Description of problem:
We currently allow all authenticated engine users to login to grafana via SSO, potentially letting them see information they are not supposed to see. A proper fix for this is probably part of bug 1835163, but we need something before it's fixed. For now, I am going to disable automatic creation of a grafana user with SSO. This means that the admin will have to create/invite new users manually, and SSO will only work after they are manually created. SSO identification is done on the email address of the user in the engine (this is already true, but required less attention if users are created automatically).

Version-Release number of selected component (if applicable):
Current master

How reproducible:
Always

Steps to Reproduce:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Actual results:
Works

Expected results:
Fails

Additional info:
If we indeed fix as described, letting access to such a user requires:
1. Set an email address for the user in the engine, if it does not already have one
2. Login to grafana with an existing admin (the initial admin, at first)
3. Go to: Configuration -> Users, Invite
4. Input the email address and name, select role
5. Send the invitation - either let grafana do this with "Send invite mail",
6. Or: Press "Pending Invites", locate the one you want, and press "Copy invite"
7. Then Copy (press Ctrl-C) and use this link to create the account (by using it yourself or sending to the user).
8. After the account is created, and if indeed there is an engine-side user with the same email address, SSO will work for this user.
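Added example (not part of the bug report and not oVirt's own setup files): the Grafana generic OAuth configuration that the change described in comment 0 corresponds to, with the pre-fix and post-fix value of the sign-up setting side by side. The section and key names are Grafana's own generic OAuth options; the client id, scopes and URLs are placeholders and are not the values engine-setup writes.

```ini
; Added illustration of the behaviour discussed in comment 0.
; Section/key names are Grafana's [auth.generic_oauth] options.
; client_id, client_secret, scopes and the URLs below are PLACEHOLDERS,
; not what oVirt's engine-setup actually configures.

[auth.generic_oauth]
enabled = true
name = oVirt Engine Auth
client_id = ovirt-grafana                       ; placeholder
client_secret = $__env{GRAFANA_OAUTH_SECRET}    ; placeholder, read from env
scopes = openid email profile                   ; placeholder
auth_url = https://engine.example.com/ovirt-engine/sso/oauth/authorize   ; placeholder
token_url = https://engine.example.com/ovirt-engine/sso/oauth/token       ; placeholder
api_url = https://engine.example.com/ovirt-engine/sso/oauth/token-info    ; placeholder

; Behaviour this bug reports: every engine user who completes SSO gets a
; Grafana account created on first login, so any authenticated engine
; user can read the dashboards.
;allow_sign_up = true

; Behaviour after the fix: Grafana refuses to create accounts through SSO.
; Login succeeds only for an account an admin already created or invited
; (comment 0, "Additional info"), matched on the email the engine returns.
; An engine user without an email address, or with an email that matches
; no Grafana account, cannot log in via SSO.
allow_sign_up = false
email_attribute_path = email
```

Check after changing the setting: restart Grafana, log in with a non-admin engine user that has no Grafana account, and confirm the SSO login is rejected while an invited user with a matching email still gets in.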
Verified in
ovirt-engine-4.4.1.8-0.7.el8ev.noarch
ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch

Verified with reproducer from comment 0:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Result: HTTP 500 error page (see separate bug 1856097). Login with an admin user works well.

I move this bug to VERIFIED as the functionality no longer allows a non-admin or uninvited user to access Grafana. The error page is tracked separately in bug 1856097.
Eli - I rewrote the doc text to clarify the current status (with the current bug fixed). Feel free to amend as needed, and in particular to include more detailed steps for how to create/invite users (you can base them on comment 0), or open a doc bug to add this to the main docs.

When I initially wrote comment 0, it described a bug - a current bad behavior (allow all users to login). Now, this behavior is fixed, but at the expense of degraded functionality (impossible to auto-create users). I am writing this to clarify that in your text, "allows" actually refers to the situation before the fix (which, for RHV, does not exist, because we never released RHV with the current bug unfixed), and "Workaround" is not a workaround but simply the behavior.

So if you want to keep your own text with as few changes as possible, it can be e.g.:

The Grafana dashboard allowed any authenticated oVirt engine user to log in using Single Sign-On (SSO). With this version, automatic creation of Grafana SSO users has been disabled. A Grafana Admin user must create or invite a new user manually.

But as I said, this does not apply to RHV, because it was never released with the current bug unfixed.
Didi, please add to the doc text that when DWH is installed on a separate machine, an smtp server must be installed/configured to send the emails.
(In reply to Lucie Leistnerova from comment #4)
> Didi, please add to the doc text that when DWH is installed on separate
> machine, smtp server must be installed/configured to send the emails.

Why is it specific to a separate machine? I think you refer to the emails with invitation links, right? I think this applies always, currently. I personally didn't let it send emails but copy/pasted, see step 6 of the "Additional info" in comment 0.

Eli - can you please add this "Additional info" text to the main docs, or perhaps just to the doc text here? Thanks. Then, also add there something like: For using "Send invite mail", you first have to configure postfix to allow sending outgoing email.
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
Published to https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/administration_guide/index#configuring_grafana