Hi Anton,Thanks for the specs. I have create BZ issue for tracking:
https://bugzilla.redhat.com/show_bug.cgi?id=1849569Feel free to add
comments/change it when needed.
Artur
On Fri, 2020-06-19 at 10:57 +0000, Anton Louw wrote:
>     
> 
>     
> Hi Artur,
>  
> Please see below:
>  
> ovirt-engine.noarch                     4.3.10.4-1.el7    @ovirt-4.3
> ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7       @ovirt-4.3
> mod_auth_openidc.x86_64                 1.8.8-5.el7       @base
>  
> [root@virt ~]# cat /etc/*elease
> CentOS Linux release 7.7.1908 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/";
> BUG_REPORT_URL="https://bugs.centos.org/";
>  
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>  
> CentOS Linux release 7.7.1908 (Core)
> CentOS Linux release 7.7.1908 (Core)
>  
> KeyCloak – 
>  
> 
> 
> 
> 
> 
> Server Version
> 
> 
> 
> 10.0.1
> 
> 
> 
> 
>  
> Thanks a lot for your help Artur. Please let me know if you need anything
> else.
>  
> 
> 
> From: Artur Socha <aso...@redhat.com>
> 
> 
> Sent: 19 June 2020 12:39
> 
> To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> 
> Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za>
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 10:21 +0000, Anton Louw wrote:
> 
> >  
> > Yes I didn’t get to the OVN part yet, as I first wanted to test the if the
> > token can be obtained.
> >  
> > This is the first time we are testing KeyCloak in any environment, so we
> > have never been able to obtain a token for API access.
> >  
> 
> 
> Please post the exact versions of:
> 
> 
> - ovirt-engine* :   
> 
> 
> yum list --installed | grep ovirt-engine 
> 
> 
> yum list --intalled | grep
> ovirt-engine-extension-aaa-misc
> 
> 
> yum list --installed | grep
> mod_auth_openidc
> 
> 
> - keycloak
> 
> 
> - OS
> 
> 
> cat /etc/*elease    
> 
> 
>  
> 
> 
> I'll submit a bug ... which, most likely, I will assign to myself anyway :)
> 
> 
>  
> 
> 
> Artur
> 
> 
>  
>     
> 
>   
>   
>   
>     Anton Louw
>      
>   
>     Cloud Engineer: Storage and Virtualization at Vox
> 
>   
>   
>     
>   
>   
>     T:  087 805 0000 | D: 087 805 1572
> M: N/A
> 
>     E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> 
>     www.vox.co.za
>   
>     
>     
> 
>     
>     
>       
>       
>       
>       
>       
>     
>     
>     
>   
> 
> 
> 
> 
> 
> 
> 
> 
> 
> > Thanks
> >  
> > 
> > 
> > From: Artur Socha <aso...@redhat.com>
> > 
> > 
> > Sent: 19 June 2020 12:16
> > 
> > To: Anton Louw <anton.l...@voxtelecom.co.za>;
> > users@ovirt.org
> > 
> > Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za>
> > 
> > Subject: Re: [ovirt-users] KeyCloak Integration
> > 
> > 
> >  
> > 
> > On Fri, 2020-06-19 at 10:03 +0000, Anton Louw wrote:
> > 
> > >  
> > > Hi Artur,
> > >  
> > > Sure, please see below output:
> > >  
> > > [root@virt ~]# curl -vvv -H "Accept:application/json" '
> > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> > > * About to connect() to 
> > > virt.example.co.za port 443 (#0)
> > > *   Trying 
> > > 127.0.0.1...
> > > * Connected to 
> > > virt.example.co.za (127.0.0.1) port 443 (#0)
> > > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> > >   CApath: none
> > > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > > * Server certificate:
> > > *       subject: CN=*.example.co.za,OU=Domain Control Validated
> > > *       start date: Sep 25 07:46:12 2019 GMT
> > > *       expire date: Oct 02 07:39:01 2020 GMT
> > > *       common name: *example.co.za
> > > *       issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> > > http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> > >  Inc.",L=Scottsdale,ST=Arizona,C=US
> > > > GET /ovirt-
> > > engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass
> > > &scope=ovirt-app-api HTTP/1.1
> > > > User-Agent: curl/7.29.0
> > > > Host: 
> > > virt.example.co.za
> > > > Accept:application/json
> > > > 
> > > < HTTP/1.1 400 Bad Request
> > > < Date: Fri, 19 Jun 2020 09:52:11 GMT
> > > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> > > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> > > Expires=Wed, 07-Jul-2088 13:06:18 GMT
> > > < X-XSS-PROTECTION: 1; MODE=BLOCK
> > > < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> > > < X-FRAME-OPTIONS: SAMEORIGIN
> > > < Content-Type: application/json
> > > < Content-Length: 233
> > > < Connection: close
> > > < 
> > > * Closing connection 0
> > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > > info:public-authz-search ovirt-ext=token-info:validate ovirt-
> > > ext=token:password-access."}
> > >  
> > > 1) Test connection using python script (from the blog post ) using sdk. I
> > > suspect it will not work either.
> > > Testing from Python gives me the same error as well.
> > >  
> > > 2) I saw some errors in the log on revoking token. Please go to keycloak
> > > admin panel, and under users kill all its active sessions. Then, please
> > > without logging in to engine admin UI, use that curl
> > >  to obtain token.
> > > Tested this again, but still getting the below:
> > > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > > info:public-authz-search ovirt-ext=token-info:validate
> > >  ovirt-ext=token:password-access."}
> > >  
> > 
> > Thanks for these test ... unfortunately nothing helped
> > 
> > 
> >  
> > 
> > 
> >  
> > 
> > > 3) Does it work without OVN integration enabled?
> > > Can you explain a bit more? How can I disable OVN integration to test
> > > this?
> > 
> >  
> > 
> > 
> > I had in mind reverting OVN vs Keycloak integration done according to
> > "Configuring OVN" chapter in
> > 
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> > 
> > 
> > 
> > Unless, of course, you skipped it.
> > 
> > 
> > 
> >  
> > 
> > 
> > Most likely you found a bug. Have you ever been able to obtain token for api
> > access with keycloak integration (even with you previous environments)? 
> > 
> > 
> > I am now trying to understand what happened and how to reproduce it before
> > submitting the bug into
> > 
> > http://bugzilla.redhat.com
> > 
> > 
> >  
> >  
> > 
> > 
> > 
> > 
> > Anton Louw
> > 
> > 
> > 
> > 
> > Cloud Engineer: Storage and Virtualization
> >  at Vox
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > T:
> >  087 805 0000 |
> > D: 087 805 1572
> > 
> > M: N/A
> > 
> > E:
> > anton.l...@voxtelecom.co.za
> > 
> > A: Rutherford Estate,
> >  1 Scott Street, Waverley, Johannesburg
> > 
> > www.vox.co.za
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > >  
> > > Thanks
> > >  
> > >  
> > > 
> > > 
> > > 
> > > 
> > > Anton Louw
> > > 
> > > 
> > > 
> > > 
> > > Cloud Engineer: Storage and Virtualization
> > >  at Vox
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > T:
> > >  087 805 0000 |
> > > D: 087 805 1572
> > > 
> > > M: N/A
> > > 
> > > E:
> > > anton.l...@voxtelecom.co.za
> > > 
> > > A: Rutherford Estate,
> > >  1 Scott Street, Waverley, Johannesburg
> > > 
> > > www.vox.co.za
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > From: Artur Socha <aso...@redhat.com>
> > > 
> > > 
> > > Sent: 19 June 2020 11:40
> > > 
> > > To: Anton Louw <anton.l...@voxtelecom.co.za>;
> > > users@ovirt.org
> > > 
> > > Cc: Stephen Hutchinson <stephen.hutchin...@voxtelecom.co.za>
> > > 
> > > Subject: Re: [ovirt-users] KeyCloak Integration
> > > 
> > > 
> > >  
> > > 
> > > On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote:
> > > 
> > > >  
> > > > Hi Artur,
> > > >  
> > > > Thank you for the quick response. 
> > > >  
> > > > I have actually tried creating another user, but I still get the same
> > > > error. I have attached the output of curl -vvv as well as the logs the
> > > > engine and keycloak logs.
> > > 
> > >  
> > > 
> > > 
> > > This `curl -vvv ...` is actually is incorrect because it is missing -H
> > > before 'Accept' header. However, previous attempts that led to this error
> > > seemed to be fine. Could you just re-send output of
> > >  the correct curl? 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > There are few things we can test to try to narrow down the root cause:
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 1) Test connection using python script (from the blog post ) using sdk. I
> > > suspect it will not work either.
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 2) I saw some errors in the log on revoking token. Please go to keycloak
> > > admin panel, and under users kill all its active sessions. Then, please
> > > without logging in to engine admin UI, use that curl
> > >  to obtain token.
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 3) Does it work without OVN integration enabled?
> > > 
> > > 
> > >  
> > > 
> > > 
> > > Artur
> > > 
> > > 
> > >  
> > > 
> > > 
> > >  
> > > 
> > > >  
> > > > Thank you
> > > >  
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Anton Louw
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Cloud Engineer: Storage and Virtualization
> > > >  at Vox
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > T:
> > > >  087 805 0000 |
> > > > D: 087 805 1572
> > > > 
> > > > M: N/A
> > > > 
> > > > E:
> > > > anton.l...@voxtelecom.co.za
> > > > 
> > > > A: Rutherford Estate,
> > > >  1 Scott Street, Waverley, Johannesburg
> > > > 
> > > > www.vox.co.za
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > From: Artur Socha <aso...@redhat.com>
> > > > 
> > > > 
> > > > Sent: 19 June 2020 10:23
> > > > 
> > > > To: Anton Louw <anton.l...@voxtelecom.co.za>;
> > > > users@ovirt.org
> > > > 
> > > > Subject: Re: [ovirt-users] KeyCloak Integration
> > > > 
> > > > 
> > > >  
> > > > 
> > > > O
> > > > 
> > > > 
> > > > n Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote:
> > > > 
> > > > >  
> > > > > Hi Everybody,
> > > > 
> > > >  
> > > > 
> > > > 
> > > > Hi Anton,
> > > > 
> > > > >  
> > > > > So I have implemented KeyCloak into our oVirt environment, which
> > > > > works, up until a point. So WebUI access works, but when calling the
> > > > > API, using:
> > > > > 
> > > > > curl -k -H "Accept: application/json" '
> > > > > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> > > > >  
> > > > > I get the below error:
> > > > >  
> > > > > {"error_description":"Cannot authenticate user Invalid scopes: ovirt-
> > > > > app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
> > > > > ovirt-ext=token-info:public-authz-search 
> > > > > ovirt-ext=token-info:validate 
> > > > > ovirt-ext=token:password-access.","error":"access_denied"}
> > > > >  
> > > > > If my configs are removed, and I use “admin@internal” for my username,
> > > > > then it works.
> > > > >  
> > > > > I followed the below article step by step, and I double checked that
> > > > > all the scopes are added into KeyCloak (ovirt-app-api and ovirt-app-
> > > > > admin)
> > > > > 
> > > > >  
> > > > > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> > > > >  
> > > > > Anybody have any ideas?
> > > > 
> > > >  
> > > > 
> > > > 
> > > > It is my blind shot but could create & check another user?
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > One more thing to check please use curl -vvv to check if there are any
> > > > redirects along the way.
> > > > 
> > > > 
> > > > 
> > > > I will check keycloak settings on my setup - perhaps there is something
> > > > non-obvious that could have been missed.
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > Any chance to get a bit more logs from engine.log and even from
> > > > keycloak? Perhaps there is something there that could help.
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > Artur
> > > > 
> > > > 
> > > >  
> > > > 
> > > > >  
> > > > > Thank you
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Anton Louw
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Cloud Engineer: Storage and Virtualization
> > > > >  at Vox
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > T:
> > > > >  087 805 0000 |
> > > > > D: 087 805 1572
> > > > > 
> > > > > M: N/A
> > > > > 
> > > > > E:
> > > > > anton.l...@voxtelecom.co.za
> > > > > 
> > > > > A: Rutherford Estate,
> > > > >  1 Scott Street, Waverley, Johannesburg
> > > > > 
> > > > > www.vox.co.za
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Disclaimer
> > > > > The contents of this email are confidential to the sender and the
> > > > > intended recipient. Unless the contents are clearly and entirely of a
> > > > > personal nature, they are subject to copyright
> > > > >  in favour of the holding company of the Vox group of companies. Any
> > > > > recipient who receives this email in error should immediately report
> > > > > the error to the sender and permanently delete this email from all
> > > > > storage devices.
> > > > > 
> > > > > 
> > > > > 
> > > > > This email has been scanned for viruses and malware, and may have been
> > > > > automatically archived by
> > > > > Mimecast Ltd, an innovator in Software as a Service (SaaS) for
> > > > > business. Providing a
> > > > > safer and more useful place for your human generated data.
> > > > > Specializing in; Security, archiving and compliance. To find out more
> > > > > Click Here.
> > > > >  
> > > > > _______________________________________________
> > > > > Users mailing list -- 
> > > > > 
> > > > > users@ovirt.org
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > > To unsubscribe send an email to 
> > > > > 
> > > > > users-le...@ovirt.org
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > > Privacy Statement: 
> > > > > 
> > > > > https://www.ovirt.org/privacy-policy.html
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > > oVirt Code of Conduct: 
> > > > > 
> > > > > https://www.ovirt.org/community/about/community-guidelines/
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > > List Archives: 
> > > > > 
> > > > > https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > 
> > > >  
> > > 
> > >  
> > 
> >  
> 
> 
> 
> 
> 
> 
> 
>     
> 
> 

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FGRAZT25FIQWF36EMTKKMT4C3FS3HIKE/

Reply via email to