On Fri, 2020-06-19 at 10:21 +0000, Anton Louw wrote: > > > > Yes I didn’t get to the OVN part yet, as I first wanted to test the if the > token can be obtained. > > > > This is the first time we are testing KeyCloak in any environment, so we have > never been able to obtain a token for API access. > > Please post the exact versions of: - ovirt-engine* : yum list --installed | grep ovirt-engine yum list --intalled | grep ovirt-engine-extension-aaa-misc
yum list --installed | grep mod_auth_openidc - keycloak - OS cat /etc/*elease I'll submit a bug ... which, most likely, I will assign to myself anyway :) Artur > Thanks > > > > From: Artur Socha <aso...@redhat.com> > > > Sent: 19 June 2020 12:16 > > To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org > > Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za> > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > On Fri, 2020-06-19 at 10:03 +0000, Anton Louw wrote: > > > > > Hi Artur, > > > > Sure, please see below output: > > > > [root@virt ~]# curl -vvv -H "Accept:application/json" ' > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api' > > * About to connect() to > > virt.example.co.za port 443 (#0) > > * Trying > > 127.0.0.1... > > * Connected to > > virt.example.co.za (127.0.0.1) port 443 (#0) > > * Initializing NSS with certpath: sql:/etc/pki/nssdb > > * CAfile: /etc/pki/tls/certs/ca-bundle.crt > > CApath: none > > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > > * Server certificate: > > * subject: CN=*.example.co.za,OU=Domain Control Validated > > * start date: Sep 25 07:46:12 2019 GMT > > * expire date: Oct 02 07:39:01 2020 GMT > > * common name: *example.co.za > > * issuer: CN=Starfield Secure Certificate Authority - G2,OU= > > http://certs.starfieldtech.com/repository/,O="Starfield Technologies, > > Inc.",L=Scottsdale,ST=Arizona,C=US > > > GET /ovirt- > > engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&s > > cope=ovirt-app-api HTTP/1.1 > > > User-Agent: curl/7.29.0 > > > Host: > > virt.example.co.za > > > Accept:application/json > > > > > < HTTP/1.1 400 Bad Request > > < Date: Fri, 19 Jun 2020 09:52:11 GMT > > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips > > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; > > Expires=Wed, 07-Jul-2088 13:06:18 GMT > > < X-XSS-PROTECTION: 1; MODE=BLOCK > > < X-CONTENT-TYPE-OPTIONS: NOSNIFF > > < X-FRAME-OPTIONS: SAMEORIGIN > > < Content-Type: application/json > > < Content-Length: 233 > > < Connection: close > > < > > * Closing connection 0 > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token- > > info:public-authz-search ovirt-ext=token-info:validate ovirt- > > ext=token:password-access."} > > > > 1) Test connection using python script (from the blog post ) using sdk. I > > suspect it will not work either. > > Testing from Python gives me the same error as well. > > > > 2) I saw some errors in the log on revoking token. Please go to keycloak > > admin panel, and under users kill all its active sessions. Then, please > > without logging in to engine admin UI, use that curl > > to obtain token. > > Tested this again, but still getting the below: > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token- > > info:public-authz-search ovirt-ext=token-info:validate > > ovirt-ext=token:password-access."} > > > > Thanks for these test ... unfortunately nothing helped > > > > > > > > > 3) Does it work without OVN integration enabled? > > Can you explain a bit more? How can I disable OVN integration to test this? > > > > > I had in mind reverting OVN vs Keycloak integration done according to > "Configuring OVN" chapter in > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/ > > > > Unless, of course, you skipped it. > > > > > > > Most likely you found a bug. Have you ever been able to obtain token for api > access with keycloak integration (even with you previous environments)? > > > I am now trying to understand what happened and how to reproduce it before > submitting the bug into > > http://bugzilla.redhat.com > > > > > > > > > Anton Louw > > > Cloud Engineer: Storage and Virtualization at Vox > > > > > > > T: 087 805 0000 | D: 087 805 1572 > M: N/A > > E: anton.l...@voxtelecom.co.za > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > T: > > 087 805 0000 | > > D: 087 805 1572 > > > > M: N/A > > > > E: > > anton.l...@voxtelecom.co.za > > > > A: Rutherford Estate, > > 1 Scott Street, Waverley, Johannesburg > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Artur Socha <aso...@redhat.com> > > > > > > Sent: 19 June 2020 11:40 > > > > To: Anton Louw <anton.l...@voxtelecom.co.za>; > > users@ovirt.org > > > > Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za> > > > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > > > > > > On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote: > > > > > > > > Hi Artur, > > > > > > Thank you for the quick response. > > > > > > I have actually tried creating another user, but I still get the same > > > error. I have attached the output of curl -vvv as well as the logs the > > > engine and keycloak logs. > > > > > > > > > > This `curl -vvv ...` is actually is incorrect because it is missing -H > > before 'Accept' header. However, previous attempts that led to this error > > seemed to be fine. Could you just re-send output of > > the correct curl? > > > > > > > > > > > > There are few things we can test to try to narrow down the root cause: > > > > > > > > > > > > 1) Test connection using python script (from the blog post ) using sdk. I > > suspect it will not work either. > > > > > > > > > > > > 2) I saw some errors in the log on revoking token. Please go to keycloak > > admin panel, and under users kill all its active sessions. Then, please > > without logging in to engine admin UI, use that curl > > to obtain token. > > > > > > > > > > > > 3) Does it work without OVN integration enabled? > > > > > > > > > > > > Artur > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > T: > > > 087 805 0000 | > > > D: 087 805 1572 > > > > > > M: N/A > > > > > > E: > > > anton.l...@voxtelecom.co.za > > > > > > A: Rutherford Estate, > > > 1 Scott Street, Waverley, Johannesburg > > > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Artur Socha <aso...@redhat.com> > > > > > > > > > Sent: 19 June 2020 10:23 > > > > > > To: Anton Louw <anton.l...@voxtelecom.co.za>; > > > users@ovirt.org > > > > > > Subject: Re: [ovirt-users] KeyCloak Integration > > > > > > > > > > > > > > > O > > > > > > > > > n Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote: > > > > > > > > > > > Hi Everybody, > > > > > > > > > > > > > > > Hi Anton, > > > > > > > > > > > So I have implemented KeyCloak into our oVirt environment, which works, > > > > up until a point. So WebUI access works, but when calling the API, > > > > using: > > > > > > > > curl -k -H "Accept: application/json" ' > > > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api' > > > > > > > > I get the below error: > > > > > > > > {"error_description":"Cannot authenticate user Invalid scopes: ovirt- > > > > app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search > > > > ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate > > > > ovirt-ext=token:password-access.","error":"access_denied"} > > > > > > > > If my configs are removed, and I use “admin@internal” for my username, > > > > then it works. > > > > > > > > I followed the below article step by step, and I double checked that all > > > > the scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin) > > > > > > > > > > > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/ > > > > > > > > Anybody have any ideas? > > > > > > > > > > > > > > > It is my blind shot but could create & check another user? > > > > > > > > > > > > > > > > > > One more thing to check please use curl -vvv to check if there are any > > > redirects along the way. > > > > > > > > > > > > I will check keycloak settings on my setup - perhaps there is something > > > non-obvious that could have been missed. > > > > > > > > > > > > > > > > > > Any chance to get a bit more logs from engine.log and even from keycloak? > > > Perhaps there is something there that could help. > > > > > > > > > > > > > > > > > > Artur > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > > > > > > > > > > > Anton Louw > > > > > > > > > > > > > > > > > > > > Cloud Engineer: Storage and Virtualization > > > > at Vox > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > T: > > > > 087 805 0000 | > > > > D: 087 805 1572 > > > > > > > > M: N/A > > > > > > > > E: > > > > anton.l...@voxtelecom.co.za > > > > > > > > A: Rutherford Estate, > > > > 1 Scott Street, Waverley, Johannesburg > > > > > > > > www.vox.co.za > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Disclaimer > > > > The contents of this email are confidential to the sender and the > > > > intended recipient. Unless the contents are clearly and entirely of a > > > > personal nature, they are subject to copyright > > > > in favour of the holding company of the Vox group of companies. Any > > > > recipient who receives this email in error should immediately report the > > > > error to the sender and permanently delete this email from all storage > > > > devices. > > > > > > > > > > > > > > > > This email has been scanned for viruses and malware, and may have been > > > > automatically archived by > > > > Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. > > > > Providing a > > > > safer and more useful place for your human generated data. Specializing > > > > in; Security, archiving and compliance. To find out more > > > > Click Here. > > > > > > > > _______________________________________________ > > > > Users mailing list -- > > > > > > > > users@ovirt.org > > > > > > > > > > > > > > > > > > > > To unsubscribe send an email to > > > > > > > > users-le...@ovirt.org > > > > > > > > > > > > > > > > > > > > Privacy Statement: > > > > > > > > https://www.ovirt.org/privacy-policy.html > > > > > > > > > > > > > > > > > > > > oVirt Code of Conduct: > > > > > > > > https://www.ovirt.org/community/about/community-guidelines/ > > > > > > > > > > > > > > > > > > > > List Archives: > > > > > > > > https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/UQX5FDI7KNKX7ZP62RWGVLRM5DKDFOQH/