*oVirt Keycloak internal SSO revert procedure:* *First of all this is rather a Dev approach and in a real Production environment regular 'restore from previous backup and run setup' approach should be used. * *I have tested this only on my very simplified dev environment. * *Please make sure to backup any existing setup before proceding* On the engine host: *1. Disable external SSO in oVirt Engine* *edit:* /etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf end update the following properties: KEYCLOAK_BUNDLED=false ENGINE_SSO_ENABLE_EXTERNAL_SSO=false *2. Disable HTTPD openidc configuration* remove/rename /etc/httpd/conf.d/internalsso-openidc.conf ie. mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled *3. Update oVirt OVN provider (if configured)* edit /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf and remove or comment out the following property: ovirt-admin-user-name=admin@ovirt@internalsso *4 Run setup to update all answers and postinstall configurations:* $ engine-setup –offline --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False" *5. Update Grafana OAuth configuration (if configured on the same host as the engine)* *NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.* Update highlighted sections /etc/grafana/grafana.ini Locate [auth.generic_oauth] section [auth.generic_oauth] name = oVirt Engine Auth enabled = true allow_sign_up = false client_id = ovirt-grafana client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs """ scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority role_attribute_path = email_attribute_name = email auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize token_url = https://ENGINE/ovirt-engine/sso/openid/token api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo team_ids = allowed_organizations = tls_skip_verify_insecure = false tls_client_cert = tls_client_key = tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem send_client_credentials_via_post = false I was unable to retrieve the originally created client_secret for grafana client id (ovirt-grafana). But it is possible to create a new one. Just make sure to backup that secret for future upgrades. $ ovirt-register-sso-client-tool --callback-prefix-url=' https://ENGINE_FQDN/ovirt-engine-grafana/’ '--client-ca-location={ca_pem} ' #ie. /etc/pki/ovirt-engine/ca.pem '--client-id=ovirt-grafana2 ' # or anything else other than ‘ovirt-grafana’ '--encrypted-userinfo=false ' '--conf-file-name={tmp_conf}' # ie. /tmp/99-client-register.conf This command will create and register a new client that can be used for grafana oauth setup. The necessary configuration details will be store in filesystem under location defined by '--conf-file-name={tmp_conf}' *6. Restart services* - ovirt-engine - httpd - ovirt-provider-ovn (if configured) - grafana-server (if configured on the same host as oVirt Engine) *7. Login to oVirt Admin Panel using legacy AAA credentials (username: admin, profile: internal, provided password) * *and update oVirt OVN provider credentials so that username is 'ovirt@internal'* From side panel choose: Administration -> Providers -> ovirt-provider-ovn Click Edit for ovirt-provider-ovn and update the ‘Username’ field to contain ‘admin@internal’. If you run engine-setup with the defaults, the password is the same. Next, scroll down, click ‘Test’ and make sure it is successful before submitting the change. Up to my best knowledge these steps should be sufficient to fully revert to legacy AAA on the existing Keycloak enabled environment. Fingers crossed! Artur On Thu, Jul 28, 2022 at 8:46 AM Artur Socha <asocha@redhat.com> wrote:

Hi, I will document the required steps to revert from Keycloak. I only need some time to test the procedure. Definitely, it is possible.

Stay tuned, I will post it first here (today)

Artur

On Thu, Jul 28, 2022 at 8:30 AM <markeczzz@gmail.com> wrote:

...

Ah, I see.. Then, is there any good guide or documentation how to revert from Keycloak to AAA? All I could find is how to move from AAA to Keycloak, but not reverse. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6HNKNAXW2ACO5V...

-- Artur Socha Senior Software Engineer, RHV Red Hat

-- Artur Socha Senior Software Engineer, RHV Red Hat

Cool! I'm glad this worked for you. I tested it on a non-HE environment so I forgot to mention a maintenance mode requirement. cheer, Artur On Fri, Jul 29, 2022 at 11:15 AM <markeczzz@gmail.com> wrote:

Thanks!

i did try it, and now everything works! If anyone else is gonna do this, before doing steps above, you have to enable Global Maintenance mode (Compute -> Hosts -> ... -> Enable Global HA Maintenance ) or else you will get errors during engine-setup . Also, during engine-setup, even if you will be asked to provide new admin password, that password will not work if you changed it before via ovirt-aaa-jdbc-tool tool. Use password that you configured with that tool.

Regards, _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/EAQBIPA3YS54C6...

-- Artur Socha Senior Software Engineer, RHV Red Hat