<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 15, 2016 at 1:04 AM, Ravi Nori <span dir="ltr"><<a href="mailto:rnori@redhat.com" target="_blank">rnori@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Also can you please try following command to directly obtain token from SSO. Can replace engine with FQDN and IP to see if both work<br><br>curl -v -k -H "Accept: application/json" 'https://<engine>:443/ovirt-<wbr>engine/sso/oauth/token?grant_<wbr>type=password&username=admin@<wbr>internal&password=123&scope=<wbr>ovirt-app-api'<br><br></div><div>You should see output similar to the one below<br><br>{"access_token":"<wbr>K0sBa0D3rLtmNTdMJ-<wbr>Q4FzOgCtGGY2cSFSCwbLkG94te9nDd<wbr>mEzHSizsFaOeNMdwOziIv3l2-<wbr>Uqm8bxWkMpwMA","scope":"ovirt-<wbr>app-api ovirt-ext=token-info:authz-<wbr>search ovirt-ext=token-info:public-<wbr>authz-search ovirt-ext=token-info:validate"<wbr>,"exp":-381399824,"token_type"<wbr>:"bearer"}<br></div></div></div></blockquote><div><br></div><div>Sorry it took me so long to get back to it, but here it is:</div><div>{"access_token":"eA8w0DaapkKAQ8tfHakzA-R0l-mjD_CsTlAqBaH4iVVjXxQN33poXzt9UhPJLxMU8YOvVNX6LICcxL1EeAiAlw","scope":"ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate","exp":["java.lang.Long",1479290132000],"token_type":"bearer"}</div><div><br></div><div>And here's the difference between the SDK and the manual curl command in ssl_access log:</div><div><div>192.168.201.1 - - [09/Nov/2016:04:52:19 -0500] "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 404 74</div><div>192.168.201.1 - - [09/Nov/2016:04:55:32 -0500] "GET /ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=123&scope=ovirt-app-api HTTP/1.1" 200 295</div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div></div><div><br></div>Thanks<span class="gmail-HOEnZb"><font color="#888888"><br><br></font></span></div><span class="gmail-HOEnZb"><font color="#888888">Ravi<br></font></span></div><div class="gmail-HOEnZb"><div class="gmail-h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 14, 2016 at 4:00 PM, Yaniv Kaul <span dir="ltr"><<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span><p dir="ltr"></p>
<p dir="ltr">On Oct 14, 2016 7:13 PM, "Ravi Nori" <<a href="mailto:rnori@redhat.com" target="_blank">rnori@redhat.com</a>> wrote:<br>
><br>
> SSO configuration looks good. <br>
><br>
> Can you please share any additional httpd configuration in /etc/httpd/conf.d. Anything to do with LocationMatch for ovirt-engine urls.</p>
</span><p dir="ltr">This is a standard ovirt-system-tests on Lago installation, nothing out of the ordinary, but I'll check. <br><span class="gmail-m_-1057230720337417930HOEnZb"><font color="#888888">
Y. </font></span></p><div class="gmail-m_-1057230720337417930HOEnZb"><div class="gmail-m_-1057230720337417930h5">
<p dir="ltr">><br>
> On Fri, Oct 14, 2016 at 12:52 PM, Yaniv Kaul <<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a>> wrote:<br>
>><br>
>><br>
>><br>
>> On Fri, Oct 14, 2016 at 3:50 PM, Ravi Nori <<a href="mailto:rnori@redhat.com" target="_blank">rnori@redhat.com</a>> wrote:<br>
>>><br>
>>> Hi Yaniv,<br>
>>><br>
>>> Can you check the output of https:://<engine>/ovirt-engine<wbr>/sso/status in your browser and see if the SSO service is active.<br>
>>><br>
>>> If SSO is deployed, you should see an output similar to the one below. Also are you able to login to webadmin using the browser? <br>
>><br>
>><br>
>> I am able to login using the webui.<br>
>> <br>
>>><br>
>>><br>
>>> {"status_description":"SSO Webapp Deployed","version":"0","statu<wbr>s":"active"}<br>
>><br>
>><br>
>> Indeed:<br>
>> {"status_description":"SSO Webapp Deployed","version":"0","statu<wbr>s":"active"}<br>
>><br>
>> (not sure what 'version 0' means?)<br>
>> <br>
>>><br>
>>><br>
>>> Please share the content of /etc/ovirt-engine/engine.conf.<wbr>d/11-setup-sso.conf<br>
>><br>
>><br>
>> [root@lago-basic-suite-master-<wbr>engine ~]# cat /etc/ovirt-engine/engine.conf.<wbr>d/11-setup-sso.conf<br>
>> ENGINE_SSO_CLIENT_ID="ovirt-en<wbr>gine-core"<br>
>> ENGINE_SSO_CLIENT_SECRET="bsOa<wbr>btD7gE2McwLe80P109UV800XLx4O"<br>
>> ENGINE_SSO_AUTH_URL="https://$<wbr>{ENGINE_FQDN}:443/ovirt-engine<wbr>/sso"<br>
>> ENGINE_SSO_SERVICE_URL="<a href="https://localhost:443/ovirt-engine/sso" target="_blank">https:<wbr>//localhost:443/ovirt-engine/s<wbr>so</a>"<br>
>> ENGINE_SSO_SERVICE_SSL_VERIFY_<wbr>HOST=false<br>
>> ENGINE_SSO_SERVICE_SSL_VERIFY_<wbr>CHAIN=true<br>
>> SSO_ALTERNATE_ENGINE_FQDNS=""<br>
>> SSO_ENGINE_URL="https://${ENGI<wbr>NE_FQDN}:443/ovirt-engine/"<br>
>><br>
>><br>
>> Thanks,<br>
>> Y.<br>
>><br>
>> <br>
>>><br>
>>><br>
>>> Thanks<br>
>>><br>
>>> Ravi<br>
>>><br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> On Fri, Oct 14, 2016 at 7:57 AM, Juan Hernández <<a href="mailto:jhernand@redhat.com" target="_blank">jhernand@redhat.com</a>> wrote:<br>
>>>><br>
>>>> On 10/14/2016 01:45 PM, Yaniv Kaul wrote:<br>
>>>> ><br>
>>>> ><br>
>>>> > On Thu, Oct 13, 2016 at 11:13 AM, Juan Hernández <<a href="mailto:jhernand@redhat.com" target="_blank">jhernand@redhat.com</a><br>
>>>> > <mailto:<a href="mailto:jhernand@redhat.com" target="_blank">jhernand@redhat.com</a>>> wrote:<br>
>>>> ><br>
>>>> > On 10/13/2016 12:04 AM, Yaniv Kaul wrote:<br>
>>>> > > On Fri, Oct 7, 2016 at 10:44 PM, Yaniv Kaul <<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a> <mailto:<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a>><br>
>>>> > > <mailto:<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a> <mailto:<a href="mailto:ykaul@redhat.com" target="_blank">ykaul@redhat.com</a>>>> wrote:<br>
>>>> > ><br>
>>>> > > I'm trying on FC24, using<br>
>>>> > ><br>
>>>> > python-ovirt-engine-sdk4-4.1.0<wbr>-0.0.20161003git056315d.fc24.x<wbr>86_64 to<br>
>>>> > > add a DC, and failing - against master. The client is unhappy:<br>
>>>> > > File<br>
>>>> > ><br>
>>>> > "/home/ykaul/ovirt-system-test<wbr>s/basic-suite-master/test-scen<wbr>arios/002_bootstrap.py",<br>
>>>> > > line 98, in add_dc4<br>
>>>> > > version=sdk4.types.Version(ma<wbr>jor=DC_VER_MAJ,minor=DC_VER_MI<wbr>N),<br>
>>>> > > File "/usr/lib64/python2.7/site-pac<wbr>kages/ovirtsdk4/services.py",<br>
>>>> > > line 4347, in add<br>
>>>> > > response = self._connection.send(request)<br>
>>>> > > File "/usr/lib64/python2.7/site-pac<wbr>kages/ovirtsdk4/__init__.py",<br>
>>>> > > line 276, in send<br>
>>>> > > return self.__send(request)<br>
>>>> > > File "/usr/lib64/python2.7/site-pac<wbr>kages/ovirtsdk4/__init__.py",<br>
>>>> > > line 298, in __send<br>
>>>> > > self._sso_token = self._get_access_token()<br>
>>>> > > File "/usr/lib64/python2.7/site-pac<wbr>kages/ovirtsdk4/__init__.py",<br>
>>>> > > line 460, in _get_access_token<br>
>>>> > > sso_response = self._get_sso_response(self._s<wbr>so_url,<br>
>>>> > post_data)<br>
>>>> > > File "/usr/lib64/python2.7/site-pac<wbr>kages/ovirtsdk4/__init__.py",<br>
>>>> > > line 498, in _get_sso_response<br>
>>>> > > return json.loads(body_buf.getvalue()<wbr>.decode('utf-8'))<br>
>>>> > > File "/usr/lib64/python2.7/json/__i<wbr>nit__.py", line 339, in loads<br>
>>>> > > return _default_decoder.decode(s)<br>
>>>> > > File "/usr/lib64/python2.7/json/dec<wbr>oder.py", line 364, in decode<br>
>>>> > > obj, end = self.raw_decode(s, idx=_w(s, 0).end())<br>
>>>> > > File "/usr/lib64/python2.7/json/dec<wbr>oder.py", line 382, in<br>
>>>> > raw_decode<br>
>>>> > > raise ValueError("No JSON object could be decoded")<br>
>>>> > > ValueError: No JSON object could be decoded<br>
>>>> > ><br>
>>>> > ><br>
>>>> > > Surprisingly, I now can't find that RPM of this SDK in<br>
>>>> > > <a href="http://resources.ovirt.org" target="_blank">resources.ovirt.org</a> <<a href="http://resources.ovirt.org" target="_blank">http://resources.ovirt.org</a>><br>
>>>> > <<a href="http://resources.ovirt.org" target="_blank">http://resources.ovirt.org</a>> now.<br>
>>>> > ><br>
>>>> > > I've tried<br>
>>>> > > with<br>
>>>> > <a href="http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94eeb5.fc24.x86_64.rpm" target="_blank">http://resources.ovirt.org/pu<wbr>b/ovirt-master-snapshot/rpm/fc<wbr>24/x86_64/python-ovirt-engine-<wbr>sdk4-4.0.0-0.1.20161004gitf94e<wbr>eb5.fc24.x86_64.rpm</a><br>
>>>> > <<a href="http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94eeb5.fc24.x86_64.rpm" target="_blank">http://resources.ovirt.org/p<wbr>ub/ovirt-master-snapshot/rpm/f<wbr>c24/x86_64/python-ovirt-engine<wbr>-sdk4-4.0.0-0.1.20161004gitf94<wbr>eeb5.fc24.x86_64.rpm</a>><br>
>>>> > ><br>
>>>> > <<a href="http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94eeb5.fc24.x86_64.rpm" target="_blank">http://resources.ovirt.org/pu<wbr>b/ovirt-master-snapshot/rpm/fc<wbr>24/x86_64/python-ovirt-engine-<wbr>sdk4-4.0.0-0.1.20161004gitf94e<wbr>eb5.fc24.x86_64.rpm</a><br>
>>>> > <<a href="http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94eeb5.fc24.x86_64.rpm" target="_blank">http://resources.ovirt.org/p<wbr>ub/ovirt-master-snapshot/rpm/f<wbr>c24/x86_64/python-ovirt-engine<wbr>-sdk4-4.0.0-0.1.20161004gitf94<wbr>eeb5.fc24.x86_64.rpm</a>>><br>
>>>> > ><br>
>>>> > > - same result.<br>
>>>> > ><br>
>>>> > > Did not see anything obvious on server or engine logs.<br>
>>>> > > The code:<br>
>>>> > > def add_dc4(api):<br>
>>>> > > nt.assert_true(api != None)<br>
>>>> > > dcs_service = api.system_service().data_cent<wbr>ers_service()<br>
>>>> > > nt.assert_true(<br>
>>>> > > dc = dcs_service.add(<br>
>>>> > > sdk4.types.DataCenter(<br>
>>>> > > name=DC_NAME4,<br>
>>>> > > description='APIv4 DC',<br>
>>>> > > local=False,<br>
>>>> > ><br>
>>>> > > version=sdk4.types.Version(ma<wbr>jor=DC_VER_MAJ,minor=DC_VER_MI<wbr>N),<br>
>>>> > > ),<br>
>>>> > > )<br>
>>>> > > )<br>
>>>> > ><br>
>>>> > ><br>
>>>> > > And the api object is from:<br>
>>>> > > return sdk4.Connection(<br>
>>>> > > url=url,<br>
>>>> > > username=constants.ENGINE_USE<wbr>R,<br>
>>>> > ><br>
>>>> > password=str(self.metadata['ov<wbr>irt-engine-password']),<br>
>>>> > > insecure=True,<br>
>>>> > > debug=True,<br>
>>>> > > )<br>
>>>> > ><br>
>>>> > ><br>
>>>> > > The clue is actually on the HTTPd logs:<br>
>>>> > > 192.168.203.1 - - [12/Oct/2016:17:56:27 -0400] "POST<br>
>>>> > > /ovirt-engine/sso/oauth/token HTTP/1.1" 404 74<br>
>>>> > ><br>
>>>> > > And indeed, from the deubg log:<br>
>>>> > > begin captured logging << --------------------\n<br>
>>>> > > root: DEBUG: Trying 192.168.203.3...\n<br>
>>>> > > root: DEBUG: Connected to 192.168.203.3 (192.168.203.3) port 443<br>
>>>> > (#0)\n<br>
>>>> > > root: DEBUG: Initializing NSS with certpath: sql:/etc/pki/nssdb\n<br>
>>>> > > root: DEBUG: skipping SSL peer certificate verification\n<br>
>>>> > > root: DEBUG: ALPN/NPN, server did not agree to a protocol\n<br>
>>>> > > root: DEBUG: SSL connection using<br>
>>>> > TLS_ECDHE_RSA_WITH_AES_128_GC<wbr>M_SHA256\n<br>
>>>> > > root: DEBUG: Server certificate:\n<br>
>>>> > > root: DEBUG: subject: CN=engine,O=Test,C=US\n<br>
>>>> > > root: DEBUG: start date: Oct 11 21:55:29 2016 GMT\n<br>
>>>> > > root: DEBUG: expire date: Sep 16 21:55:29 2021 GMT\n<br>
>>>> > > root: DEBUG: common name: engine\nroot: DEBUG: issuer:<br>
>>>> > > CN=engine.38998,O=Test,C=US\n<br>
>>>> > > *root: DEBUG: POST /ovirt-engine/sso/oauth/token HTTP/1.1\n*<br>
>>>> > > *root: DEBUG: Host: 192.168.203.3\n*<br>
>>>> > > *root: DEBUG: User-Agent: PythonSDK/4.1.0a0\n*<br>
>>>> > > *root: DEBUG: Accept: application/json\n*<br>
>>>> > > *root: DEBUG: Content-Length: 78\n*<br>
>>>> > > *root: DEBUG: Content-Type: application/x-www-form-urlenco<wbr>ded\nroot:<br>
>>>> > > DEBUG:<br>
>>>> > ><br>
>>>> > username=admin%40internal&sco<wbr>pe=ovirt-app-api&password=123&<wbr>grant_type=password\n*<br>
>>>> > > *root: DEBUG: upload completely sent off: 78 out of 78 bytes\n*<br>
>>>> > > *root: DEBUG: HTTP/1.1 404 Not Found\n*<br>
>>>> > > *root: DEBUG: Date: Wed, 12 Oct 2016 21:56:27 GMT\n*<br>
>>>> > > *root: DEBUG: Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips\n*<br>
>>>> > > *root: DEBUG: Content-Length: 74\n*<br>
>>>> > > *root: DEBUG: Content-Type: text/html; charset=UTF-8\n*<br>
>>>> > > *root: DEBUG: \n*<br>
>>>> > > *root: DEBUG: <html><head><title>Error</titl<wbr>e></head><body>404 - Not<br>
>>>> > > Found</body></html>\n*<br>
>>>> > > root: DEBUG: Connection #0 to host 192.168.203.3 left intact\n<br>
>>>> > > --------------------- >> end captured logging<br>
>>>> > ><br>
>>>> ><br>
>>>> > That definitively looks like version 3 of the engine. Either that or<br>
>>>> > version 4 of the engine with web server configuration modified so that<br>
>>>> > the SSO doesn't work as expected.<br>
>>>> ><br>
>>>> > What do you get if you run this against that server?<br>
>>>> ><br>
>>>> ><br>
>>>> > Attached.<br>
>>>> > Y.<br>
>>>> ><br>
>>>><br>
>>>> OK, that is version 4.1 of the engine, so next question is why the SSO<br>
>>>> service is not responding. Do you see any message in<br>
>>>> /var/log/ovirt-engine/server.l<wbr>og about "enginesso.war" not being<br>
>>>> deployed? Did you do any modification to the<br>
>>>> /etc/httpd/conf.d/z-ovirt-engi<wbr>ne.conf file?<br>
>>>><br>
>>>> Ravi, Martin, any idea of why the SSO service may not be working?<br>
>>>><br>
>>>> ><br>
>>>> ><br>
>>>> > curl \<br>
>>>> > --verbose \<br>
>>>> > --insecure \<br>
>>>> > --request GET \<br>
>>>> > --user "admin@internal:yourpassword" \<br>
>>>> > --header "Version: 4" \<br>
>>>> > --header "Accept: application/xml" \<br>
>>>> > "<a href="https://thatserver/ovirt-engine/api" target="_blank">https://thatserver/ovirt-eng<wbr>ine/api</a><br>
>>>> > <<a href="https://thatserver/ovirt-engine/api" target="_blank">https://thatserver/ovirt-eng<wbr>ine/api</a>>"<br>
>>>> ><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta<br>
>>>> 3ºD, 28016 Madrid, Spain<br>
>>>> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.<br>
>>><br>
>>><br>
>><br>
></p>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>