Hi Artur,

 

Great, thanks a lot! 😊

 


Anton Louw
Cloud Engineer: Storage and Virtualization at Vox

T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

F
 
T
 
I
 
L
 
Y
 

From: Artur Socha <asocha@redhat.com>
Sent: 22 June 2020 11:23
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Cc: Stephen Hutchinson <Stephen.Hutchinson@voxtelecom.co.za>
Subject: Re: [ovirt-users] KeyCloak Integration

 

Hi Anton,

Thanks for the specs. I have create BZ issue for tracking:

https://bugzilla.redhat.com/show_bug.cgi?id=1849569

Feel free to add comments/change it when needed.

 

Artur

 

On Fri, 2020-06-19 at 10:57 +0000, Anton Louw wrote:

 

Hi Artur,

 

Please see below:

 

ovirt-engine.noarch                     4.3.10.4-1.el7    @ovirt-4.3

ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7       @ovirt-4.3

mod_auth_openidc.x86_64                 1.8.8-5.el7       @base

 

[root@virt ~]# cat /etc/*elease

CentOS Linux release 7.7.1908 (Core)

NAME="CentOS Linux"

VERSION="7 (Core)"

ID="centos"

ID_LIKE="rhel fedora"

VERSION_ID="7"

PRETTY_NAME="CentOS Linux 7 (Core)"

ANSI_COLOR="0;31"

CPE_NAME="cpe:/o:centos:centos:7"

HOME_URL="https://www.centos.org/"

BUG_REPORT_URL="https://bugs.centos.org/"

 

CENTOS_MANTISBT_PROJECT="CentOS-7"

CENTOS_MANTISBT_PROJECT_VERSION="7"

REDHAT_SUPPORT_PRODUCT="centos"

REDHAT_SUPPORT_PRODUCT_VERSION="7"

 

CentOS Linux release 7.7.1908 (Core)

CentOS Linux release 7.7.1908 (Core)

 

KeyCloak –

 

Server Version

10.0.1

 

Thanks a lot for your help Artur. Please let me know if you need anything else.

 

From: Artur Socha <asocha@redhat.com>
Sent: 19 June 2020 12:39
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Cc: Stephen Hutchinson <Stephen.Hutchinson@voxtelecom.co.za>
Subject: Re: [ovirt-users] KeyCloak Integration

 

On Fri, 2020-06-19 at 10:21 +0000, Anton Louw wrote:

 

Yes I didn’t get to the OVN part yet, as I first wanted to test the if the token can be obtained.

 

This is the first time we are testing KeyCloak in any environment, so we have never been able to obtain a token for API access.

 

Please post the exact versions of:

- ovirt-engine* :   

yum list --installed | grep ovirt-engine 

yum list --intalled | grep ovirt-engine-extension-aaa-misc

yum list --installed | grep mod_auth_openidc

- keycloak

- OS

cat /etc/*elease    

 

I'll submit a bug ... which, most likely, I will assign to myself anyway :)

 

Artur

 

 

Anton Louw

Cloud Engineer: Storage and Virtualization at Vox


T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

 

F

 

T

 

I

 

L

 

Y

 

 

Thanks

 

From: Artur Socha <asocha@redhat.com>
Sent: 19 June 2020 12:16
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Cc: Stephen Hutchinson <Stephen.Hutchinson@voxtelecom.co.za>
Subject: Re: [ovirt-users] KeyCloak Integration

 

On Fri, 2020-06-19 at 10:03 +0000, Anton Louw wrote:

 

Hi Artur,

 

Sure, please see below output:

 

[root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'

* About to connect() to virt.example.co.za port 443 (#0)

*   Trying 127.0.0.1...

* Connected to virt.example.co.za (127.0.0.1) port 443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

  CApath: none

* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

* Server certificate:

*       subject: CN=*.example.co.za,OU=Domain Control Validated

*       start date: Sep 25 07:46:12 2019 GMT

*       expire date: Oct 02 07:39:01 2020 GMT

*       common name: *example.co.za

*       issuer: CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US

> GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1

> User-Agent: curl/7.29.0

> Host: virt.example.co.za

> Accept:application/json

< HTTP/1.1 400 Bad Request

< Date: Fri, 19 Jun 2020 09:52:11 GMT

< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips

< Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 07-Jul-2088 13:06:18 GMT

< X-XSS-PROTECTION: 1; MODE=BLOCK

< X-CONTENT-TYPE-OPTIONS: NOSNIFF

< X-FRAME-OPTIONS: SAMEORIGIN

< Content-Type: application/json

< Content-Length: 233

< Connection: close

* Closing connection 0

{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}

 

1) Test connection using python script (from the blog post ) using sdk. I suspect it will not work either.

Testing from Python gives me the same error as well.

 

2) I saw some errors in the log on revoking token. Please go to keycloak admin panel, and under users kill all its active sessions. Then, please without logging in to engine admin UI, use that curl to obtain token.

Tested this again, but still getting the below:

{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}

 

Thanks for these test ... unfortunately nothing helped

 

 

3) Does it work without OVN integration enabled?

Can you explain a bit more? How can I disable OVN integration to test this?

 

I had in mind reverting OVN vs Keycloak integration done according to "Configuring OVN" chapter in https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

Unless, of course, you skipped it.

 

Most likely you found a bug. Have you ever been able to obtain token for api access with keycloak integration (even with you previous environments)? 

I am now trying to understand what happened and how to reproduce it before submitting the bug into http://bugzilla.redhat.com

 

 

Anton Louw

Cloud Engineer: Storage and Virtualization at Vox


T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

 

F

 

T

 

I

 

L

 

Y

 

 

 

Thanks

 

 

Anton Louw

Cloud Engineer: Storage and Virtualization at Vox


T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

 

F

 

T

 

I

 

L

 

Y

 

 

From: Artur Socha <asocha@redhat.com>
Sent: 19 June 2020 11:40
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Cc: Stephen Hutchinson <Stephen.Hutchinson@voxtelecom.co.za>
Subject: Re: [ovirt-users] KeyCloak Integration

 

On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote:

 

Hi Artur,

 

Thank you for the quick response.

 

I have actually tried creating another user, but I still get the same error. I have attached the output of curl -vvv as well as the logs the engine and keycloak logs.

 

This `curl -vvv ...` is actually is incorrect because it is missing -H before 'Accept' header. However, previous attempts that led to this error seemed to be fine. Could you just re-send output of the correct curl?

 

There are few things we can test to try to narrow down the root cause:

 

1) Test connection using python script (from the blog post ) using sdk. I suspect it will not work either.

 

2) I saw some errors in the log on revoking token. Please go to keycloak admin panel, and under users kill all its active sessions. Then, please without logging in to engine admin UI, use that curl to obtain token.

 

3) Does it work without OVN integration enabled?

 

Artur

 

 

 

Thank you

 

 

Anton Louw

Cloud Engineer: Storage and Virtualization at Vox


T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

 

F

 

T

 

I

 

L

 

Y

 

 

From: Artur Socha <asocha@redhat.com>
Sent: 19 June 2020 10:23
To: Anton Louw <
Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Subject: Re: [ovirt-users] KeyCloak Integration

 

O

n Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote:

 

Hi Everybody,

 

Hi Anton,

 

So I have implemented KeyCloak into our oVirt environment, which works, up until a point. So WebUI access works, but when calling the API, using:

curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'

 

I get the below error:

 

{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}

 

If my configs are removed, and I use “admin@internal” for my username, then it works.

 

I followed the below article step by step, and I double checked that all the scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)

 

https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

 

Anybody have any ideas?

 

It is my blind shot but could create & check another user?

 

One more thing to check please use curl -vvv to check if there are any redirects along the way.

I will check keycloak settings on my setup - perhaps there is something non-obvious that could have been missed.

 

Any chance to get a bit more logs from engine.log and even from keycloak? Perhaps there is something there that could help.

 

Artur

 

 

Thank you

 

Anton Louw

Cloud Engineer: Storage and Virtualization at Vox


T:  087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

 

F

 

T

 

I

 

L

 

Y

 

 

#VoxBrand


Disclaimer

The contents of this email are confidential to the sender and the intended recipient. Unless the contents are clearly and entirely of a personal nature, they are subject to copyright in favour of the holding company of the Vox group of companies. Any recipient who receives this email in error should immediately report the error to the sender and permanently delete this email from all storage devices.

This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more
Click Here.

 

_______________________________________________
Users mailing list -- 

users@ovirt.org

 

 

 

 

 

 
To unsubscribe send an email to 

users-leave@ovirt.org

 

 

 

 

 

 
Privacy Statement: 

https://www.ovirt.org/privacy-policy.html

 

 

 

 

 

 
oVirt Code of Conduct: 

https://www.ovirt.org/community/about/community-guidelines/

 

 

 

 

 

 
List Archives: 

https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/