Bug 1846256

Summary: SSO allows all engine users to login to grafana
Product: [oVirt] ovirt-engine-dwh
Reporter: Yedidyah Bar David <didi>
Component: Setup
Assignee: Shirly Radco <sradco>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Novotny <pnovotny>
Severity: high
Docs Contact:
Priority: high
Version: 4.4.0
CC: bugs, emarcus, lleistne, sradco
Target Milestone: ovirt-4.4.4
Flags: pm-rhel: ovirt-4.4+
Target Release: 4.4.1.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-dwh-4.4.1.2
Doc Type: Known Issue
Doc Text:
Grafana now allows Single-Sign-On (SSO) using oVirt engine users, but does not allow automatic creation of them. A future version (see bugs 1835163 and 1807323) will allow automatic creation of admin users. For now, users must be created manually, but following that, they can login using SSO.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-05 06:25:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Metrics
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2020-06-11 08:38:40 UTC
Description of problem:

We currently allow all authenticated engine users to login to grafana via SSO, potentially letting them see information they are not supposed to see.

A proper fix for this is probably part of bug 1835163, but we need something before it's fixed.

For now, I am going to disable automatic creation of a grafana user with SSO.

This means that the admin will have to create/invite new users manually, and SSO will only work after they are manually created.

SSO identification is done on the email address of the user in the engine (this is already true, but required less attention if users are created automatically).

Version-Release number of selected component (if applicable):
Current master

How reproducible:
Always

Steps to Reproduce:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Actual results:
Works

Expected results:
Fails

Additional info:

If we indeed fix as described, granting access to such a user requires:

1. Set an email address for the user in the engine, if it does not already have one

2. Login to grafana with an existing admin (the initial admin, at first)

3. Go to: Configuration -> Users, Invite

4. Input the email address and name, select role

5. Send the invitation - either let grafana do this with "Send invite mail",

6. Or: Press "Pending Invites", locate the one you want, and press "Copy invite"

7. Then Copy (press Ctrl-C) and use this link to create the account (by using it yourself or sending to the user).

8. After the account is created, and if indeed there is an engine-side user with the same email address, SSO will work for this user.
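
The switch comment 0 describes, shown as an added example that is not taken from the bug report or from ovirt-engine-dwh: in Grafana's own configuration, whether an OAuth login may self-register an account is controlled by the allow_sign_up key under the OAuth provider's section. The section name [auth.generic_oauth], the name value (inferred from the 'Sign in with oVirt Engine Auth' button label) and the file path (Grafana's default) are assumptions about how the dwh setup configures Grafana.

```ini
; /etc/grafana/grafana.ini (Grafana's default path; assumed to be the file the dwh setup writes)
[auth.generic_oauth]
enabled = true
name = oVirt Engine Auth
; Weak (the behaviour this bug reports): every engine user who completes the
; OAuth flow gets a Grafana account created for them on first login.
;allow_sign_up = true
; Fixed (behaviour after ovirt-engine-dwh-4.4.1.2): the OAuth identity is only
; matched, by email address, against accounts an admin already created or invited.
allow_sign_up = false
```

To check a deployed instance, look at the effective value rather than trusting the installer: `grep -A 6 '^\[auth.generic_oauth\]' /etc/grafana/grafana.ini` should show allow_sign_up = false, and a freshly created non-admin engine user (with an email set) should be refused at the Grafana login, as in the reproducer above.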

Comment 1 Pavel Novotny 2020-07-12 16:35:35 UTC
Verified in
ovirt-engine-4.4.1.8-0.7.el8ev.noarch
ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch

Verified with reproducer from comment 0:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Result:
HTTP 500 error page (see separate bug 1856097).


Login with an admin user works well.


I move this bug to VERIFIED as the functionality no longer allows a non-admin or uninvited user to access Grafana.
The error page is tracked separately in bug 1856097.

Comment 3 Yedidyah Bar David 2020-07-28 07:01:58 UTC
Eli - I rewrote the doc text to clarify the current status (with current bug fixed). Feel free to amend as needed, and in particular to include more detailed steps for how to create/invite users (you can base them on comment 0), or open a doc bug to add this to the main docs.

When I initially wrote comment 0, it described a bug - a current bad behavior (allow all users to login). Now, this behavior is fixed, but at the expense of degraded functionality (impossible to auto-create users). I am writing this to clarify that in your text, "allows" actually refers to the situation before the fix (which, for RHV, does not exist, because we never released RHV with current bug unfixed), and "Workaround" is not a workaround but simply the behavior. So if you want to keep your own text with as few changes as possible, it can be e.g.:

The Grafana dashboard allowed any authenticated oVirt engine user to log in using Single Sign-On (SSO). 
With this version, automatic creation of Grafana SSO users has been disabled. A Grafana Admin user must create or invite a new user manually.

But as I said, this does not apply to RHV, because it was never released with current bug unfixed.

Comment 4 Lucie Leistnerova 2020-07-30 14:13:38 UTC
Didi, please add to the doc text that when DWH is installed on a separate machine, an smtp server must be installed/configured to send the emails.

Comment 5 Yedidyah Bar David 2020-08-04 06:03:52 UTC
(In reply to Lucie Leistnerova from comment #4)
> Didi, please add to the doc text that when DWH is installed on a separate
> machine, an smtp server must be installed/configured to send the emails.

Why is it specific to separate machine?

I think you refer to the emails with invitation links, right?
I think this applies always, currently.

I personally didn't let it send emails but copy/pasted, see step 6 of the "Additional info" in comment 0.

Eli - can you please add this "Additional info" text to the main docs, or perhaps just to doc text here? Thanks. Then, also add there something like:

For using "Send invite mail", you first have to configure postfix to allow sending outgoing email.
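
For admins who would rather not configure postfix for "Send invite mail", nor copy pending-invite links by hand, the account can also be created through Grafana's HTTP API. This is an added example, not code from the bug report or from ovirt-engine-dwh: it uses Grafana's documented server-admin endpoint POST /api/admin/users with HTTP basic authentication. The base URL, the admin credentials and the sample user are assumptions. The one thing that matters for SSO is that the email address given here exactly matches the user's email address in the engine.

```python
"""Create a Grafana account whose email matches an engine user's, so engine SSO can map to it.

Added example for bug 1846256; not ovirt-engine-dwh code. Uses Grafana's documented
server-admin endpoint POST /api/admin/users with HTTP basic auth. Base URL, admin
credentials and the sample user in __main__ are assumptions.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class GrafanaUser:
    email: str     # must equal the user's email in the engine; SSO is matched on it
    name: str
    login: str
    password: str  # local password for the account; SSO is the expected login path


def build_create_user_request(base_url: str, admin_user: str, admin_password: str,
                              user: GrafanaUser) -> urllib.request.Request:
    """Assemble the POST /api/admin/users request without sending it."""
    if "@" not in user.email:
        # An engine user without a full email address can never be matched by SSO,
        # so refuse to create an orphan Grafana account for it.
        raise ValueError(f"not a usable SSO identity: {user.email!r}")
    body = json.dumps({
        "name": user.name,
        "email": user.email,
        "login": user.login,
        "password": user.password,
    }).encode("utf-8")
    credentials = base64.b64encode(
        f"{admin_user}:{admin_password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/api/admin/users",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {credentials}",
        },
    )


def request_summary(req: urllib.request.Request) -> dict:
    """Plain view of a built request (url, method, decoded body, auth header) for checks."""
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "body": json.loads(req.data.decode("utf-8")),
        "authorization": req.get_header("Authorization"),
    }


def create_grafana_user(base_url: str, admin_user: str, admin_password: str,
                        user: GrafanaUser, timeout: float = 10.0) -> int:
    """Send the request and return the new Grafana user id.

    Grafana answers 412 if the login or email is already taken; urllib raises that as
    urllib.error.HTTPError, which is left to propagate so the caller sees the real reason.
    """
    req = build_create_user_request(base_url, admin_user, admin_password, user)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    # Assumed values only: adjust the URL and admin credentials to the deployment.
    sample = GrafanaUser(email="vmuser@example.com", name="VM User",
                         login="vmuser", password="change-me-on-first-login")
    user_id = create_grafana_user("https://grafana.example.com", "admin", "admin-password", sample)
    print(f"created Grafana user id {user_id}; SSO now works for {sample.email}")
```

The account is created as a regular user (Viewer in the default org); roles are adjusted afterwards in Configuration -> Users, exactly as with an invited user. Because the script refuses an email without a domain part, it also catches the case comment 0's step 1 warns about: an engine user with no email set would otherwise end up with a Grafana account that SSO can never match.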

Comment 6 Sandro Bonazzola 2020-08-05 06:25:20 UTC
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.