On Fri, 2020-06-19 at 10:03 +0000, Anton Louw wrote:
> Hi Artur,
> 
> Sure, please see below output:
> 
> [root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> * About to connect() to virt.example.co.za port 443 (#0)
> *   Trying 127.0.0.1...
> * Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> *       subject: CN=*.example.co.za,OU=Domain Control Validated
> *       start date: Sep 25 07:46:12 2019 GMT
> *       expire date: Oct 02 07:39:01 2020 GMT
> *       common name: *.example.co.za
> *       issuer: CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> > GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: virt.example.co.za
> > Accept:application/json
> > 
> < HTTP/1.1 400 Bad Request
> < Date: Fri, 19 Jun 2020 09:52:11 GMT
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 07-Jul-2088 13:06:18 GMT
> < X-XSS-PROTECTION: 1; MODE=BLOCK
> < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Content-Type: application/json
> < Content-Length: 233
> < Connection: close
> < 
> * Closing connection 0
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> 
> 1) Test connection using python script (from the blog post) using sdk. I suspect it will not work either.
> 
> Testing from Python gives me the same error as well.
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin panel, and under users kill all its active sessions. Then, please without logging in to engine admin UI, use that curl to obtain token.
> 
> Tested this again, but still getting the below:
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> 
Thanks for these tests ... unfortunately nothing helped.

> 3) Does it work without OVN integration enabled?
> 
> Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting the OVN vs Keycloak integration done according to the
"Configuring OVN" chapter in
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
Unless, of course, you skipped it.
Most likely you found a bug. Have you ever been able to obtain a token for api
access with keycloak integration (even with your previous environments)? I am now
trying to understand what happened and how to reproduce it before submitting the
bug into http://bugzilla.redhat.com
> 
> Thanks
> 
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T:  087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
> 
> From: Artur Socha <aso...@redhat.com>
> Sent: 19 June 2020 11:40
> To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za>
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote:
> > Hi Artur,
> > 
> > Thank you for the quick response.
> > 
> > I have actually tried creating another user, but I still get the same error. I have attached the output of curl -vvv as well as the engine and keycloak logs.
> 
> This `curl -vvv ...` is actually incorrect because it is missing -H before the 'Accept' header. However, previous attempts that led to this error seemed to be fine. Could you just re-send the output of the correct curl?
> 
> There are a few things we can test to try to narrow down the root cause:
> 
> 1) Test connection using python script (from the blog post) using sdk. I suspect it will not work either.
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin panel, and under users kill all its active sessions. Then, please without logging in to engine admin UI, use that curl to obtain token.
> 
> 3) Does it work without OVN integration enabled?
> 
> Artur
> 
> > Thank you
> > 
> > From: Artur Socha <aso...@redhat.com>
> > Sent: 19 June 2020 10:23
> > To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> > Subject: Re: [ovirt-users] KeyCloak Integration
> > 
> > On Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote:
> > > Hi Everybody,
> > 
> > Hi Anton,
> > 
> > > So I have implemented KeyCloak into our oVirt environment, which works, up until a point. So WebUI access works, but when calling the API, using:
> > > 
> > > curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> > > 
> > > I get the below error:
> > > 
> > > {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}
> > > 
> > > If my configs are removed, and I use “admin@internal” for my username, then it works.
> > > 
> > > I followed the below article step by step, and I double checked that all the scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin):
> > > 
> > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> > > 
> > > Anybody have any ideas?
> > 
> > It is my blind shot, but could you create & check another user?
> > 
> > One more thing to check: please use curl -vvv to check if there are any redirects along the way.
> > 
> > I will check keycloak settings on my setup - perhaps there is something non-obvious that could have been missed.
> > 
> > Any chance to get a bit more logs from engine.log and even from keycloak? Perhaps there is something there that could help.
> > 
> > Artur
> > 
> > > Thank you
> > > 
> > >  
> > > _______________________________________________
> > > Users mailing list -- 
> > > users@ovirt.org
> > >  
> > >  
> > >  
> > > To unsubscribe send an email to 
> > > users-le...@ovirt.org
> > >  
> > >  
> > >  
> > > Privacy Statement: 
> > > https://www.ovirt.org/privacy-policy.html
> > >  
> > >  
> > >  
> > > oVirt Code of Conduct: 
> > > https://www.ovirt.org/community/about/community-guidelines/
> > >  
> > >  
> > >  
> > > List Archives: 
> > > https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/
> > >  
> > >  
> > >  
> > 
> >  
> 
> 
> 
> 
> 
> 
> 
>     
> 
> 

Attachment: signature.asc
Description: This is a digitally signed message part
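The two token replies quoted in this thread and the curl that produced them, worked through as an added Python example (this is not code from the oVirt project, its SDK or the blog post cited above). It sends the password grant as a POST form body rather than in the GET query string, where the web server's access log would otherwise record the password; the assumption that the token endpoint accepts the same parameters as a form body is mine, as are the CA-file path and the shape of the success body beyond the standard `access_token` field. It also parses both error shapes seen above (the scope text sits under `error` in one reply and under `error_description` in the other) and lists which scopes named in the message are not among the two Anton says were added in Keycloak; that is the comparison the thread is doing by hand, not a claim about the root cause.

```python
"""Request an oVirt SSO token and explain an access_denied reply.

Added example for this thread; not code from the oVirt project, the SDK or
the blog post cited above. Assumptions are marked in the comments.
"""
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Endpoint path taken from the curl commands in the thread.
TOKEN_PATH = "/ovirt-engine/sso/oauth/token"

# Client scopes Anton says were added in Keycloak (from the thread).
CONFIGURED_SCOPES = {"ovirt-app-api", "ovirt-app-admin"}

# Constructed sample bodies, copied from the two replies shown in the thread.
# The same failure arrives with the text under "error" in one and under
# "error_description" in the other, so the parser must accept both shapes.
SAMPLE_ERROR_V1 = (
    '{"error_code":"access_denied","error":"Cannot authenticate user Invalid '
    'scopes: ovirt-app-api ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access."}'
)
SAMPLE_ERROR_V2 = (
    '{"error_description":"Cannot authenticate user Invalid scopes: '
    'ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access.","error":"access_denied"}'
)
# Constructed success body; only "access_token" (standard OAuth2) is relied on.
SAMPLE_SUCCESS = ('{"access_token":"constructed-token","scope":"ovirt-app-api",'
                  '"token_type":"bearer"}')

_SCOPES_RE = re.compile(r"Invalid scopes:\s*(.*?)\.?$")


def build_token_request(base_url, username, password, scope="ovirt-app-api"):
    """POST the password grant as a form body.

    The curl in the thread sends the password in the GET query string, which
    the web server writes to its access log. Assumption: the endpoint accepts
    the same parameters as a POST form body.
    """
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=form,
        method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def analyse_token_response(body):
    """Classify a token-endpoint JSON body.

    On failure, pull the scopes named after "Invalid scopes:" out of the
    message and list those not in CONFIGURED_SCOPES. That is only the
    comparison the thread makes by hand, not a statement of the root cause.
    """
    data = json.loads(body)
    if "access_token" in data:
        return {"ok": True, "access_token": data["access_token"],
                "scope": data.get("scope")}
    message = data.get("error_description") or data.get("error") or ""
    code = data.get("error_code") or data.get("error") or "unknown"
    result = {"ok": False, "error": code, "message": message,
              "scopes": [], "not_configured": []}
    match = _SCOPES_RE.search(message)
    if match:
        result["scopes"] = match.group(1).split()
        result["not_configured"] = [s for s in result["scopes"]
                                    if s not in CONFIGURED_SCOPES]
    return result


def fetch_token(base_url, username, password, scope="ovirt-app-api", ca_file=None):
    """Send the request and analyse whatever comes back.

    Certificate verification stays on, unlike the 'curl -k' in the thread;
    ca_file (assumed path) can point at the engine CA when it is not in the
    system trust store. A 400 access_denied still carries the JSON we want.
    """
    req = build_token_request(base_url, username, password, scope)
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8")
    return analyse_token_response(body)


if __name__ == "__main__":
    for sample in (SAMPLE_ERROR_V1, SAMPLE_ERROR_V2, SAMPLE_SUCCESS):
        print(json.dumps(analyse_token_response(sample), indent=2))
```

Run without arguments it classifies the two quoted error bodies and the constructed success body; `fetch_token()` does the same against a live engine, with certificate verification left on and the password kept out of the URL.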

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/UZKPAEDUPKOSG6F2K7BSLW6W3VIJKOJA/
