oVirt Keycloak internal SSO revert procedure:
First of all, this is rather a dev approach; in a real production environment the regular 'restore from previous backup and run setup' approach should be used.
I have tested this only on my very simplified dev environment.
Please make sure to back up any existing setup before proceeding.
On the engine host:
1. Disable external SSO in oVirt Engine
edit:
/etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf
and update the following properties:
KEYCLOAK_BUNDLED=false
ENGINE_SSO_ENABLE_EXTERNAL_SSO=false
2. Disable HTTPD openidc configuration
remove/rename /etc/httpd/conf.d/internalsso-openidc.conf
i.e.
mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled
3. Update oVirt OVN provider (if configured)
edit
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
and remove or comment out the following property:
ovirt-admin-user-name=admin@ovirt@internalsso
4. Run setup to update all answers and postinstall configurations:
$ engine-setup --offline --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False"
5. Update Grafana OAuth configuration (if configured on the same host as the engine)
NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.
Update the following section in
/etc/grafana/grafana.ini
Locate [auth.generic_oauth] section
[auth.generic_oauth]
name = oVirt Engine Auth
enabled = true
allow_sign_up = false
client_id = ovirt-grafana
client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs"""
scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority
role_attribute_path =
email_attribute_name = email
auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize
token_url = https://ENGINE/ovirt-engine/sso/openid/token
api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem
send_client_credentials_via_post = false
I was unable to retrieve the originally created client_secret for grafana client id (ovirt-grafana).
But it is possible to create a new one. Just make sure to backup that secret for future upgrades.
$ ovirt-register-sso-client-tool \
    --callback-prefix-url='https://ENGINE_FQDN/ovirt-engine-grafana/' \
    --client-ca-location={ca_pem} \
    --client-id=ovirt-grafana2 \
    --encrypted-userinfo=false \
    --conf-file-name={tmp_conf}
(i.e. {ca_pem} = /etc/pki/ovirt-engine/ca.pem, {tmp_conf} = /tmp/99-client-register.conf; --client-id can be anything other than 'ovirt-grafana')
This command will create and register a new client that can be used for grafana oauth setup.
The necessary configuration details will be stored on the filesystem under the location defined by '--conf-file-name={tmp_conf}'.
6. Restart services
ovirt-engine
httpd
ovirt-provider-ovn (if configured)
grafana-server (if configured on the same host as oVirt Engine)
7. Log in to the oVirt Admin Panel using legacy AAA credentials (username: admin, profile: internal, provided password)
and update the oVirt OVN provider credentials so that the username is 'admin@internal'.
From the side panel choose:
Administration -> Providers -> ovirt-provider-ovn
Click Edit for ovirt-provider-ovn and update the ‘Username’ field to contain ‘admin@internal’.
If you run engine-setup with the defaults, the password is the same.
Next, scroll down, click ‘Test’ and make sure it is successful before submitting the change.
Hi,
I will document the required steps to revert from Keycloak. I only need some time to test the procedure. Definitely, it is possible.
Stay tuned, I will post it first here (today).
Artur

On Thu, Jul 28, 2022 at 8:30 AM <markeczzz@gmail.com> wrote:
Ah, I see..
Then, is there any good guide or documentation on how to revert from Keycloak to AAA?
All I could find is how to move from AAA to Keycloak, but not the reverse.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6HNKNAXW2ACO5VAJAH2BTMD3T3BKTUHK/
--Artur Socha
Senior Software Engineer, RHV
Red Hat
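The file edits in steps 1 to 3 of the procedure above, together with the "back up first" advice, collected into a small rehearsal script. This is an added example written for this page, not Artur's procedure verbatim and not oVirt's own tooling. It assumes only the three file paths and property names listed in the post, and addresses them relative to OVIRT_ROOT (default /) so the same edits can be rehearsed on a copy of the engine's /etc before being applied on the live host. It deliberately does not run engine-setup or restart services (steps 4 and 6); those remain manual.

```shell
#!/bin/sh
# Rehearsal/apply script for steps 1-3 of the Keycloak -> legacy AAA revert.
# Added example for this page, not oVirt's own tooling. Only the three
# file paths and property names from the post are assumed; everything is
# addressed relative to OVIRT_ROOT so a copied tree can be used for a dry run.

ENGINE_CONF="etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf"
OPENIDC_CONF="etc/httpd/conf.d/internalsso-openidc.conf"
OVN_CONF="etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf"

# backup_file FILE: keep a timestamped, permission-preserving copy next to FILE.
backup_file() {
    [ -f "$1" ] || return 0
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# get_property FILE KEY: print the current value of KEY=... (empty if unset).
get_property() {
    sed -n "s|^$2=||p" "$1" 2>/dev/null | tail -n 1
}

# set_property FILE KEY VALUE: rewrite KEY=... in place, or append it if absent.
# The file is rewritten through a temp copy so its mode and owner survive.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Step 1: switch off the bundled Keycloak and external SSO in the engine config.
disable_keycloak_engine_conf() {
    f="$1/$ENGINE_CONF"
    backup_file "$f"
    set_property "$f" KEYCLOAK_BUNDLED false
    set_property "$f" ENGINE_SSO_ENABLE_EXTERNAL_SSO false
}

# Step 2: rename the mod_auth_openidc snippet so httpd stops loading it.
disable_openidc_conf() {
    f="$1/$OPENIDC_CONF"
    if [ -f "$f" ]; then
        mv "$f" "$f.disabled" || return 1
    fi
    return 0
}

# Step 3: comment out the Keycloak admin user in the OVN provider config
# (the file is optional; if it is absent the OVN provider is not configured).
disable_ovn_internalsso_user() {
    f="$1/$OVN_CONF"
    [ -f "$f" ] || return 0
    backup_file "$f"
    tmp=$(mktemp) || return 1
    sed 's|^ovirt-admin-user-name=.*@internalsso|# &|' "$f" > "$tmp" &&
        cat "$tmp" > "$f"
    rm -f "$tmp"
}

# verify_reverted ROOT: succeed only when all three edits are in effect.
# Run it again after engine-setup to confirm setup did not undo them.
verify_reverted() {
    root=$1
    [ "$(get_property "$root/$ENGINE_CONF" KEYCLOAK_BUNDLED)" = "false" ] || return 1
    [ "$(get_property "$root/$ENGINE_CONF" ENGINE_SSO_ENABLE_EXTERNAL_SSO)" = "false" ] || return 1
    [ ! -f "$root/$OPENIDC_CONF" ] || return 1
    ! grep -q '^ovirt-admin-user-name=.*@internalsso' "$root/$OVN_CONF" 2>/dev/null
}

# revert_keycloak_sso ROOT: apply steps 1-3 under ROOT and verify the result.
revert_keycloak_sso() {
    disable_keycloak_engine_conf "$1" || return 1
    disable_openidc_conf "$1" || return 1
    disable_ovn_internalsso_user "$1" || return 1
    verify_reverted "$1"
}

# Only touch a tree when explicitly asked; rehearse on a copy first with
#   OVIRT_ROOT=/tmp/engine-copy sh revert-keycloak.sh --apply
if [ "${1:-}" = "--apply" ]; then
    revert_keycloak_sso "${OVIRT_ROOT:-/}" &&
        echo "reverted; now run engine-setup (step 4) and restart services (step 6)"
else
    echo "usage: [OVIRT_ROOT=/path/to/copy] $0 --apply" >&2
fi
```

Rehearse by copying the engine host's /etc to a scratch directory and pointing OVIRT_ROOT at it; `verify_reverted` is also worth running once more after engine-setup has finished, since setup rewrites the same files and the check tells you immediately if it re-enabled anything.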