oVirt Keycloak internal SSO revert procedure:

First of all this is rather a Dev approach and in a real Production environment regular 'restore from previous backup and run setup' approach should be used.

I have tested this only on my very simplified dev environment.

Please make sure to backup any existing setup before proceding

On the engine host:

1. Disable external SSO in oVirt Engine

edit:

/etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf

end update the following properties:

KEYCLOAK_BUNDLED=false

ENGINE_SSO_ENABLE_EXTERNAL_SSO=false

2. Disable HTTPD openidc configuration

remove/rename /etc/httpd/conf.d/internalsso-openidc.conf

ie.

mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled

3. Update oVirt OVN provider (if configured)

edit

/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

and remove or comment out the following property:

ovirt-admin-user-name=admin@ovirt@internalsso

4 Run setup to update all answers and postinstall configurations:

$ engine-setup –offline --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False"

5. Update Grafana OAuth configuration (if configured on the same host as the engine)

NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.

Update highlighted sections

/etc/grafana/grafana.ini

Locate [auth.generic_oauth] section

[auth.generic_oauth]

name = oVirt Engine Auth

enabled = true

allow_sign_up = false

client_id = ovirt-grafana

client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs"""

scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority

role_attribute_path =

email_attribute_name = email

auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize

token_url = https://ENGINE/ovirt-engine/sso/openid/token

api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo

team_ids =

allowed_organizations =

tls_skip_verify_insecure = false

tls_client_cert =

tls_client_key =

tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem

send_client_credentials_via_post = false

I was unable to retrieve the originally created client_secret for grafana client id (ovirt-grafana).

But it is possible to create a new one. Just make sure to backup that secret for future upgrades.

$ ovirt-register-sso-client-tool --callback-prefix-url='https://ENGINE_FQDN/ovirt-engine-grafana/’

'--client-ca-location={ca_pem} ' #ie. /etc/pki/ovirt-engine/ca.pem

'--client-id=ovirt-grafana2 ' # or anything else other than ‘ovirt-grafana’

'--encrypted-userinfo=false '

'--conf-file-name={tmp_conf}' # ie. /tmp/99-client-register.conf

This command will create and register a new client that can be used for grafana oauth setup.

The necessary configuration details will be store in filesystem under location defined by '--conf-file-name={tmp_conf}'

6. Restart services

ovirt-engine
httpd
ovirt-provider-ovn (if configured)
grafana-server (if configured on the same host as oVirt Engine)

7. Login to oVirt Admin Panel using legacy AAA credentials (username: admin, profile: internal, provided password)

and update oVirt OVN provider credentials so that username is 'ovirt@internal'

From side panel choose:

Administration -> Providers -> ovirt-provider-ovn

Click Edit for ovirt-provider-ovn and update the ‘Username’ field to contain ‘admin@internal’.

If you run engine-setup with the defaults, the password is the same.

Next, scroll down, click ‘Test’ and make sure it is successful before submitting the change.

Up to my best knowledge these steps should be sufficient to fully revert to legacy AAA on the existing Keycloak enabled environment.

Fingers crossed!

Artur