oVirt Engine provides a powerful way to manage users and domains using the oVirt Engine AAA extensions: it supports many different LDAP server types for authentication through the ovirt-engine-extension-aaa-ldap extension, and manages internal users through the ovirt-engine-extension-aaa-jdbc extension. Client applications can reuse this user management by authenticating their users against the OAuth2 or OpenID Connect endpoints provided by oVirt Engine SSO.
Below are step-by-step instructions for integrating Kibana/Elasticsearch on top of OpenShift with oVirt Engine SSO. The instructions should work for any client application that can be configured to authenticate its users against an OAuth2 or OpenID Connect server.
The goal is to integrate Kibana/Elasticsearch on top of OpenShift with oVirt Engine SSO, so existing engine users can access Kibana/Elasticsearch without reauthentication (we don’t need to maintain authentication configuration separately for oVirt Engine and Kibana/Elasticsearch).
The integration requires a fully working and configured oVirt Engine instance on the oVirt Engine host and a fully working and configured instance of Kibana/Elasticsearch on top of OpenShift on the OpenShift host.
Installing Kibana/Elasticsearch and OpenShift Backend
Install Kibana/Elasticsearch/OpenShift on CentOS7 or RHEL 7.3 as described in https://www.ovirt.org/develop/release-management/features/metrics/setting-up-viaq-logging/
Installing oVirt Engine
Set up oVirt Engine on a separate host ovirt-engine.example.com as described in https://www.ovirt.org/download/
Setting up oVirt Engine certificate on OpenShift machine
Get the oVirt Engine CA as described at https://www.ovirt.org/documentation/how-to/guest-console/connect-to-spice-console-without-portal/ (OVIRT is the engine hostname and CA_FILE the local path the certificate is saved to):
scp root@${OVIRT}:/etc/pki/ovirt-engine/ca.pem ${CA_FILE}
Add the certificate to the system-wide trusted certificates: copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
Register a New SSO Client on the ovirt-engine Host
Run the client registration tool ovirt-register-sso-client to register a new SSO client. The tool prompts for the client id, the location of the client certificate (downloaded to the oVirt Engine host) and the callback URL prefix. Make a note of the client id and client secret generated by the tool: both must be entered in the master configuration file on the OpenShift host to configure authentication with oVirt Engine. The client registration tool is only available in oVirt Engine 4.2 and later.
Set up oauthConfig on the Kibana/Elasticsearch/OpenShift Host
On the Kibana/Elasticsearch/OpenShift host, edit /etc/origin/master/master-config.yaml to set up oauthConfig as shown below. For oVirt Engine 4.1, see the note after the configuration.
oauthConfig:
  assetPublicURL: https://openshift.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_openid_connect
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: <client id specified in previous step>
      clientSecret: <client secret generated in previous step>
      extraScopes:
      - ovirt-app-api
      - ovirt-ext=auth:sequence-priority=~
      extraAuthorizeParameters:
        include_granted_scopes: "true"
      claims:
        id:
        - custom_id_claim
        - sub
        preferredUsername:
        - preferred_username
        - email
        name:
        - nickname
        - given_name
        - name
        email:
        - custom_email_claim
        - email
      urls:
        authorize: https://ovirt-engine.example.com/ovirt-engine/sso/openid/authorize
        token: https://ovirt-engine.example.com/ovirt-engine/sso/openid/token
  masterCA: ca-bundle.crt
  masterPublicURL: https://openshift.example.com:8443
  masterURL: https://openshift.example.com:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
In oVirt Engine 4.1 the authorize and token endpoints point to the OAuth endpoints instead:
      urls:
        authorize: https://ovirt-engine.example.com/ovirt-engine/sso/oauth/authorize
        token: https://ovirt-engine.example.com/ovirt-engine/sso/oauth/token
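The checks a practitioner would run against the oauthConfig section before restarting origin-master, as an added example that is not part of the oVirt or OpenShift documentation: it flags a client id or secret left as a placeholder, endpoints that do not match the engine version (openid for 4.2 and later, oauth for 4.1), non-HTTPS endpoint URLs, a missing masterCA, and a missing session secrets file, and it derives the callback URL prefix to register with ovirt-register-sso-client. It uses simple line lookups rather than a YAML parser (feed it the oauthConfig section, not the whole file), the sample configuration and client secret are constructed, and the /oauth2callback/<identity provider name> path is an assumption about where OpenShift 3.x sends the redirect; confirm it against your OpenShift version before registering the client.

```python
"""Lint the oauthConfig section of an OpenShift master-config.yaml.

Added example for this guide, not oVirt or OpenShift project code.  It uses
first-match line lookups, not a YAML parser, so pass it the oauthConfig
section only.
"""
import re

# Constructed sample mirroring the guide's configuration; the secret is fake.
SAMPLE_CONFIG = """\
oauthConfig:
  assetPublicURL: https://openshift.example.com:8443/console/
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_openid_connect
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: kibana-client
      clientSecret: s3cr3t-constructed-value
      claims:
        id:
        - custom_id_claim
        - sub
      urls:
        authorize: https://ovirt-engine.example.com/ovirt-engine/sso/openid/authorize
        token: https://ovirt-engine.example.com/ovirt-engine/sso/openid/token
  masterCA: ca-bundle.crt
  masterPublicURL: https://openshift.example.com:8443
  sessionConfig:
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
"""


def scalar(text, key):
    """Value of the first `key: value` line in text, or None if absent.
    [ \\t] is used instead of \\s so the match never crosses a line break."""
    pattern = r'^[ \t]*' + re.escape(key) + r':[ \t]*(\S.*?)[ \t]*$'
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def expected_callback_url(text):
    """Callback URL prefix to give ovirt-register-sso-client.
    Assumption: OpenShift 3.x OIDC callbacks land under
    <masterPublicURL>/oauth2callback/<identity provider name>."""
    master = scalar(text, 'masterPublicURL')
    name = scalar(text, 'name')
    if not master or not name:
        return None
    return master.rstrip('/') + '/oauth2callback/' + name


def check_oauth_config(text, engine_version):
    """Return a list of problems; an empty list means the section is consistent.
    engine_version is a string such as '4.1' or '4.2'."""
    problems = []
    if scalar(text, 'kind') != 'OpenIDIdentityProvider':
        problems.append('provider kind must be OpenIDIdentityProvider')
    for key in ('clientID', 'clientSecret'):
        value = scalar(text, key)
        if not value or value.startswith('<'):
            problems.append(f'{key} is missing or still a placeholder')
    # Engine 4.1 only offers the oauth endpoints; 4.2 and later use openid.
    wanted = '/sso/oauth/' if engine_version == '4.1' else '/sso/openid/'
    for key in ('authorize', 'token'):
        url = scalar(text, key) or ''
        if not url.startswith('https://'):
            problems.append(f'{key} URL must use https')
        if wanted not in url:
            problems.append(f'{key} URL should contain {wanted} for engine {engine_version}')
    # Keep the standard sub claim as a fallback identity claim.
    if not re.search(r'^[ \t]*-[ \t]*sub[ \t]*$', text, re.M):
        problems.append('claims.id should include the standard sub claim')
    if not scalar(text, 'masterCA'):
        problems.append('masterCA is not set; the engine CA must be trusted')
    if not scalar(text, 'sessionSecretsFile'):
        problems.append('sessionConfig.sessionSecretsFile is not set')
    return problems


if __name__ == '__main__':
    for problem in check_oauth_config(SAMPLE_CONFIG, '4.2'):
        print('PROBLEM:', problem)
    print('callback prefix to register:', expected_callback_url(SAMPLE_CONFIG))
```

Run it against a copy of the section with the real values filled in; a placeholder left in clientSecret, as in a config copied straight from this page, is reported before the master is restarted, and the printed callback prefix is what the registration tool asks for.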
Restart oVirt Engine
systemctl restart ovirt-engine
Restart origin-master and origin-node on OpenShift Host
systemctl restart origin-master
systemctl restart origin-node
Configure hostnames
Make sure the hosts are reachable by their hostnames; if required, add host aliases in /etc/hosts:
10.16.19.48 openshift.example.com kibana.example.com mux.example.com
10.10.116.110 ovirt-engine.example.com
Grant Permissions
The user must be granted permissions manually in OpenShift, using the console UI or the command line, before they can view the data in Kibana. Accessing https://kibana.example.com should redirect to the engine login page; after the credentials are entered, the login redirects the user back to Kibana.