Description of problem:
Grafana is currently being installed with a new admin user, that user has its own password that is being set during engine-setup. You cannot sign in with sso from admin@internal. This is because the admin@internal has root@localhost as mail address and grafana admin has admin@localhost as mail address. If you change the mail in grafana for admin to root@localhost sso works, but it changes the grafana username automatically to root@localhost. I would prefer to have a single admin with sso than two separated admin users.
Version-Release number of selected component (if applicable): 4.4.8
How reproducible:
Steps to Reproduce:
1. log in to grafana via sso using admin@internal user
Actual results: no login possible
Expected results: login as grafana admin
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
Hi, sorry for the late response, this bug is not assigned so we missed it. If you use the same password for the engine, and Grafana during engine-setup you should be able to login to both via sso.
You can also see similar bug: 2002064
Thanks
(In reply to Aviv Litman from comment #2)
> Hi, sorry for the late response, this bug is not assigned so we missed it.
> If you use the same password for the engine, and Grafana during engine-setup
> you should be able to login to both via sso.
Hi, I don't think that's how it's currently handled in ovirt/rhv+grafana. I have two distinct users who get created by engine-setup, one is the rhv/ovirt admin@internal, one is the grafana admin user. They are not linked. The attribute that is currently used to link the accounts rhv/ovirt <> grafana is the e-mail address (at least it seems to be in my environments). That is why you need to change the mail of the default admin user to "root@localhost" within grafana to be able to sso with the default "admin@internal" from rhv/ovirt. This will also change the grafana username to the mail (root@localhost). The current grafana admin user has a default of "admin@localhost" for the mail. I don't think that's currently being set by engine-setup (I found no mention of it in https://github.com/oVirt/ovirt-dwh ) so I am guessing this is a grafana default that we'd need to overwrite?
>
> You can also see similar bug: 2002064
This bug is about changing the default e-mail address of the grafana admin user to the same as the default admin@internal user of rhv/ovirt to enable sso (or other way around). We could also change the way accounts are mapped to use different identifying attribute. But I am guessing changing the default mail is the easiest way :)
>
> Thanks
Not sure what the exact request in this bug is, but if it's "I want grafana admin SSO login to work out-of-the-box, right after engine-setup", then we decided to give up on this. See also bug 1846256, bug 1835163. Latter was closed after an internal discussion because it's not as simple as hoped, and there was not enough interest - it seems most users that do use SSO, do not mind having to manually create/invite the users first. So I tend to CLOSE NOTABUG (or perhaps DUPLICATE of bug 1835163).
If it's something else, please clarify. If it's indeed that you want to reopen bug 1835163, you are welcome to continue the discussion there.
Main reason (at the time, ~ 1 year ago) that it was closed, is that it seemed like there is no industry-standard for OAUTH about how to expose, if at all, users' groups/rights/etc., and even if there was, it's not completely clear we should _by_default_ let engine admins also be grafana admins, engine users (non-admins) be grafana users (Editors? Viewers? not admins), etc. It's much safer to not do anything and let the user handle this manually. Since this is a one-time operation per grafana user, it's not that much work. It might be possible to automate this, if needed, using grafana-cli or its API - I didn't try, no idea.
I only want to change the e-mail of the grafana admin to default to "root@localhost", that's all I want. This will enable the rhv admin@internal user to sso login to grafana should they choose to use sso. But this has a flipside, the username of the grafana admin user is automatically changed to root@localhost if someone uses the sso to login. I do not want to do either of the things that are in 1846256 or 1835163 :)
Current defaults RHV/ovirt:
  Username: admin@internal
  E-Mail: root@localhost
Current grafana defaults:
  Username: admin
  E-Mail: admin@localhost
(I don't think this is set anywhere, at least I did not find it, so I am guessing this is a grafana default, not happening during rhv/ovirt setup, also I don't think admin@localhost is a good idea because that user may exist and not be a privileged user)
What I think the solution could/should be:
Default RHV/ovirt admin@internal: unchanged
Default grafana admin:
  Username: root@localhost
  E-Mail: root@localhost
Greetings Klaas
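The account mapping discussed in the comments above, modelled as an added example (not code from oVirt, Grafana, or any commenter). It assumes, as the reporter observed, that an SSO login is linked to a Grafana account by e-mail address only; the record layout, function names and the `ops@internal` user are hypothetical.

```python
# Added example: models e-mail-only SSO account linking as described in the
# thread. Record layouts and function names are hypothetical; the sample
# data is constructed from the defaults quoted in the comments.

def norm(email):
    """Conservative comparison: ignore case and stray whitespace."""
    return email.strip().lower()

def link_by_email(sso_user, grafana_users):
    """Return the Grafana account an SSO login would land on, or None."""
    for g in grafana_users:
        if norm(g["email"]) == norm(sso_user["email"]):
            return g
    return None

def audit(sso_users, grafana_users):
    """Flag engine admins with no linked account, and privileged Grafana
    accounts that a non-admin engine user would be linked to."""
    findings = []
    for s in sso_users:
        g = link_by_email(s, grafana_users)
        if g is None and s["engine_admin"]:
            findings.append(("no_link", s["login"], None))
        elif g is not None and g["is_admin"] and not s["engine_admin"]:
            findings.append(("privilege_mismatch", s["login"], g["login"]))
    return findings

# Constructed data: the defaults from the thread plus one hypothetical
# unprivileged engine user whose mail equals the Grafana admin default.
SSO_USERS = [
    {"login": "admin@internal", "email": "root@localhost", "engine_admin": True},
    {"login": "ops@internal", "email": "Admin@localhost", "engine_admin": False},
]
GRAFANA_DEFAULT = [{"login": "admin", "email": "admin@localhost", "is_admin": True}]
GRAFANA_PROPOSED = [{"login": "root@localhost", "email": "root@localhost", "is_admin": True}]

if __name__ == "__main__":
    for label, users in (("default", GRAFANA_DEFAULT), ("proposed", GRAFANA_PROPOSED)):
        print(label, audit(SSO_USERS, users))
```

With the current defaults the audit reports both conditions raised in the thread; with the proposed defaults it reports none.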
OK, I think I understand.
Do you expect this to happen only for oVirt setups? Or for all grafana setups? If latter, perhaps better file an issue there. I think this makes more sense.
If only for oVirt (for now), that's current bug. Moving back to NEW and setting prio/sev.
Patches are welcome! I don't know grafana well enough to say, but it might be a trivial patch. If so, perhaps add Keyword EasyFix.
If you manage to do this manually using some API or whatever, but would rather not interfere with oVirt's code, please supply exact details of what needs to run where and I can push a patch wrapping this, if you can then verify it.
Thanks!
didn't finish in time for 4.5 GA, untargeting for another review
This bug is automatically resolved with internal Keycloak integration being enabled. More information at: https://bugzilla.redhat.com/2021497