> On 8 Nov 2018, at 16:53, Greg Sheremeta <[email protected]> wrote:
>
> On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <[email protected]> wrote:
> > Hi All,
> >
> > Please find the design document [1] for integrating ovirt-engine with Keycloak
> > using mod_auth_openidc. Engine can be configured to use an external IDP to
> > handle user authentication while still supporting REST API bearer
> > authentication.
> >
> > There are some changes to how clients will obtain tokens to use for bearer
> > authentication. All clients need to request tokens from the external IDP and
> > use them to access engine. When external authentication is enabled,
> > admin@internal and all internal profiles for authentication are disabled.
> > Please see the design document for more details.
> >
> > Thanks
> >
> > Ravi
> >
> > [1] https://docs.google.com/document/d/1Wio7bQNeNinx7Luj5t-KpsSYQ2Z1Y0I8UhUyJAZOjxE/edit?usp=sharing
> >
> > Integration issues that need attention
> >
> > 1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain a
> >    token from either engine SSO or the external OpenID Connect IDP.
> > 2. OVN, if we are not using the SDK, needs to be modified to obtain a token from
> >    either engine SSO or the external OpenID Connect IDP.
> > 3. OVN changes are needed to configure the user admin@internal. admin@internal access
> >    will be disabled if external integration is enabled, so OVN needs to be
> >    configurable to use another user for REST API access.
> > 4. Ansible is using the SDK; if the SDK is fixed to use a file, the file needs to
> >    be passed from Ansible to the SDK.
> > 5. Cloudforms and Satellite are using the Ruby SDK; we need to file a bug to fix
> >    the issue. The file with the details of the external IDP URL, client-id and
> >    client-secret needs to be passed to the SDK.
> > 6. REST API SDK V3 is not going to work with password and negotiate
> >    authentication.
> > 7. VM Single Sign-on will not work as we don't have a password.
>
> We are currently (re)implementing VM SSO in VM Portal. Will our
> implementation break?
> cc'ing Michal and Bohdan.
It's already broken since 3.6; external auths don't work with SPICE SSO. I suppose it doesn't change anything for the internal authentication, where we still have the pwd and use it, right, Ravi?

> > 8. VM Console needs to work; if VM console is using token and bearer
> >    authentication, everything should work.
>
> Let's be sure to consider and test VM Portal too.
>
> _______________________________________________
> Devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/4UJ3DDT2BGIXJDHLTFS66A3X4VXEGE6U/
>
> --
> GREG SHEREMETA
> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
> Red Hat NA
> [email protected] IRC: gshereme
_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/5N5IRPDPF24SOCO7MT6O7BIVHKKORQCM/
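Item 5 of the quoted list describes the client side of the new flow: a file with the external IDP URL, client-id and client-secret is handed to the SDK, which obtains a token from the IDP and uses it for bearer authentication against the engine. As an added illustration (not the thread's code and not the oVirt SDKs' code), this Python sketch implements that flow with a permission check on the secret file; the file format, the config key names (`idp_token_url`, `client_id`, `client_secret`) and the OAuth2 `client_credentials` grant are assumptions, since the thread fixes none of them.

```python
# Added example, not oVirt project or SDK code. Assumptions: the IDP details
# file holds 'key=value' lines (idp_token_url, client_id, client_secret) and
# the IDP accepts the OAuth2 client_credentials grant.
import json, os, stat, time, urllib.parse, urllib.request

def load_idp_config(path):
    """Parse the IDP details file; refuse one other users can read, since it
    holds the client secret."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be group/world accessible")
    cfg = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                cfg[key.strip()] = value.strip()
    missing = [k for k in ("idp_token_url", "client_id", "client_secret") if not cfg.get(k)]
    if missing:
        raise ValueError(f"{path} is missing {', '.join(missing)}")
    return cfg

def build_token_request(cfg):
    """Form body and headers for the IDP token endpoint (client_credentials)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": cfg["client_id"],
                                   "client_secret": cfg["client_secret"]}).encode()
    return body, {"Content-Type": "application/x-www-form-urlencoded"}

def parse_token_response(raw, now=None):
    """Check the IDP reply is a bearer token; return (token, expiry epoch)."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("IDP did not return a bearer access token")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data.get("expires_in", 0))

def bearer_headers(token):
    # The header the engine REST API expects instead of a user/password pair.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def fetch_token(cfg):
    # Request a token from the external IDP named in the config file.
    body, headers = build_token_request(cfg)
    req = urllib.request.Request(cfg["idp_token_url"], data=body, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())

def engine_get(engine_url, token, path="/ovirt-engine/api"):
    # GET an engine API resource using the IDP token for bearer authentication.
    req = urllib.request.Request(engine_url.rstrip("/") + path, headers=bearer_headers(token))
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

A caller would chain these as `engine_get(engine_url, fetch_token(load_idp_config(path))[0])`, re-fetching once the returned expiry epoch has passed.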
