oVirt Engine provides a powerful way to manage users and domains using the oVirt Engine AAA extensions. oVirt Engine supports many different LDAP server types for authentication using the ovirt-engine-extension-aaa-ldap extension and supports managing internal users using the ovirt-engine-extension-aaa-jdbc extension. Clients can reuse oVirt Engine user management in their applications by using the OAuth2 or OpenID Connect endpoints provided by oVirt Engine SSO to authenticate their users.

Below are step-by-step instructions on how to integrate Kibana/Elasticsearch on top of OpenShift with oVirt Engine SSO. The instructions should work for any client application that can be configured to use an OAuth2 or OpenID Connect server to authenticate its users.

The goal is to integrate Kibana/Elasticsearch on top of OpenShift with oVirt Engine SSO, so existing engine users can access Kibana/Elasticsearch without reauthenticating (there is no need to maintain authentication configuration separately for oVirt Engine and for Kibana/Elasticsearch).

The integration requires a fully working and configured oVirt Engine instance on the oVirt Engine host and a fully working and configured instance of Kibana/Elasticsearch on top of OpenShift on the OpenShift host.

Installing Kibana/Elasticsearch and OpenShift Backend

Install Kibana/Elasticsearch/OpenShift on CentOS7 or RHEL 7.3 as described in https://www.ovirt.org/develop/release-management/features/metrics/setting-up-viaq-logging/

Installing oVirt Engine

Set up oVirt Engine on a separate host, ovirt-engine.example.com, as described in https://www.ovirt.org/download/

Setting up the oVirt Engine certificate on the OpenShift machine

Get the oVirt Engine CA as described here: https://www.ovirt.org/documentation/how-to/guest-console/connect-to-spice-console-without-portal/ (in the command below, ${OVIRT} is the engine hostname and ${CA_FILE} is the local destination path on the OpenShift host)

scp root@${OVIRT}:/etc/pki/ovirt-engine/ca.pem ${CA_FILE}

Add the certificate to the system-wide trusted certificates so the OpenShift master trusts the engine's TLS certificate: copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.

Register a New SSO Client on the ovirt-engine Host

Run the client registration tool ovirt-register-sso-client to register a new SSO client. The tool prompts for the client id, the location of the client certificate (downloaded to the oVirt Engine host) and the callback URL prefix. Make note of the client id and the client secret generated by the tool: both need to be entered in the master configuration file on the OpenShift host to configure authentication with oVirt Engine. The client registration tool is only available in oVirt Engine 4.2 and later.

Set up oauthConfig on the Kibana/Elasticsearch/OpenShift Host

On the Kibana/Elasticsearch/OpenShift host, edit /etc/origin/master/master-config.yaml to set up oauthConfig as shown below. For oVirt Engine 4.1, see the note that follows the configuration.

oauthConfig:
  assetPublicURL: https://openshift.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_openid_connect
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: <client id specified in previous step>
      clientSecret: <client secret generated in previous step>
      extraScopes:
      - ovirt-app-api
      - ovirt-ext=auth:sequence-priority=~
      extraAuthorizeParameters:
        include_granted_scopes: "true"
      claims:
        id:
        - custom_id_claim
        - sub
        preferredUsername:
        - preferred_username
        - email
        name:
        - nickname
        - given_name
        - name
        email:
        - custom_email_claim
        - email
      urls:
        authorize: https://ovirt-engine.example.com/ovirt-engine/sso/openid/authorize
        token: https://ovirt-engine.example.com/ovirt-engine/sso/openid/token
  masterCA: ca-bundle.crt
  masterPublicURL: https://openshift.example.com:8443
  masterURL: https://openshift.example.com:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500

In oVirt Engine 4.1 there are no openid endpoints, so the authorize and token URLs point to the oauth endpoints instead:

      urls:
        authorize: https://ovirt-engine.example.com/ovirt-engine/sso/oauth/authorize
        token: https://ovirt-engine.example.com/ovirt-engine/sso/oauth/token
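The following is an added example, not part of the original instructions or of OpenShift's or oVirt's code. It shows how the oauthConfig values above (clientID, clientSecret, extraScopes, extraAuthorizeParameters and the two URLs) map onto the authorization-code exchange the OpenShift master performs against oVirt Engine SSO, including the state check a client must do on the callback. The client id, secret and callback path are constructed placeholders; the callback path /oauth2callback/<identity provider name> is an assumption about OpenShift's redirect URI.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints and scopes come from the oauthConfig above (4.2 openid URLs).
# Client id, secret and callback path are constructed placeholders; the
# callback is assumed at /oauth2callback/<identity provider name>.
CLIENT_ID = "kibana-openshift"                           # placeholder
CLIENT_SECRET = "secret-from-ovirt-register-sso-client"  # placeholder
AUTHORIZE_URL = "https://ovirt-engine.example.com/ovirt-engine/sso/openid/authorize"
TOKEN_URL = "https://ovirt-engine.example.com/ovirt-engine/sso/openid/token"
REDIRECT_URI = "https://openshift.example.com:8443/oauth2callback/my_openid_connect"
EXTRA_SCOPES = ["ovirt-app-api", "ovirt-ext=auth:sequence-priority=~"]

def build_authorize_url(state):
    """Front-channel request the user's browser is redirected to. 'openid' is
    always requested; extraScopes and extraAuthorizeParameters are appended."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(["openid"] + EXTRA_SCOPES),
        "state": state,                     # per-login random value, e.g. secrets.token_urlsafe(16)
        "include_granted_scopes": "true",   # extraAuthorizeParameters
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(callback_url, expected_state):
    """Validate the redirect back from oVirt SSO before trusting the code:
    the state must equal the one issued for this browser session (CSRF check)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting callback")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def build_token_request(code):
    """Back-channel POST body for the token endpoint. The client secret is
    sent here, master to engine, and never appears in a browser URL."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_URL, urlencode(body)
```

For oVirt Engine 4.1, only AUTHORIZE_URL and TOKEN_URL change, to the oauth endpoints shown in the note above.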

Restart oVirt Engine

systemctl restart ovirt-engine

Restart origin-master and origin-node on the OpenShift Host

systemctl restart origin-master
systemctl restart origin-node

Configure hostnames

Make sure the hosts are reachable by their hostnames. If required, add host aliases in /etc/hosts, for example:

10.16.19.48 openshift.example.com kibana.example.com mux.example.com

10.10.116.110 ovirt-engine.example.com

Grant Permissions

The user must be granted permissions manually in OpenShift, using the console UI or the command line, before they can view data in Kibana. Accessing https://kibana.example.com should then redirect to the engine login page; after the user enters their credentials, the login redirects them back to Kibana.