If Keycloak/external auth is enabled, we disable admin@internal and all internal profiles on the engine side.

I tested VM Portal and it seemed to work fine when external auth was enabled.

On Thu, Nov 8, 2018 at 11:49 AM Michal Skrivanek <[email protected]> wrote:

> On 8 Nov 2018, at 16:53, Greg Sheremeta <[email protected]> wrote:
>
> > On Thu, Nov 8, 2018 at 9:25 AM Ravi Shankar Nori <[email protected]> wrote:
> >
> > > Hi All,
> > >
> > > Please find the design document [1] for integrating ovirt-engine with
> > > Keycloak using mod_auth_openidc. The engine can be configured to use an
> > > external IDP to handle user authentication while still supporting REST API
> > > bearer authentication.
> > >
> > > There are some changes to how clients will obtain tokens to use for
> > > bearer authentication. All clients need to request tokens from the external
> > > IDP and use them to access the engine. When external authentication is
> > > enabled, admin@internal and all internal profiles for authentication are
> > > disabled. Please see the design document for more details.
> > >
> > > Thanks
> > >
> > > Ravi
> > >
> > > [1] https://docs.google.com/document/d/1Wio7bQNeNinx7Luj5t-KpsSYQ2Z1Y0I8UhUyJAZOjxE/edit?usp=sharing
> > >
> > > Integration issues that need attention
> > >
> > > 1. The ovirt-engine Python, Java and Ruby SDKs need to be modified to
> > >    obtain a token from either engine SSO or the external OpenID Connect IDP.
> > > 2. OVN, if it is not using the SDK, needs to be modified to obtain a token
> > >    from either engine SSO or the external OpenID Connect IDP.
> > > 3. OVN changes are needed to configure the user admin@internal.
> > >    admin@internal access will be disabled if external integration is
> > >    enabled, so OVN needs to be configurable to use another user for REST
> > >    API access.
> > > 4. Ansible is using the SDK; if the SDK is fixed to use a file, the file
> > >    needs to be passed from Ansible to the SDK.
> > > 5. CloudForms and Satellite are using the Ruby SDK; we need to file a bug
> > >    to fix the issue. The file with the details of the external IDP URL,
> > >    client-id and client-secret needs to be passed to the SDK.
> > > 6. REST API SDK V3 is not going to work with password and negotiate
> > >    authentication.
> > > 7. VM Single Sign-on will not work as we don't have a password.
> >
> > We are currently (re)implementing VM SSO in VM Portal. Will our
> > implementation break?
> > cc'ing Michal and Bohdan.
>
> It's already broken since 3.6; external auths don't work with SPICE SSO.
> I suppose it doesn't change anything for the internal authentication where
> we still have the pwd and use it, right, Ravi?
>
> > > 8. VM Console needs to work; if VM Console is using token and bearer
> > >    authentication everything should work.
> >
> > Let's be sure to consider and test VM Portal too.
> >
> > > _______________________________________________
> > > Devel mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > > List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/4UJ3DDT2BGIXJDHLTFS66A3X4VXEGE6U/
> >
> > --
> > GREG SHEREMETA
> > SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
> > Red Hat NA <https://www.redhat.com/>
> > [email protected] IRC: gshereme
_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/YE6PBJJPSNMZIEY5NYRYVOJAHCDDKJWL/
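The token flow the thread describes (an SDK client reads the external IDP URL, client-id and client-secret from a file, requests a token from the OpenID Connect IDP instead of engine SSO, and presents it as a bearer token to the REST API), written out as an added example. This is not code from the thread, from ovirt-engine or from any of the oVirt SDKs. Everything specific here is an assumption made for illustration: the key=value config file format, the Keycloak-style token URL, the use of the client_credentials grant, and the constructed fake_idp reply that stands in for the IDP so the script runs offline. The only real APIs used are Python's standard-library urllib, os, stat, json and tempfile. Two points a practitioner would want beyond the thread: the file now carries a client secret, so the loader refuses it unless it is owner-only (0600), and the token is cached and refreshed ahead of expires_in rather than fetched on every call.

```python
"""Added example (not oVirt's own code): obtain a bearer token from an external
OpenID Connect IDP using a file that holds the IDP token URL, client-id and
client-secret, then use it for REST API calls. The POST is injectable so the
flow can run offline against a constructed fake IDP."""
import json
import os
import stat
import tempfile
import time
import urllib.parse
import urllib.request

def load_idp_config(path):
    """Parse hypothetical key=value lines; refuse a file other users can read."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible but holds a client secret")
    cfg = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                cfg[key.strip()] = value.strip()
    missing = [k for k in ("token_url", "client_id", "client_secret") if k not in cfg]
    if missing:
        raise ValueError(f"{path} lacks {missing}")
    return cfg

def urllib_post(url, form, headers):
    """Real transport: form-encoded POST returning (status, body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()

class TokenSource:
    """Client-credentials grant at the IDP token endpoint, cached and refreshed
    `margin` seconds before the IDP's expires_in runs out."""

    def __init__(self, cfg, post=urllib_post, clock=time.time, margin=30):
        self._cfg, self._post, self._clock, self._margin = cfg, post, clock, margin
        self._token, self._expires_at = None, 0.0
        self.requests = 0  # round trips actually made to the IDP

    def token(self):
        if self._token and self._clock() < self._expires_at - self._margin:
            return self._token
        form = {"grant_type": "client_credentials",
                "client_id": self._cfg["client_id"],
                "client_secret": self._cfg["client_secret"]}
        self.requests += 1
        status, body = self._post(self._cfg["token_url"], form, {"Accept": "application/json"})
        if status != 200:  # keep `form` out of the error: it carries the secret
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        payload = json.loads(body)
        if payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError("IDP did not issue a bearer token")
        self._token = payload["access_token"]
        self._expires_at = self._clock() + int(payload.get("expires_in", 0))
        return self._token

def bearer_headers(source):
    """Headers for a REST API call: the IDP token replaces the old password."""
    return {"Authorization": f"Bearer {source.token()}", "Accept": "application/json"}

def fake_idp(url, form, headers):
    """Constructed IDP reply standing in for Keycloak (offline demo only)."""
    if form.get("grant_type") != "client_credentials" or form.get("client_secret") != "s3cret":
        return 401, json.dumps({"error": "invalid_client"})
    return 200, json.dumps({"access_token": "tok-" + form["client_id"],
                            "token_type": "Bearer", "expires_in": 60})

def demo():
    """Write an owner-only config file, fetch a token, show caching and refresh."""
    now = [1000.0]  # controllable clock
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "idp.conf")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # 0600 from the start
        with os.fdopen(fd, "w") as fh:
            fh.write("token_url=https://idp.example/realms/ovirt/protocol/openid-connect/token\n"
                     "client_id=ovirt-engine\nclient_secret=s3cret\n")
        src = TokenSource(load_idp_config(path), post=fake_idp, clock=lambda: now[0])
        first = bearer_headers(src)["Authorization"]
        second = bearer_headers(src)["Authorization"]  # served from cache
        now[0] += 45  # 1045 is past 1060 - 30, so the next call refreshes
        third = bearer_headers(src)["Authorization"]
        os.chmod(path, 0o644)  # simulate a careless deployment
        try:
            load_idp_config(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"first": first, "second": second, "third": third,
            "requests": src.requests, "rejected_world_readable": rejected}

if __name__ == "__main__":
    print(demo())
```

Swapping fake_idp for the default urllib_post and pointing token_url at a real Keycloak realm's token endpoint is all that changes for live use; the caching, the refresh margin and the permission check stay the same. The grant type is the example's choice: a service account such as the one OVN would use fits client_credentials, while an interactive client would use a different grant, and the thread does not say which the SDKs will adopt.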
