Description of problem:
With keycloak-integration enabled, engine-setup asks:
[1] Engine admin password:
Then it asks:
[2] Use Engine admin password as initial keycloak admin [admin] and [admin@ovirt] administration panel user password (Yes, No) [Yes]:
If the answer is 'No', it then asks:
[3] Keycloak [admin] and [admin@ovirt] password:

The actual result is that the following are created:
1. An "internal" engine user "admin", showing in the UI having "internal-authz" as "Authorization provider:", but not clear how it might be used, probably with the password from [1] above
2. Keycloak, with the 'admin' user for administering it having the password from [3]
3. Inside keycloak, a user 'admin@ovirt' for administering oVirt, also having the password from [3].

Eventually, engine-setup outputs:
To login to oVirt using Keycloak SSO, enter 'admin@ovirt' as username and the password provided during Setup
To login to Keycloak Administration Console enter 'admin' as username and the password provided during Setup

This is "coherent" internally - i.e. the prompts/texts match the actual behavior - but IMO misleading and confusing. It would make more sense to me, personally, if:
- admin@ovirt (3.) would have the password from [1]
- keycloak admin (2.) would remain as is with [3]
- It would be clarified somewhere how the 'internal-authz' admin (aka 'admin@internal'?) might be used, if at all

When deciding/fixing, we should probably also handle grafana and ovn, perhaps other stuff.

Version-Release number of selected component (if applicable):
Current master, I think since 4.5.1

How reproducible:
Always

Steps to Reproduce:
1. See above
Actual results:
admin@internal, with its password, is unusable; keycloak admin and admin@ovirt have the same password.

Expected results:
keycloak admin and admin@ovirt have different passwords; admin@internal is usable, or we clarify somewhere that it's not.

Additional info:
https://github.com/oVirt/ovirt-engine-keycloak/pull/55 is currently a partial fix. If we want it, we need to at least clarify some texts.
Patch merged, moving to MODIFIED.

QE: For reproduction/verification:
1. Run engine-setup
2. Supply some password in 'Engine admin password:'
3. Reply 'No' to 'Use Engine admin password as initial keycloak admin'
4. Supply a different password in 'Keycloak [admin].*password'
5. Finish and see that you can log in to both the engine admin and keycloak admin with the expected users/passwords.

Please note that the prompt texts also changed.

I do not do anything right now about the 'admin@internal' user. It can't be used after keycloak integration is enabled. I do not think this is specifically documented anywhere, but we do document that when attaching to a directory server, it can be disabled - and 'keycloak integration' actually is 'attaching to a directory server', despite being on the same machine:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/chap-users_and_roles#Introduction_to_Directory_Servers
https://www.ovirt.org/documentation/administration_guide/index.html#Introduction_to_Directory_Servers
This bug has low overall severity and passed an automated regression suite, and is not going to be further verified by QE. If you believe special care is required, feel free to re-open to ON_QA status.