Hi Theo,

The thing you mentioned, the ovirt-administrator group, is a special construct
whose purpose is to provide a bootstrapped oVirt admin user for new oVirt
installations. This explains why Keycloak users assigned to that group can,
for example, create new VMs.

The Keycloak server bundled into the oVirt setup serves only for authentication,
as opposed to authorization; therefore, it is not required to create a
Keycloak group 'ovirt-student' and match it with an oVirt counterpart.

If I understood correctly, users defined in Keycloak can actually log in to
the oVirt Admin panel and/or to the oVirt VM portal, right?
If that's the case, you're simply missing some (group?) permissions;
these permissions are only managed from within the oVirt admin panel.

One more thing worth mentioning: in order to have some users under a group
defined in oVirt (via the admin panel), you have to manually assign them
there. User & group association defined in Keycloak is not propagated to
oVirt. Although, it could be a nice feature to have!

Perhaps this documentation will help a bit:
https://www.ovirt.org/documentation/virtual_machine_management_guide/inde...

cheers!
Artur
Fri, 13 Jan 2023 at 08:46 <theo.pirkl(a)hesge.ch> wrote:
Hi there,
We've decided to use oVirt for our school datacenter and I'm setting up a
PoC to show it could work for our needs.
So far, I've managed to deploy a single hosted engine to iSCSI by using
the hosted-engine deploy script. So far, so good, I can create VMs, I've
had a few problems, but nothing I couldn't figure out.
What got me confused is the KeyCloak link with oVirt. My goal is to allow
students to register to oVirt so that they can spin up VMs, images, and so
on.
I've created a group in KeyCloak named "ovirt-student" that is
automatically assigned to new users.
I have also linked oVirt to this group by going into the engine web UI and
adding the group to oVirt's group list.
I have given system permissions to the ovirt-student group such as
VMCreator. I've then tried to connect to a dummy user called "test". My
results are as follows:
- The user does not seem to have the correct rights as it cannot create
new VMs in the VM portal;
- The admin interface does not suggest the user is a part of the
ovirt-student group;
However, when I add the test user to the ovirt-administrator group, no
problem at all, the user is an admin, alright.
My question is as follows: what do I need to do so that the groups in
KeyCloak and oVirt are synced?
Thanks a lot,
TP