Hi,

As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2021497, from oVirt 4.5.1, for new installations we are configuring an internal instance of Keycloak to provide authentication for the oVirt engine.
oVirt AAA providers have been deprecated, and even though they continue to work and there are no plans at the moment to remove them, it's advised to plan the switch to Keycloak. So here are possible scenarios:

1. New oVirt 4.5.1+ deployments -> it's advised to use either internal or external Keycloak to provide authentication
2. New oVirt 4.5.1+ deployment with AAA -> it's possible during the engine-setup phase of the installation process to choose to use AAA instead of Keycloak
3. Upgrade of older oVirt releases to 4.5.1+
    a. If the old installation used AAA, then during the upgrade nothing changes and the upgraded setup will continue to use AAA
    b. If the old installation used Keycloak, then during the upgrade nothing changes and the upgraded setup will continue to use Keycloak
4. If administrators want to switch from AAA to internal Keycloak in oVirt 4.5.1+, there is an automated way to do it using engine-setup: https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md#reconfiguration-from-ovirt-451-and-above
5. If administrators want to switch from AAA to external Keycloak, there is a manual procedure described in https://www.ovirt.org/documentation/administration_guide/index.html#Configuring_Red_Hat_SSO and https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

For now, the documentation around the internal Keycloak instance is available at https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md and in the near future it will be incorporated into the official oVirt documentation at https://www.ovirt.org/documentation/

For Keycloak-related documentation, please refer to https://www.keycloak.org/documentation

Regards,
Martin


On Tue, Aug 2, 2022 at 11:21 AM r greg <itforums51@gmail.com> wrote:
Someone has provided me the answer, by logging on to Keycloak (https://engine.<FQDN>/ovirt-engine-auth/)
https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md


--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.