Hi Theo,
The thing you mentioned - the ovirt-administrator group is a special construct whose purpose is to provide a bootstrapped oVirt admin user for new oVirt installations. This explains why Keycloak users assigned to that group can, for example, create new VMs.

The Keycloak server bundled into the oVirt setup serves only an authentication purpose, as opposed to authorization; therefore, it is not required to create a Keycloak group 'ovirt-student' and match it with an oVirt counterpart.
If I understood correctly - users defined in Keycloak can actually log in to the oVirt Admin panel and/or to the oVirt VM portal, right?
If that's the case - you're simply missing some (group?) permissions - these permissions are only managed from within the oVirt admin panel.
One more thing worth mentioning. In order to have users under a group defined in oVirt (via the admin panel), you have to manually assign them there. User and group associations defined in Keycloak are not propagated to oVirt. That said, it could be a nice feature to have!

Perhaps this documentation will help a bit:
https://www.ovirt.org/documentation/virtual_machine_management_guide/index.html#sect-Virtual_Machines_and_Permissions

cheers!
Artur

Fri, 13 Jan 2023 at 08:46 <theo.pirkl@hesge.ch> wrote:
Hi there,

We've decided to use oVirt for our school datacenter and I'm setting up a PoC to show it could work for our needs.
So far, I've managed to deploy a single hosted engine to iSCSI by using the hosted-engine deploy script. So far, so good, I can create VMs, I've had a few problems, but nothing I couldn't figure out.

What got me confused is the KeyCloak link with oVirt. My goal is to allow students to register to oVirt so that they can spin up VMs, images, and so on.
I've created a group in KeyCloak named "ovirt-student" that is automatically assigned to new users.
I have also linked oVirt to this group by going into the engine web UI and adding the group to oVirt's group list.

I have given system permissions to the ovirt-student group such as VMCreator. I've then tried to connect as a dummy user called "test". My results are as follows:
- The user does not seem to have the correct rights as it cannot create new VMs in the VM portal;
- The admin interface does not suggest the user is a part of the ovirt-student group;

However, when I add the test user to the ovirt-administrator group, no problem at all, the user is an admin, alright.

My question is as follows: what do I need to do so that the groups in KeyCloak and oVirt are synced?

Thanks a lot,

TP
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7VIJCGCGX7CQ6KQKYXX5RSIOISZZKR6Y/