57266 2025-12-17 17:55:33 +0300 Не работает интеграция с OpenID 2025-12-17 18:04:25 +0300 1 1 1 Unclassified Branch p10 pve-access-control не указана x86_64 Linux NEW P5 normal --- 1 alimektor shaba darisishe qa-p10 oldest_to_newest 279202 0 alimektor 2025-12-17 17:55:33 +0300 Версия - pve-access-control-7.4.3-alt4 Шаги воспроизведения Настроить OpenID. Для демонстрации я настроил Keycloak на том же узле, что и PVE: # apt-get install -y postgresql-server jq keycloak && \ /etc/init.d/postgresql initdb && \ systemctl enable --now postgresql && sleep 5 && \ psql -U postgres -c "CREATE USER keycloak WITH PASSWORD '12345678';" && \ psql -U postgres -c "CREATE DATABASE keycloak OWNER keycloak;" && \ psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" && \ systemctl stop ahttpd # cp /etc/keycloak/keycloak.conf /etc/keycloak/keycloak.conf-orig && sed -i -e "s|#db=postgres|db=postgres|g" \ -e "s|#db-username=keycloak|db-username=keycloak|g" \ -e "s|#db-password=password|db-password=12345678|g" \ -e "s|#db-url=jdbc:postgresql://localhost/keycloak|db-url=jdbc:postgresql://localhost/keycloak|g" \ -e "s|#health-enabled=true|health-enabled=true|g" \ -e "s|#metrics-enabled=true|metrics-enabled=true|g" \ -e "s|#hostname=myhostname|hostname=$(hostname)|g" \ /etc/keycloak/keycloak.conf && \ diff -u --color /etc/keycloak/keycloak.conf-orig /etc/keycloak/keycloak.conf # cert-sh generate "keycloak" && l /var/lib/ssl/certs/keycloak.pem ## Дождаться "Installed features:..." kc.sh start ## Ввести `admin` # kc.sh bootstrap-admin user --username admin # systemctl enable --now keycloak.service && sleep 5; systemctl status keycloak.service -l --no-pager # JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::") # cp /var/lib/ssl/certs/keycloak.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust # cp /etc/pve/pve-root-ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust # keytool -importcert -alias keycloak -file /var/lib/ssl/certs/keycloak.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt # /usr/lib/keycloak/bin/kcadm.sh config credentials --server https://$(hostname):8443 --realm master --user admin --password admin # /usr/lib/keycloak/bin/kcadm.sh create realms -s realm=pve-realm -s enabled=true # /usr/lib/keycloak/bin/kcadm.sh create clients -r pve-realm -s clientId=pve-web-app -s enabled=true -s publicClient=false -s protocol=openid-connect -s "redirectUris=[\"https://$(hostname):8006*\"]" -s "webOrigins=[\"*\"]" -s standardFlowEnabled=true -s directAccessGrantsEnabled=true # CLIENT_ID=$(/usr/lib/keycloak/bin/kcadm.sh get clients -r pve-realm --fields id,clientId | jq -r '.[] | select(.clientId=="pve-web-app") | .id') # SECRET=$(/usr/lib/keycloak/bin/kcadm.sh get clients/$CLIENT_ID/client-secret -r pve-realm | jq .value | xargs) # /usr/lib/keycloak/bin/kcadm.sh create users -r pve-realm -s username=testopenid -s firstName=Test -s lastName=OpenID -s email=testopenid@awesome.org -s enabled=true # USER_ID=$(/usr/lib/keycloak/bin/kcadm.sh get users -r pve-realm --fields id,username | jq -r '.[] | select(.username=="testopenid") | .id') # /usr/lib/keycloak/bin/kcadm.sh set-password -r pve-realm --userid $USER_ID --new-password testpass123 # /usr/lib/keycloak/bin/kcadm.sh update realms/pve-realm -s sslRequired=NONE # curl -sk -X POST "https://$(hostname):8443/realms/pve-realm/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=pve-web-app' -d "client_secret=${SECRET}" -d 'username=testopenid' -d 'password=testpass123' -d 'grant_type=password' | jq # echo "Issuer: https://$(hostname):8443/realms/pve-realm" && \ # echo "Client ID: pve-web-app" && \ # echo "Client Secret Key: $SECRET" # pveum realm add keycloak--type openid --issuer-url https://$(hostname):8443/realms/pve-realm --client-id pve-web-app --client-secret $SECRET Выполнить вход через keycloak или запрос на PVE: # pvesh create /access/openid/auth-url -realm keycloak -redirect-url https://$(hostname):8006 Ожидаемый результат: успешный вход через Keycloak, получена строка авторизации для Keycloak через pvesh Фактический результат: 500 ошибка в веб-интерфейсе, pvesh: Failed to parse server response В P11 не воспроизводится.