This site is under construction. Please treat it as ALPHA version. Any comments & reviews are welcomed!
This repository contains a set of ovirt-engine setup plugins that allow to install and setup Keycloak overlay package as internal Single-Sign-On (SSO) provider for oVirt Engine, thus deprecating oVirt Engine's AAA. In addition, oVirt Provider OVN and Grafana / Monitoring Portal are being reconfigured to use Keycloak SSO as well.
For fresh installation internally bundled Keycloak becomes the default SSO provider. However, if system administrator decides otherwise it is possible to fall back to legacy AAA configuration by rejecting Keycloak during engine-setup run.
In order to use legacy AAA authentication please provide 'No' for the following engine-setup questions
* Please note * : Keycloak is now deprecating AAA/JDBC authentication module.
It is highly recommended to install Keycloak based authentication.
Configure Keycloak on this host (Yes, No) [Yes]:
provided answer: no
Are you really sure not to install internal Keycloak based authentication?
AAA modules are being deprecated
Configure Keycloak on this host (Yes, No) [Yes]:
provided answer: no
Also hosted-engine --deploy asks:
Configure Keycloak integration on the engine (Yes, No) [Yes]:
If the system administrator originally disabled the internal Keycloak for oVirt >= 4.5.1, and later decides to make a switch, it is possible to do so. The trade-off is that any existing AAA configuration will have to be migrated to Keycloak manually. In order to activate the internal Keycloak, please see the activation procedure.
When upgrading the existing oVirt installation to version >= 4.5.1, due to backward compatibility, oVirt AAA configuration is the preferred solution. There will be no Keycloak related questions during engine-setup execution. System administrators can decide, whether to migrate manually as documented here, or keep using their existing setup. At current time there are no automatic migration from AAA JDBC or AAA LDAP to internally bundled Keycloak. In order to activate the internal Keycloak please see the activation procedure.
Keycloak is not supposed to be installed and configured on the development environment.
In case system administrator decides to enable internally bundled Keycloak SSO there are the following steps needed:
- Backup existing setup (full backup & restore exercise is highly recommended)
- Enable internally bundled Keycloak. Please note that any existing user base setup needs to be migrated manually. Please see Keycloak documentation how to setup various user backends (todo: links)
engine-setup --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:True"
- To test the setup please login to Administration Portal using the admin username:
admin@ovirtand provided password. For REST API access the full username with profile must be provided:admin@ovirt@internalsso. - In order to login to Keycloak Administration Console go to
https://ENGINE_FQDN/ovirt-engine-auth/adminand use useradminwith provided password (from the above).
Additionally, the engine-setup output should contain a confirmation that Keycloak has been configured.
--== SUMMARY ==--
[ INFO ] Starting service: grafana-server
[ INFO ] Starting dwh service
[ INFO ] Starting Grafana service
[ INFO ] Restarting ovirt-vmconsole proxy service
Please use the user 'admin' and password specified in order to login to Keycloak admin console
Please use the user 'admin@ovirt' and password specified in order to login using Keycloak SSO
Web access is enabled at:
http://dev2.dom:80/ovirt-engine
https://dev2.dom:443/ovirt-engine
Internal CA fingerprint: SHA256: 4E:A7:F0:71:92:A1:7B:C0:37:2C:4D:DF:86:2D:70:94:E3:7B:DC:FA:0F:44:00:F3:81:E4:35:83:3C:E0:
DF:8F
SSH fingerprint: SHA256:3gsIvHFk+irCRfmtSXbDSOdXYjgGVgoxTMUteBJ/nv0
[ INFO ] Starting engine service
[WARNING] Less than 16384MB of memory is available
Web access for grafana is enabled at:
https://dev2.dom/ovirt-engine-grafana/
Please run the following command on the engine machine dev2.dom, for SSO to work:
systemctl restart ovirt-engine
Keycloak database resources:
Database name: ovirt_engine_keycloak_20220519111841
Database user name: ovirt_engine_keycloak_20220519111841
--== END OF SUMMARY ==--
[ INFO ] Restarting httpd
[ INFO ] Start with setting up Keycloak for Ovirt Engine
[ INFO ] Done with setting up Keycloak for Ovirt Engine
[ INFO ] Stage: Clean up
Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20220519111823-q89zni.log
[ INFO ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20220519112026-setup.conf'
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully
There is no automated fallback script from the internal Keycloak to legacy AAA modules. However, this can be done manually if needed but is not recommended.
In case the Grafana (for Monitoring Portal) is configured to run on a separate host (different from where oVirt Engine is deployed) the SSO will not work out-of-the-box. Relevant configuration in /etc/grafana/grafana.ini must be updated. However, it would be still possible to login using grafana bootstrap admin user.
Currently, we do not have any automation to help to migrate existing AAA environments. Feel free to file bugzilla requests or GitHub issues if needed.