Bug 2021497

Summary: [RFE] Install and configure Keycloak as a default SSO provider for ovirt-engine
Product: [oVirt] ovirt-engine Reporter: Martin Perina <mperina>
Component: General Assignee: Artur Socha <asocha>
Status: CLOSED CURRENTRELEASE QA Contact: Barbora Dolezalova <bdolezal>
Severity: high Docs Contact:
Priority: high    
Version: 4.4.0 CC: asocha, bugs, dfodor, gdeolive, rszwajko, sgratch
Target Milestone: ovirt-4.5.1 Keywords: FutureFeature, Upstream
Target Release: 4.5.1 Flags: mperina: ovirt-4.5+
pm-rhel: planning_ack?
pm-rhel: devel_ack+
gdeolive: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.5.1, ovirt-engine-keycloak Doc Type: Enhancement
Doc Text:
Feature: Replace the oVirt default (internal) Single-Sign-On (SSO) implementation[1] with bundled Keycloak[2] (OpenID protocol).

Reason: Our existing (internal) SSO supports only a limited number of authentication providers. It is an in-house implementation of the OAuth protocol that required a significant amount of maintenance effort. The Keycloak solution enables oVirt users to use additional authentication providers in addition to JDBC or LDAP. These include integration with 3rd-party SSO providers, e.g. GitHub, Google, Facebook, as well as with custom ones. Another benefit is the ability to easily configure multi-step authentication to increase the overall security level of the oVirt installation.

Result: oVirt administrators will be able to fully use Keycloak capabilities in terms of setting up the authentication/SSO mechanism and multiple user bases. Please note that the default oVirt administrator user name has been changed from 'admin' to 'admin@ovirt' (Administration Portal, VM Portal) and from 'admin@internal' to 'admin@ovirt@internalsso' (REST API). Covered deployment scenarios are documented here[3]. With this RFE implementation it is now possible to log in to the Monitoring Portal (Grafana) using 'oVirt Single Sign On'. The Grafana initial admin user ('admin') is matched by email to the default oVirt Administrator ('admin@ovirt').

[1] https://ovirt.org/documentation/administration_guide/index.html#chap-Users_and_Roles
[2] https://www.keycloak.org
[3] https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-22 07:32:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1996292    

Description Martin Perina 2021-11-09 12:30:32 UTC
For new installations, Keycloak will be installed and configured by engine-setup to provide the default SSO provider for oVirt Engine and Grafana.

For upgrades from a previous installation, AAA will still be used as the default SSO provider, but administrators could switch manually to Keycloak.

Comment 2 Sandro Bonazzola 2022-03-29 16:10:14 UTC
We are past 4.5.0 feature freeze, please re-target.

Comment 3 Sandro Bonazzola 2022-03-29 16:16:40 UTC
We are past 4.5.0 feature freeze, please re-target.

Comment 5 Barbora Dolezalova 2022-06-28 11:18:15 UTC
Verified in ovirt-engine-4.5.1.2-1.el8.noarch

Administration portal, VM portal, REST API are working.
The only thing missing is a shortcut for the Keycloak administration portal: bug 2101474