Bug 1835163 - Configure role-mapping on SSO to grafana
Summary: Configure role-mapping on SSO to grafana
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: ovirt-engine-dwh
Classification: oVirt
Component: Setup
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Yedidyah Bar David
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On: 1807323 1835152
Blocks: 1883476
Reported: 2020-05-13 09:49 UTC by Yedidyah Bar David
Modified: 2021-04-26 08:16 UTC (History)

Fixed In Version:
Clone Of:
Clones: 1883476
Environment:
Last Closed: 2021-04-26 08:16:52 UTC
oVirt Team: Metrics
Embargoed:




Links
System            ID       Private  Priority  Status  Summary                                          Last Updated
Red Hat Bugzilla  1846256  0        high      CLOSED  SSO allows all engine users to login to grafana  2021-03-07 09:17:48 UTC

Internal Links: 1846256

Description Yedidyah Bar David 2020-05-13 09:49:50 UTC
Description of problem:

Allow engine admins to automatically become grafana admins when logging in using SSO/OAuth2.

This requires grafana 6.5, see dependent bug.

A workaround:

1. Login to the engine web admin as admin
2. Login to grafana with SSO - "Sign in with oVirt Engine Auth"
3. Sign out
4. Login with the internal grafana admin
5. Go to Configuration -> Users
6. Find the new user. The default email for the engine's default admin, admin@internal, is 'root@localhost'.
7. Change its Role to Admin.
8. Now you can logout and login again with SSO, it should have admin rights

admin@internal's email address used to be empty until 4.3; in 4.4 we change it (also on upgrades) for SSO with grafana, as it requires an email address.
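The same workaround can be done without clicking through the UI. The script below is an added example (it is not ovirt-engine-dwh or Grafana code): it performs steps 4 to 7 of the workaround above through Grafana's HTTP API, using the internal Grafana admin account. It assumes the base URL Grafana is served from (GRAFANA_URL, the default value is a placeholder), the internal admin credentials in GRAFANA_ADMIN_USER / GRAFANA_ADMIN_PASS, and that the target user already exists because they signed in with SSO at least once (steps 1 to 3).

```python
"""Added example (not ovirt-engine-dwh or Grafana code): promote a user that
was auto-created by an SSO login to the Admin org role via Grafana's HTTP API.

Assumptions: GRAFANA_URL is the base URL Grafana is served from, the internal
Grafana admin credentials are in GRAFANA_ADMIN_USER / GRAFANA_ADMIN_PASS, and
the target user already exists (signed in with SSO at least once).
Python 3 standard library only."""
import base64
import json
import os
import sys
import urllib.request
from urllib.parse import quote

VALID_ORG_ROLES = ("Viewer", "Editor", "Admin")


def basic_auth_header(user, password):
    """HTTP Basic header for the internal Grafana admin. An SSO user cannot be
    used for this: the call must come from an account that already has
    org-admin rights, which is exactly what the SSO user lacks."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def lookup_request(base_url, login_or_email, auth):
    """GET /api/users/lookup?loginOrEmail=... resolves a login or e-mail to the
    user record; its numeric 'id' is what the role change needs."""
    url = (f"{base_url.rstrip('/')}/api/users/lookup"
           f"?loginOrEmail={quote(login_or_email, safe='')}")
    return urllib.request.Request(url, headers=dict(auth), method="GET")


def set_org_role_request(base_url, user_id, role, auth):
    """PATCH /api/org/users/<id> changes the user's role in the current org.
    This is the org role shown under Configuration -> Users, not the separate
    server-admin flag, so the promoted user is not a Grafana server admin."""
    if role not in VALID_ORG_ROLES:
        raise ValueError(f"not a Grafana org role: {role!r}")
    url = f"{base_url.rstrip('/')}/api/org/users/{int(user_id)}"
    headers = dict(auth)
    headers["Content-Type"] = "application/json"
    body = json.dumps({"role": role}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="PATCH")


def promote_sso_user(base_url, login_or_email, auth, role="Admin"):
    """Look the user up, then set the org role. Returns Grafana's JSON reply."""
    with urllib.request.urlopen(lookup_request(base_url, login_or_email, auth)) as resp:
        user = json.load(resp)
    req = set_org_role_request(base_url, user["id"], role, auth)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder base URL (assumption); override with GRAFANA_URL.
    base = os.environ.get("GRAFANA_URL", "https://FQDN/ovirt-engine-grafana")
    password = os.environ.get("GRAFANA_ADMIN_PASS")
    if not password:
        sys.exit("set GRAFANA_ADMIN_PASS to the internal grafana admin password")
    auth = basic_auth_header(os.environ.get("GRAFANA_ADMIN_USER", "admin"), password)
    # admin@internal is created by the SSO login with e-mail root@localhost (see above).
    print(promote_sso_user(base, "root@localhost", auth))
```

Two things to keep in mind when using it: the lookup key is whatever Grafana recorded as login or e-mail at first SSO sign-in (root@localhost for admin@internal), and because the role is stored per user in Grafana's own database, any engine admin who has not yet signed in once still gets Viewer, which is the gap this bug is about.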

Comment 1 Sandro Bonazzola 2020-05-14 07:33:16 UTC
Tentatively targeting 4.4.1, working with platform to get grafana rebase backported to RHEL 8.2.1

Comment 2 Yedidyah Bar David 2021-02-09 08:54:59 UTC
Now looked a bit at this, and it seems like the engine does not provide in userinfo anything to base a decision on, regarding whether to automatically allow access - roles, groups, etc. I might be missing something.

I checked grafana log (after changing its log level to 'debug') and see:

t=2021-02-09T09:48:44+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" : \"0\",\n  \"authTime\" : 1612791725921,\n  \"sub\" : \"admin@internal\",\n  \"preferredUserName\" : \"admin@internal\",\n  \"email\" : \"root@localhost\",\n  \"name\" : \"admin\",\n  \"familyName\" : \"admin\",\n  \"givenName\" : \"admin\",\n  \"jti\" : \"5dd04d3c-7a6d-4560-a1d5-3201beb8efd5\",\n  \"exp\" : 1612793525921,\n  \"iat\" : 1612791725921,\n  \"iss\" : \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"

t=2021-02-09T10:13:39+0200 lvl=dbug msg="HTTP GET https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" : \"0\",\n  \"authTime\" : 1612858143078,\n  \"sub\" : \"testu1@internal\",\n  \"preferredUserName\" : \"testu1@internal\",\n  \"email\" : \"testu1@localhost\",\n  \"name\" : \"John\",\n  \"familyName\" : \"John\",\n  \"givenName\" : \"John\",\n  \"jti\" : \"5a6ff251-a26c-4281-a3de-d9ce6c2e7635\",\n  \"exp\" : 1612859943078,\n  \"iat\" : 1612858143078,\n  \"iss\" : \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" : \"ovirt-grafana\"\n}"

Artur, is it indeed missing? Or is there a way to configure what information we provide?

Comment 3 Artur Socha 2021-02-12 16:03:35 UTC
(In reply to Yedidyah Bar David from comment #2)
> Now looked a bit at this, and it seems like the engine does not provide in
> userinfo anything to base a decision on, regarding whether to automatically
> allow access - roles, groups, etc. I might be missing something.
> 
> I checked grafana log (after changing its log level to 'debug') and see:
> 
> t=2021-02-09T09:48:44+0200 lvl=dbug msg="HTTP GET
> https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" :
> \"0\",\n  \"authTime\" : 1612791725921,\n  \"sub\" : \"admin@internal\",\n 
> \"preferredUserName\" : \"admin@internal\",\n  \"email\" :
> \"root@localhost\",\n  \"name\" : \"admin\",\n  \"familyName\" :
> \"admin\",\n  \"givenName\" : \"admin\",\n  \"jti\" :
> \"5dd04d3c-7a6d-4560-a1d5-3201beb8efd5\",\n  \"exp\" : 1612793525921,\n 
> \"iat\" : 1612791725921,\n  \"iss\" :
> \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" :
> \"ovirt-grafana\"\n}"
> 
> t=2021-02-09T10:13:39+0200 lvl=dbug msg="HTTP GET
> https://FQDN/ovirt-engine/sso/openid/userinfo: 200 OK {\n  \"acr\" :
> \"0\",\n  \"authTime\" : 1612858143078,\n  \"sub\" : \"testu1@internal\",\n 
> \"preferredUserName\" : \"testu1@internal\",\n  \"email\" :
> \"testu1@localhost\",\n  \"name\" : \"John\",\n  \"familyName\" :
> \"John\",\n  \"givenName\" : \"John\",\n  \"jti\" :
> \"5a6ff251-a26c-4281-a3de-d9ce6c2e7635\",\n  \"exp\" : 1612859943078,\n 
> \"iat\" : 1612858143078,\n  \"iss\" :
> \"https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443\",\n  \"aud\" :
> \"ovirt-grafana\"\n}"
> 
> Artur, is it indeed missing? Or is there a way to configure what information
> we provide?

Just for the record because the discussion has been initiated on email thread.

- Currently, the only way is to match 'admin@internal' on grafana side to be able to tell the user is an admin.
- Under discussion: potential solutions like returning ovirt roles in user-info response [1][2] happening over email thread.

[1] https://gerrit.ovirt.org/113436
[2] https://gerrit.ovirt.org/113451
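To make concrete what comments 2 and 3 say, here is an added example (not engine or grafana code) of a role-mapping decision on the grafana side, run over the two userinfo documents pasted in comment 2 (reproduced below in trimmed form). It shows that the only claim a decision can currently be keyed on is `sub`, that keying on `email` would be the wrong choice, and what the decision becomes once a roles claim is returned. The claim name `roles`, the role value `SuperUser` and the subject allow-list are assumptions for illustration.

```python
"""Added example (not engine or Grafana code): map oVirt SSO userinfo claims
to a Grafana org role, failing closed to Viewer.

The two userinfo documents are trimmed copies of the ones pasted in comment 2.
Assumptions for illustration: a future roles claim named 'roles' holding a list
of oVirt role names, 'SuperUser' as the admin role value, and a fixed list of
admin subjects for the fallback."""
import time

ADMIN_USERINFO = {
    "acr": "0", "sub": "admin@internal", "preferredUserName": "admin@internal",
    "email": "root@localhost", "name": "admin",
    "exp": 1612793525921, "iat": 1612791725921,
    "iss": "https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443",
    "aud": "ovirt-grafana",
}
TESTU1_USERINFO = {
    "acr": "0", "sub": "testu1@internal", "preferredUserName": "testu1@internal",
    "email": "testu1@localhost", "name": "John",
    "exp": 1612859943078, "iat": 1612858143078,
    "iss": "https://didi-centos8-engine.lab.eng.tlv2.redhat.com:443",
    "aud": "ovirt-grafana",
}

EXPECTED_AUD = "ovirt-grafana"          # the client id grafana is registered as
AUTHZ_CLAIMS = ("roles", "groups")      # claims that could carry an authz signal


def authz_claims_present(userinfo):
    """Which authorization-bearing claims the engine returned (today: none)."""
    return [c for c in AUTHZ_CLAIMS if c in userinfo]


def validate_userinfo(userinfo, now_ms=None):
    """Refuse to base a decision on a document that is not for this client,
    has no stable subject, or is expired. Engine timestamps are milliseconds."""
    if userinfo.get("aud") != EXPECTED_AUD:
        raise ValueError("userinfo not issued for this client")
    if not userinfo.get("sub"):
        raise ValueError("userinfo has no subject")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if now_ms >= int(userinfo.get("exp", 0)):
        raise ValueError("userinfo expired")
    return userinfo


def map_org_role(userinfo, now_ms=None, role_claim="roles",
                 admin_values=frozenset({"SuperUser"}),
                 admin_subjects=frozenset({"admin@internal"})):
    """Return the Grafana org role for this login.

    1. If the engine returns a roles claim (assumed list of oVirt role names),
       decide on it and ignore the subject allow-list entirely.
    2. Otherwise the only usable signal is 'sub' (comment 3): match it against
       a fixed list. 'email' is not keyed on; it is a directory attribute, not
       a stable identity.
    3. Anything else is Viewer (fail closed)."""
    validate_userinfo(userinfo, now_ms)
    roles = userinfo.get(role_claim)
    if roles is not None:
        if not isinstance(roles, list):
            raise ValueError("roles claim has unexpected shape")
        return "Admin" if admin_values.intersection(roles) else "Viewer"
    if userinfo["sub"] in admin_subjects:
        return "Admin"
    return "Viewer"


if __name__ == "__main__":
    for info in (ADMIN_USERINFO, TESTU1_USERINFO):
        # Evaluate at the document's own 'iat' so the 2021 samples are not expired.
        print(info["sub"], authz_claims_present(info), map_org_role(info, now_ms=info["iat"]))
```

In grafana's generic OAuth configuration the knob this logic corresponds to is `role_attribute_path`, a JMESPath expression evaluated over the userinfo JSON (the reason grafana 6.5 is required is my reading of the page, which does not name the option). With the payload as it stands, the only expression that can distinguish the two users is one on `sub`, which is the "match 'admin@internal'" option from comment 3; once the engine returns roles, the expression moves to that claim and the hard-coded subject list goes away.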

