINE/ovirt-engine/sso/openid/token
api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem
send_client_credentials_via_post = false


I was unable to retrieve the originally created client_secret for grafana client id (ovirt-grafana). 

But it is possible to create a new one. Just make sure to backup that secret for future upgrades. 


$ ovirt-register-sso-client-tool \
    --callback-prefix-url='https://ENGINE_FQDN/ovirt-engine-grafana/' \
    --client-ca-location={ca_pem} \
    --client-id=ovirt-grafana2 \
    --encrypted-userinfo=false \
    --conf-file-name={tmp_conf}

where {ca_pem} is the CA certificate, i.e. /etc/pki/ovirt-engine/ca.pem, {tmp_conf} is the output file, i.e. /tmp/99-client-register.conf, and the client id can be anything other than 'ovirt-grafana'.


This command will create and register a new client that can be used for grafana oauth setup.

The necessary configuration details will be stored on the filesystem under the location defined by '--conf-file-name={tmp_conf}'.


6. Restart services



7. Log in to the oVirt Admin Panel using legacy AAA credentials (username: admin, profile: internal, provided password)

and update oVirt OVN provider credentials so that username is 'ovirt@internal'


From side panel choose:

Administration -> Providers -> ovirt-provider-ovn


Click Edit for ovirt-provider-ovn and update the ‘Username’ field to contain ‘admin@internal’.

If you run engine-setup with the defaults, the password is the same.

Next, scroll down, click ‘Test’ and make sure it is successful before submitting the change.




To the best of my knowledge, these steps should be sufficient to fully revert to legacy AAA on the existing Keycloak-enabled environment.

Fingers crossed!
Artur





On Thu, Jul 28, 2022 at 8:46 AM Artur Socha <asocha@redhat.com> wrote:
Hi,
I will document the required steps to revert from Keycloak. I only need some time  to test the procedure.
Definitely, it is possible.

Stay tuned, I will post it first here (today)

Artur

On Thu, Jul 28, 2022 at 8:30 AM <markeczzz@gmail.com> wrote:
Ah, I see..
Then, is there any good guide or documentation how to revert from Keycloak to AAA?
All I could find is how to move from AAA to Keycloak, but not reverse.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6HNKNAXW2ACO5VAJAH2BTMD3T3BKTUHK/


--
Artur Socha
Senior Software Engineer, RHV
Red Hat


--
Artur Socha
Senior Software Engineer, RHV
Red Hat
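The file edits in steps 1 through 3 of the procedure above, as an added example that is not part of the original post: shell functions that apply the engine.conf, httpd and OVN provider changes with a backup first, plus a check of the resulting on-disk state. The functions take an assumed ROOT prefix (empty on the real engine host) so the same code can be rehearsed on a copy of /etc; all function and variable names are mine, only the paths and property values come from the post.

```shell
# Added example (not from the original post): steps 1-3 of the revert as
# shell functions under a configurable ROOT, so they can be rehearsed on a
# copy of the config tree first. All function and variable names are assumed.
ROOT="${ROOT:-}"
set_paths() {
    ENGINE_CONF="$ROOT/etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf"
    OIDC_CONF="$ROOT/etc/httpd/conf.d/internalsso-openidc.conf"
    OVN_CONF="$ROOT/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf"
}
# Keep a timestamped copy of a file before modifying it.
backup_file() {
    if [ -f "$1" ]; then cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"; fi
}
# Replace KEY=... in FILE with KEY=VALUE, appending the line if KEY is absent.
set_property() {  # set_property FILE KEY VALUE
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
# Step 1: switch bundled Keycloak and external SSO off in the engine config.
revert_engine_sso() {
    set_paths; backup_file "$ENGINE_CONF"
    set_property "$ENGINE_CONF" KEYCLOAK_BUNDLED false
    set_property "$ENGINE_CONF" ENGINE_SSO_ENABLE_EXTERNAL_SSO false
}
# Step 2: rename the mod_auth_openidc snippet so httpd no longer loads it.
disable_openidc() {
    set_paths
    if [ -f "$OIDC_CONF" ]; then mv "$OIDC_CONF" "$OIDC_CONF.disabled"; fi
}
# Step 3: comment out the internalsso admin user of the OVN provider, if present.
disable_ovn_sso_user() {
    set_paths
    if [ -f "$OVN_CONF" ]; then
        backup_file "$OVN_CONF"
        sed -i 's|^ovirt-admin-user-name=admin@ovirt@internalsso|#&|' "$OVN_CONF"
    fi
}
# Check the on-disk state afterwards: returns 0 if fully reverted, 1 otherwise.
verify_reverted() {
    set_paths
    grep -q '^KEYCLOAK_BUNDLED=false$' "$ENGINE_CONF" || return 1
    grep -q '^ENGINE_SSO_ENABLE_EXTERNAL_SSO=false$' "$ENGINE_CONF" || return 1
    [ ! -f "$OIDC_CONF" ] || return 1
    if [ -f "$OVN_CONF" ]; then
        ! grep -q '^ovirt-admin-user-name=admin@ovirt@internalsso' "$OVN_CONF" || return 1
    fi
}
```

Run the three functions in order and then verify_reverted before continuing with engine-setup (step 4); the .bak copies are the fallback if anything has to be put back.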