Bug 1835163

Summary: Configure role-mapping on SSO to grafana
Product: [oVirt] ovirt-engine-dwh Reporter: Yedidyah Bar David <didi>
Component: Setup    Assignee: Yedidyah Bar David <didi>
Status: CLOSED DEFERRED QA Contact: Lucie Leistnerova <lleistne>
Severity: high Docs Contact:
Priority: high    
Version: ---    CC: asocha, bugs, emarcus, mperina, sradco
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1883476    Environment:
Last Closed: 2021-04-26 08:16:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Metrics    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1807323, 1835152    
Bug Blocks: 1883476    

Description Yedidyah Bar David 2020-05-13 09:49:50 UTC
Description of problem:

Allow engine admins to automatically be grafana admins when logging in using SSO/OAuth2.

This requires grafana 6.5, see dependent bug.

A workaround:

1. Log in to the engine web admin as admin
2. Log in to grafana with SSO - "Sign in with oVirt Engine Auth"
3. Sign out
4. Log in with the internal grafana admin
5. Go to Configuration -> Users
6. Find the new user. The default email for the engine's default admin, admin@internal, is 'root@localhost'.
7. Change its Role to Admin.
8. Now you can log out and log in again with SSO; it should have admin rights.

admin@internal's email address used to be empty until 4.3, and in 4.4 we change it (also on upgrades) for SSO with grafana, as it requires an email address.

Comment 1 Sandro Bonazzola 2020-05-14 07:33:16 UTC
Tentatively targeting 4.4.1, working with platform to get grafana rebase backported to RHEL 8.2.1

Comment 2 Yedidyah Bar David 2021-02-09 08:54:59 UTC
I now looked a bit at this, and it seems like the engine does not provide anything in userinfo to base a decision on regarding whether to automatically allow access - roles, groups, etc. I might be missing something.

I checked grafana log (after changing its log level to 'debug') and see:

t=2021-02-09T09:48:44+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" : \"0\",\n  \"authTime\" : 1612791725921,\n  \"sub\" : \"admin@internal\",\n  \"preferredUserName\" : \"admin@internal\",\n  \"email\" : \"root@localhost\",\n  \"name\" : \"admin\",\n  \"familyName\" : \"admin\",\n  \"givenName\" : \"admin\",\n  \"jti\" : \"5dd04d3c-7a6d-4560-a1d5-3201beb8efd5\",\n  \"exp\" : 1612793525921,\n  \"iat\" : 1612791725921,\n  \"iss\" : \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"

t=2021-02-09T10:13:39+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" : \"0\",\n  \"authTime\" : 1612858143078,\n  \"sub\" : \"testu1@internal\",\n  \"preferredUserName\" : \"testu1@internal\",\n  \"email\" : \"testu1@localhost\",\n  \"name\" : \"John\",\n  \"familyName\" : \"John\",\n  \"givenName\" : \"John\",\n  \"jti\" : \"5a6ff251-a26c-4281-a3de-d9ce6c2e7635\",\n  \"exp\" : 1612859943078,\n  \"iat\" : 1612858143078,\n  \"iss\" : \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"

Artur, is it indeed missing? Or is there a way to configure what information we provide?

Comment 3 Artur Socha 2021-02-12 16:03:35 UTC
(In reply to Yedidyah Bar David from comment #2)
> Now looked a bit at this, and it seems like the engine does not provide in
> userinfo anything to base a decision on, regarding whether to automatically
> allow access - roles, groups, etc. I might be missing something.
> 
> I checked grafana log (after changing its log level to 'debug') and see:
> 
> t=2021-02-09T09:48:44+0200 lvl=dbug msg="HTTP GET
> https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" :
> \"0\",\n  \"authTime\" : 1612791725921,\n  \"sub\" : \"admin@internal\",\n 
> \"preferredUserName\" : \"admin@internal\",\n  \"email\" :
> \"root@localhost\",\n  \"name\" : \"admin\",\n  \"familyName\" :
> \"admin\",\n  \"givenName\" : \"admin\",\n  \"jti\" :
> \"5dd04d3c-7a6d-4560-a1d5-3201beb8efd5\",\n  \"exp\" : 1612793525921,\n 
> \"iat\" : 1612791725921,\n  \"iss\" :
> \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" :
> \"ovirt-grafana\"\n}"
> 
> t=2021-02-09T10:13:39+0200 lvl=dbug msg="HTTP GET
> https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" :
> \"0\",\n  \"authTime\" : 1612858143078,\n  \"sub\" : \"testu1@internal\",\n 
> \"preferredUserName\" : \"testu1@internal\",\n  \"email\" :
> \"testu1@localhost\",\n  \"name\" : \"John\",\n  \"familyName\" :
> \"John\",\n  \"givenName\" : \"John\",\n  \"jti\" :
> \"5a6ff251-a26c-4281-a3de-d9ce6c2e7635\",\n  \"exp\" : 1612859943078,\n 
> \"iat\" : 1612858143078,\n  \"iss\" :
> \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" :
> \"ovirt-grafana\"\n}"
> 
> Artur, is it indeed missing? Or is there a way to configure what information
> we provide?

Just for the record, because the discussion has been initiated on an email thread.

- Currently, the only way is to match 'admin@internal' on the grafana side to be able to tell that the user is an admin.
- Under discussion: potential solutions like returning ovirt roles in the user-info response [1][2], happening over the email thread.

[1] https://gerrit.ovirt.org/113436
[2] https://gerrit.ovirt.org/113451
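As an added example (not code from this bug, oVirt or Grafana), the mapping comment 3 describes applied to userinfo responses of the shape shown in comment 2: parse grafana's debug log lines, check the token audience, and map the subject to a grafana role by exact match on 'admin@internal'. The sample log (trimmed claims, placeholder hostname), the Viewer fallback, and the JMESPath expression in the docstring (which assumes Grafana 6.5's generic OAuth role_attribute_path) are assumptions, not taken from the page.

```python
import json
import re

# Constructed sample log, modelled on the grafana debug lines in comment 2 of
# this bug (claims trimmed, hostname replaced): the engine's userinfo response
# carries identity claims only, no roles or groups.
SAMPLE_LOG = r'''t=2021-02-09T09:48:44+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"sub\" : \"admin@internal\",\n  \"email\" : \"root@localhost\",\n  \"name\" : \"admin\",\n  \"iss\" : \"https://engine.example.test:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"
t=2021-02-09T10:13:39+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"sub\" : \"testu1@internal\",\n  \"email\" : \"testu1@localhost\",\n  \"name\" : \"John\",\n  \"iss\" : \"https://engine.example.test:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"'''

# Audience the engine puts in tokens issued for grafana (from the page's log).
EXPECTED_AUD = "ovirt-grafana"
# Subjects granted the grafana Admin role; everyone else gets Viewer (assumed).
ADMIN_SUBJECTS = {"admin@internal"}

MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')


def parse_userinfo_responses(log_text):
    """Yield the decoded userinfo JSON objects grafana logs at debug level."""
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        # logfmt's string escapes (\n, \") are a subset of JSON's, so decoding
        # the quoted value as a JSON string unescapes it.
        msg = json.loads('"' + m.group(1) + '"')
        if "/sso/openid/userinfo" not in msg or "{" not in msg:
            continue
        yield json.loads(msg[msg.index("{"):])


def grafana_role(userinfo):
    """Map one userinfo response to a grafana org role by exact subject match.

    Assumed Grafana generic OAuth equivalent (role_attribute_path, JMESPath):
        sub == 'admin@internal' && 'Admin' || 'Viewer'
    """
    # Reject responses not issued for grafana before looking at any claim.
    if userinfo.get("aud") != EXPECTED_AUD:
        raise ValueError("userinfo not issued for grafana: aud=%r" % userinfo.get("aud"))
    # Comment 2: no roles/groups claim is present, so only the subject is left
    # to drive the decision.
    return "Admin" if userinfo.get("sub") in ADMIN_SUBJECTS else "Viewer"


def roles_from_log(log_text):
    """Return {subject: role} for every userinfo response found in the log."""
    return {u["sub"]: grafana_role(u) for u in parse_userinfo_responses(log_text)}
```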