On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <[email protected]> wrote:
> Hi All,
>
> Please find design document [1] for integrating ovirt-engine with Keycloak
> using mod_auth_openidc. Engine can be configured to use external IDP to
> handle user authentication while still supporting Rest API bearer
> authentication.
>
> There are some changes to how clients will obtain tokens to use for bearer
> authentication. All clients need to request tokens from the external IDP
> and use it to access engine. When external authentication is enabled
> admin@internal and all internal profiles for authentication are disabled.
> Please see the design document for more details.
>
> Thanks
>
> Ravi
>
> [1]
> https://docs.google.com/document/d/1Wio7bQNeNinx7Luj5t-KpsSYQ2Z1Y0I8UhUyJAZOjxE/edit?usp=sharing
>
> Integration Issues that need attention
>
> 1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain
> token from either engine SSO or external OpenID Connect IDP.
> 2. OVN if we are not using SDK needs to be modified to obtain token from
> either engine SSO or external OpenID Connect IDP.
> 3. OVN changes needed to config user admin@internal. admin@internal
> access will be disabled if external integration is enabled. So OVN needs to
> be configurable to use another user for REST API access.
> 4. Ansible is using SDK, if SDK is fixed to use a file the file needs to
> be passed from ansible to SDK.
> 5. Cloudforms and Satellite are using Ruby SDK, we need to file a bug to
> fix the issue. The file with the details of external IDP URL and client-id
> and client-secret needs to be passed to SDK.
> 6. REST API SDK V3 is not going to work with password and negotiate
> authentication
> 7. VM Single Sign-on will not work as we don’t have a password.
>

We are currently (re)implementing VM SSO in VM Portal. Will our implementation break? cc'ing Michal and Bohdan.

> 8. VM Console needs to work, if VM console is using token and bearer
> authentication everything should work
>

Let's be sure to consider and test VM Portal too.
> _______________________________________________
> Devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/[email protected]/message/4UJ3DDT2BGIXJDHLTFS66A3X4VXEGE6U/
>

--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA <https://www.redhat.com/>
[email protected]
IRC: gshereme
<https://red.ht/sig>
_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/ICGUGF4RDE2I6VPLCUC6SU5TANJ7VP4I/
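
An added example, not part of this thread and not code from any oVirt SDK: the client flow the quoted proposal describes, in which a client reads the IDP details from a file (item 5), requests a token from the external IDP, and presents it to the engine as a bearer token. The file layout, the client-credentials grant, the `example.test` host names and all function names are assumptions; the thread does not specify them.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample of the IDP details file; every value is a placeholder.
SAMPLE_IDP_FILE = """{"token_url": "https://idp.example.test/token",
 "client_id": "example-client", "client_secret": "example-secret"}"""

def load_idp_config(text):
    """Parse the (assumed JSON) IDP file and reject incomplete or non-TLS settings."""
    cfg = json.loads(text)
    missing = {"token_url", "client_id", "client_secret"} - set(cfg)
    if missing:
        raise ValueError("IDP file is missing: " + ", ".join(sorted(missing)))
    if not cfg["token_url"].startswith("https://"):
        raise ValueError("token_url must be https: the client secret is sent to it")
    return cfg

def build_token_request(cfg):
    """Build the POST to the IDP token endpoint (assumed grant: client credentials)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }).encode()
    return urllib.request.Request(
        cfg["token_url"], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Return (access_token, absolute expiry time) from the IDP's JSON reply."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("IDP did not return a bearer access token")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc.get("expires_in", 0))

def bearer_request(url, token, expires_at, now=None):
    """Build an engine REST API request, refusing to send an expired token."""
    now = time.time() if now is None else now
    if now >= expires_at:
        raise ValueError("token expired: request a new one from the IDP")
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token,
                      "Accept": "application/json"})
```

Passing each returned `Request` to `urllib.request.urlopen` performs the two calls; they are kept separate here so the flow can be exercised without a live IDP or engine.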
