Bug 1586085

Summary: [RFE] Add SSH credentials to the oVirt Manager
Product: Red Hat CloudForms Management Engine Reporter: Satoe Imaishi <simaishi>
Component: Providers Assignee: Boriso <bodnopoz>
Status: CLOSED CURRENTRELEASE QA Contact: Kedar Kulkarni <kkulkarn>
Severity: high Docs Contact:
Priority: high    
Version: 5.9.0 CC: bthurber, dagur, fdeutsch, fdupont, gblomqui, gmccullo, istein, jfrey, jhardy, jocarter, mperina, obarenbo, smallamp
Target Milestone: GA Keywords: FutureFeature, RFE, ZStream
Target Release: 5.9.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: v2v
Fixed In Version: 5.9.3.1 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1561353 Environment:
Last Closed: 2018-07-12 17:26:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: RHEVM Target Upstream Version:
Embargoed:
Bug Depends On: 1561353    
Bug Blocks:    

Comment 2 CFME Bot 2018-06-05 13:29:02 UTC
New commit detected on ManageIQ/manageiq-ui-classic/gaprindashvili:

https://github.com/ManageIQ/manageiq-ui-classic/commit/9c220cd25f355f992aaf0e45b2ea67501ac7d101
commit 9c220cd25f355f992aaf0e45b2ea67501ac7d101
Author:     Harpreet Kataria <hkataria>
AuthorDate: Mon Jun  4 16:39:33 2018 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Mon Jun  4 16:39:33 2018 -0400

    Merge pull request #3983 from borod108/rfe/add_ssh_pair_to_rhv

    Add support for ssh key pair credentials to rhv
    (cherry picked from commit 04100d266b030a291c07cf4f3bf8cae41d8e701e)

    https://bugzilla.redhat.com/show_bug.cgi?id=1586085

 app/assets/javascripts/controllers/ems_keypair/ems_keypair_controller.js | 4 +-
 app/controllers/mixins/ems_common_angular.rb | 9 +-
 app/views/layouts/angular/_multi_auth_credentials.html.haml | 12 +-
 spec/controllers/ems_infra_controller_spec.rb | 2 +-
 spec/javascripts/controllers/ems_keypair/ems_keypair_controller_spec.js | 59 +-
 5 files changed, 42 insertions(+), 44 deletions(-)

Comment 3 CFME Bot 2018-06-05 13:29:41 UTC
New commits detected on ManageIQ/manageiq-providers-ovirt/gaprindashvili:

https://github.com/ManageIQ/manageiq-providers-ovirt/commit/113dfe48585fd9b387e62adfa5666c4729f505e7
commit 113dfe48585fd9b387e62adfa5666c4729f505e7
Author:     Piotr Kliczewski <piotr.kliczewski>
AuthorDate: Thu May 24 09:24:18 2018 -0400
Commit:     Piotr Kliczewski <piotr.kliczewski>
CommitDate: Thu May 24 09:24:18 2018 -0400

    Merge pull request #251 from borod108/rfe/add_sshkey_pair

    Add support for ssh_keypair authentication
    (cherry picked from commit 546fcb2c5cb2e88b347dec8c2bd2334858f3acbc)

    https://bugzilla.redhat.com/show_bug.cgi?id=1586085

 app/models/manageiq/providers/redhat/infra_manager/api_integration.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


https://github.com/ManageIQ/manageiq-providers-ovirt/commit/341fdbc36aaf992a27d517ee7962bff49b235292
commit 341fdbc36aaf992a27d517ee7962bff49b235292
Author:     Moti Asayag <masayag>
AuthorDate: Mon Jun  4 08:19:29 2018 -0400
Commit:     Moti Asayag <masayag>
CommitDate: Mon Jun  4 08:19:29 2018 -0400

    Merge pull request #256 from borod108/rfe/ssh_keypair_2

    RHEV SSH Keypair auth always returns true
    (cherry picked from commit 7d11b1e311b3f1e7c07a791d37ed42982624908a)

    https://bugzilla.redhat.com/show_bug.cgi?id=1586085

 app/models/manageiq/providers/redhat/infra_manager/api_integration.rb | 5 +
 1 file changed, 5 insertions(+)

Comment 4 Ilanit Stein 2018-06-07 13:19:19 UTC
Verified on CFME-5.9.3.1/RHV-4.2.3

That under CFME UI RHV provider, 'RSA Key pair' tab was added.
It is possible to insert those inputs:
'user name': root
'private key': A .pem file, copied from the RHV engine /etc/pki/ovirt-engine/ca.pem 

Note that there is no validation on the inputs here.

Comment 5 Daniel Gur 2018-06-12 07:23:58 UTC
Hi Sudhir, 
Moving this bug to you following your talk with Ilanit so Ytale could validate it on V2V.

We received input from Fabien that he also checked it and was happy with the change.

Fabien also needs to add documentation regarding this bug. Ilanit send a mail to him about it.

Comment 6 Fabian Deutsch 2018-06-12 10:43:20 UTC
I suppose I cannot help here. Maybe you wanted somebody else, Daniel?

Comment 7 Fabien Dupont 2018-06-13 21:37:42 UTC
As explained in BZ#1561353, the aim of having SSH credential for the provider is to run playbooks that are present on the RHV-M machine from CloudForms. The approach is to use the credentials to open an SSH session on RHV-M machine and call ansible-playbook on it. The initial use case is to run the V2V conversion host role playbooks.

RHV has a native password-less SSH infrastructure that allows root user to connect to all the RHV hosts. We expect that the user name will mostly be root. However, to allow other use cases, we leave it to the user to fill it.

The private key field aims at containing an SSH private key as generated by ssh-keygen. It can be of any type supported by SSH: DSA, RSA, ECDSA... For the credentials to be viable, the public key has to be added on RHV-M machine, in the authorized_keys file of the user entered in user name field.

Comment 8 Kedar Kulkarni 2018-06-20 14:23:15 UTC
I concur with Comment 4 as I could add the keyfile and username for RHV in 5.9.3.2.

Comment 9 Brett Thurber 2018-06-26 05:23:02 UTC
*** Bug 1561353 has been marked as a duplicate of this bug. ***

Comment 10 Ilanit Stein 2018-07-02 12:54:51 UTC
This bug is not a duplicate of bug 1561353. Bug 1561353 is the same bug, 
but for CFME-5.10 Target.

Comment 11 Ilanit Stein 2018-07-02 14:14:53 UTC
Fabien Dupont
Jun 7, 2018, 5:14 PM

"I am able to collect the private key from Automate code.

ems = $evm.vmdb(:ext_management_system).find_by(name: 'rhv')
auth = $evm.vmdb(:authentication).find_by(name: "#{ems.type} #{ems.name}", authtype: "ssh_keypair")
userid = auth.userid
priv_key = auth.attributes["auth_key"]

The private key is encrypted but we can decrypt it on the fly and use it to run commands on RHV Manager. From my point of view, the requirement is met.

One note, the private key field is expected to be filled with an SSH private key. There is currently no validation on this field, so it will be accepted."

Regarding key missing validation, see bug 1594343.
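
The missing input validation that Comments 4 and 11 point out, sketched as an added example (not code from this bug report or from ManageIQ): a Ruby check that accepts only private-key PEM blocks, rejects certificates and public key lines, and reports passphrase-protected keys separately. The function name, status symbols and sample inputs are assumptions made for illustration.

```ruby
# Hypothetical validator for the provider's "private key" field; not ManageIQ code.
PRIVATE_LABELS = ["OPENSSH PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
                  "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"].freeze
PEM_RE = /\A-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----\z/m
OPENSSH_MAGIC = "openssh-key-v1\0".b

# Returns [status, detail]; status is :ok, :encrypted or :rejected.
def check_ssh_private_key(text)
  text = text.to_s.strip
  return [:rejected, "empty"] if text.empty?
  return [:rejected, "public key line"] if text.match?(/\A(ssh-|ecdsa-)\S+ \S+/)
  m = PEM_RE.match(text)
  return [:rejected, "not a single PEM block"] unless m
  label, body = m[1], m[2]
  return [:rejected, "PEM type is #{label}"] unless PRIVATE_LABELS.include?(label)

  # Passphrase-protected legacy PEM keys carry "Proc-Type: 4,ENCRYPTED" headers.
  headers, b64 = body.lines.partition { |l| l.include?(":") }
  begin
    raw = b64.join.gsub(/\s+/, "").unpack1("m0") # strict base64 decode
  rescue ArgumentError
    return [:rejected, "body is not valid base64"]
  end
  return [:rejected, "empty key body"] if raw.empty?

  if label == "OPENSSH PRIVATE KEY"
    # Layout: magic, then a length-prefixed cipher name ("none" when unencrypted).
    return [:rejected, "missing openssh-key-v1 magic"] unless raw.start_with?(OPENSSH_MAGIC)
    len = raw.byteslice(OPENSSH_MAGIC.bytesize, 4).to_s.unpack1("N")
    return [:rejected, "truncated OpenSSH key"] if len.nil?
    cipher = raw.byteslice(OPENSSH_MAGIC.bytesize + 4, len).to_s
    return [:encrypted, "cipher #{cipher}"] unless cipher == "none"
  end
  legacy_enc = headers.any? { |l| l.match?(/\AProc-Type:\s*4,ENCRYPTED/) }
  return [:encrypted, label] if legacy_enc || label == "ENCRYPTED PRIVATE KEY"
  [:ok, label]
end

# Constructed samples: a certificate-labelled PEM and an OpenSSH-shaped blob (not real keys).
def pem(label, raw)
  "-----BEGIN #{label}-----\n#{[raw].pack('m0')}\n-----END #{label}-----\n"
end
CERT_SAMPLE = pem("CERTIFICATE", "constructed-not-a-real-cert")
OPENSSH_SAMPLE = pem("OPENSSH PRIVATE KEY", OPENSSH_MAGIC + [4].pack("N") + "none" + "\0" * 8)

p check_ssh_private_key(CERT_SAMPLE)
p check_ssh_private_key(OPENSSH_SAMPLE)
```

The check is structural only: it does not parse the key material or confirm that the matching public key is in the target user's authorized_keys file.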