On Wed, Nov 9, 2016 at 8:05 PM, Juan Hernández <jhernand(a)redhat.com
<mailto:jhernand@redhat.com>> wrote:
On 11/09/2016 11:12 AM, Yaniv Kaul wrote:
>
>
> On Sat, Oct 15, 2016 at 1:04 AM, Ravi Nori <rnori(a)redhat.com
<mailto:rnori@redhat.com>
> <mailto:rnori@redhat.com <mailto:rnori@redhat.com>>> wrote:
>
> Also can you please try following command to directly obtain token
> from SSO. Can replace engine with FQDN and IP to see if both work
>
> curl -v -k -H "Accept: application/json"
>
'https://<engine>:443/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=123&scope=ovirt-app-api'
>
> You should see output similar to the one below
>
>
{"access_token":"K0sBa0D3rLtmNTdMJ-Q4FzOgCtGGY2cSFSCwbLkG94te9nDdmEzHSizsFaOeNMdwOziIv3l2-Uqm8bxWkMpwMA","scope":"ovirt-app-api
> ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search
>
ovirt-ext=token-info:validate","exp":-381399824,"token_type":"bearer"}
>
>
> Sorry it took me so long to get back to it, but here it is:
>
{"access_token":"eA8w0DaapkKAQ8tfHakzA-R0l-mjD_CsTlAqBaH4iVVjXxQN33poXzt9UhPJLxMU8YOvVNX6LICcxL1EeAiAlw","scope":"ovirt-app-api
> ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search
>
ovirt-ext=token-info:validate","exp":["java.lang.Long",1479290132000],"token_type":"bearer"}
>
That "java.lang.Long" there is an error, but not related to this
problem, as the SDK doesn't use the "exp" attribute. I guess it is a
side effect of the recent change to use "long" instead of "int",
looks
like the JSON library used in the engine doesn't like longs.
> And here's the difference between the SDK and the manual curl command in
> ssl_access log:
> 192.168.201.1 - - [09/Nov/2016:04:52:19 -0500] "POST
> /ovirt-engine/sso/oauth/token HTTP/1.1" 404 74
> 192.168.201.1 - - [09/Nov/2016:04:55:32 -0500] "GET
>
/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=123&scope=ovirt-app-api
> HTTP/1.1" 200 295
>
That difference is by design. The SDK uses POST to avoid sending the
credentials (specially the password) as a query parameter, as that is
most probably logged and archived.
We discovered recently an issue with the Python SDK, due to a bug in the
"pycurl" library:
Debug mode raises UnicodeDecodeError: 'utf8' codec can't decode byte
0x8d in position 7: invalid start byte
https://bugzilla.redhat.com/1392878
<
https://bugzilla.redhat.com/1392878>
It isn't exactly the same problem, but as the cause of that bug is a
pointer that is used after releasing, it can cause all kinds of strange
effects.
Please try the latest build of the SDK.
I thought I was:
python-ovirt-engine-sdk4-4.1.0-0.1.a0.20161108gitaad5627.fc24.x86_64
Yes, that build contains the fix, so we can discard it as the source of
your problem.
>
>
> Thanks
>
> Ravi
>
> On Fri, Oct 14, 2016 at 4:00 PM, Yaniv Kaul <ykaul(a)redhat.com
<mailto:ykaul@redhat.com>
> <mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>>> wrote:
>
> On Oct 14, 2016 7:13 PM, "Ravi Nori" <rnori(a)redhat.com
<mailto:rnori@redhat.com>
> <mailto:rnori@redhat.com <mailto:rnori@redhat.com>>>
wrote:
> >
> > SSO configuration looks good.
> >
> > Can you please share any additional httpd configuration in
/etc/httpd/conf.d. Anything to do with LocationMatch for ovirt-engine urls.
>
> This is a standard ovirt-system-tests on Lago installation,
> nothing out of the ordinary, but I'll check.
> Y.
>
> >
> > On Fri, Oct 14, 2016 at 12:52 PM, Yaniv Kaul <ykaul(a)redhat.com
<mailto:ykaul@redhat.com>
> <mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>>>
wrote:
> >>
> >>
> >>
> >> On Fri, Oct 14, 2016 at 3:50 PM, Ravi Nori <rnori(a)redhat.com
<mailto:rnori@redhat.com>
> <mailto:rnori@redhat.com <mailto:rnori@redhat.com>>>
wrote:
> >>>
> >>> Hi Yaniv,
> >>>
> >>> Can you check the output of
> https:://<engine>/ovirt-engine/sso/status in your browser and
> see if the SSO service is active.
> >>>
> >>> If SSO is deployed, you should see an output similar
to the
> one below. Also are you able to login to webadmin using the
> browser?
> >>
> >>
> >> I am able to login using the webui.
> >>
> >>>
> >>>
> >>> {"status_description":"SSO Webapp
>
Deployed","version":"0","status":"active"}
> >>
> >>
> >> Indeed:
> >> {"status_description":"SSO Webapp
>
Deployed","version":"0","status":"active"}
> >>
> >> (not sure what 'version 0' means?)
> >>
> >>>
> >>>
> >>> Please share the content of
> /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
> >>
> >>
> >> [root@lago-basic-suite-master-engine ~]# cat
> /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
> >> ENGINE_SSO_CLIENT_ID="ovirt-engine-core"
> >>
ENGINE_SSO_CLIENT_SECRET="bsOabtD7gE2McwLe80P109UV800XLx4O"
> >>
ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso"
> >>
>
ENGINE_SSO_SERVICE_URL="https://localhost:443/ovirt-engine/sso
<
https://localhost:443/ovirt-engine/sso>
> <
https://localhost:443/ovirt-engine/sso
<
https://localhost:443/ovirt-engine/sso>>"
> >> ENGINE_SSO_SERVICE_SSL_VERIFY_HOST=false
> >> ENGINE_SSO_SERVICE_SSL_VERIFY_CHAIN=true
> >> SSO_ALTERNATE_ENGINE_FQDNS=""
> >>
SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/"
> >>
> >>
> >> Thanks,
> >> Y.
> >>
> >>
> >>>
> >>>
> >>> Thanks
> >>>
> >>> Ravi
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Fri, Oct 14, 2016 at 7:57 AM, Juan Hernández
> <jhernand(a)redhat.com <mailto:jhernand@redhat.com>
<mailto:jhernand@redhat.com <mailto:jhernand@redhat.com>>> wrote:
> >>>>
> >>>> On 10/14/2016 01:45 PM, Yaniv Kaul wrote:
> >>>> >
> >>>> >
> >>>> > On Thu, Oct 13, 2016 at 11:13 AM, Juan Hernández
> <jhernand(a)redhat.com <mailto:jhernand@redhat.com>
<mailto:jhernand@redhat.com <mailto:jhernand@redhat.com>>
> >>>> > <mailto:jhernand@redhat.com
<mailto:jhernand@redhat.com>
> <mailto:jhernand@redhat.com
<mailto:jhernand@redhat.com>>>> wrote:
> >>>> >
> >>>> > On 10/13/2016 12:04 AM, Yaniv Kaul wrote:
> >>>> > > On Fri, Oct 7, 2016 at 10:44 PM, Yaniv
Kaul
> <ykaul(a)redhat.com <mailto:ykaul@redhat.com>
<mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>>
> <mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>
<mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>>>
> >>>> > > <mailto:ykaul@redhat.com
<mailto:ykaul@redhat.com> <mailto:ykaul@redhat.com
<mailto:ykaul@redhat.com>>
> <mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>
<mailto:ykaul@redhat.com <mailto:ykaul@redhat.com>>>>> wrote:
> >>>> > >
> >>>> > > I'm trying on FC24, using
> >>>> > >
> >>>> >
>
python-ovirt-engine-sdk4-4.1.0-0.0.20161003git056315d.fc24.x86_64 to
> >>>> > > add a DC, and failing - against
master. The
> client is unhappy:
> >>>> > > File
> >>>> > >
> >>>> >
>
"/home/ykaul/ovirt-system-tests/basic-suite-master/test-scenarios/002_bootstrap.py",
> >>>> > > line 98, in add_dc4
> >>>> > >
>
version=sdk4.types.Version(major=DC_VER_MAJ,minor=DC_VER_MIN),
> >>>> > > File
> "/usr/lib64/python2.7/site-packages/ovirtsdk4/services.py",
> >>>> > > line 4347, in add
> >>>> > > response =
self._connection.send(request)
> >>>> > > File
> "/usr/lib64/python2.7/site-packages/ovirtsdk4/__init__.py",
> >>>> > > line 276, in send
> >>>> > > return self.__send(request)
> >>>> > > File
> "/usr/lib64/python2.7/site-packages/ovirtsdk4/__init__.py",
> >>>> > > line 298, in __send
> >>>> > > self._sso_token =
self._get_access_token()
> >>>> > > File
> "/usr/lib64/python2.7/site-packages/ovirtsdk4/__init__.py",
> >>>> > > line 460, in _get_access_token
> >>>> > > sso_response =
> self._get_sso_response(self._sso_url,
> >>>> > post_data)
> >>>> > > File
> "/usr/lib64/python2.7/site-packages/ovirtsdk4/__init__.py",
> >>>> > > line 498, in _get_sso_response
> >>>> > > return
> json.loads(body_buf.getvalue().decode('utf-8'))
> >>>> > > File
"/usr/lib64/python2.7/json/__init__.py",
> line 339, in loads
> >>>> > > return
_default_decoder.decode(s)
> >>>> > > File
"/usr/lib64/python2.7/json/decoder.py",
> line 364, in decode
> >>>> > > obj, end = self.raw_decode(s,
idx=_w(s,
> 0).end())
> >>>> > > File
"/usr/lib64/python2.7/json/decoder.py",
> line 382, in
> >>>> > raw_decode
> >>>> > > raise ValueError("No JSON
object could be
> decoded")
> >>>> > > ValueError: No JSON object could be
decoded
> >>>> > >
> >>>> > >
> >>>> > > Surprisingly, I now can't find
that RPM
of this
> SDK in
> >>>> > >
resources.ovirt.org
<
http://resources.ovirt.org>
> <
http://resources.ovirt.org> <
http://resources.ovirt.org>
> >>>> > <
http://resources.ovirt.org> now.
> >>>> > >
> >>>> > > I've tried
> >>>> > > with
> >>>> >
>
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
> >>>> >
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
> >>>> > >
> >>>> >
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
> >>>> >
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
>
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
<
http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc24/x86_64/pyth...
> >>>> > >
> >>>> > > - same result.
> >>>> > >
> >>>> > > Did not see anything obvious on
server or
> engine logs.
> >>>> > > The code:
> >>>> > > def add_dc4(api):
> >>>> > > nt.assert_true(api != None)
> >>>> > > dcs_service =
> api.system_service().data_centers_service()
> >>>> > > nt.assert_true(
> >>>> > > dc = dcs_service.add(
> >>>> > > sdk4.types.DataCenter(
> >>>> > > name=DC_NAME4,
> >>>> > >
description='APIv4 DC',
> >>>> > > local=False,
> >>>> > >
> >>>> > >
>
version=sdk4.types.Version(major=DC_VER_MAJ,minor=DC_VER_MIN),
> >>>> > > ),
> >>>> > > )
> >>>> > > )
> >>>> > >
> >>>> > >
> >>>> > > And the api object is from:
> >>>> > > return sdk4.Connection(
> >>>> > > url=url,
> >>>> > >
username=constants.ENGINE_USER,
> >>>> > >
> >>>> >
password=str(self.metadata['ovirt-engine-password']),
> >>>> > > insecure=True,
> >>>> > > debug=True,
> >>>> > > )
> >>>> > >
> >>>> > >
> >>>> > > The clue is actually on the HTTPd logs:
> >>>> > > 192.168.203.1 - - [12/Oct/2016:17:56:27
-0400] "POST
> >>>> > > /ovirt-engine/sso/oauth/token
HTTP/1.1" 404 74
> >>>> > >
> >>>> > > And indeed, from the deubg log:
> >>>> > > begin captured logging <<
--------------------\n
> >>>> > > root: DEBUG: Trying 192.168.203.3...\n
> >>>> > > root: DEBUG: Connected to 192.168.203.3
> (192.168.203.3) port 443
> >>>> > (#0)\n
> >>>> > > root: DEBUG: Initializing NSS with
certpath:
> sql:/etc/pki/nssdb\n
> >>>> > > root: DEBUG: skipping SSL peer
certificate
> verification\n
> >>>> > > root: DEBUG: ALPN/NPN, server did not
agree to a
> protocol\n
> >>>> > > root: DEBUG: SSL connection using
> >>>> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n
> >>>> > > root: DEBUG: Server certificate:\n
> >>>> > > root: DEBUG: subject:
CN=engine,O=Test,C=US\n
> >>>> > > root: DEBUG: start date: Oct 11 21:55:29
2016
GMT\n
> >>>> > > root: DEBUG: expire date: Sep 16
21:55:29
2021 GMT\n
> >>>> > > root: DEBUG: common name: engine\nroot:
DEBUG: issuer:
> >>>> > > CN=engine.38998,O=Test,C=US\n
> >>>> > > *root: DEBUG: POST
/ovirt-engine/sso/oauth/token
> HTTP/1.1\n*
> >>>> > > *root: DEBUG: Host: 192.168.203.3\n*
> >>>> > > *root: DEBUG: User-Agent:
PythonSDK/4.1.0a0\n*
> >>>> > > *root: DEBUG: Accept:
application/json\n*
> >>>> > > *root: DEBUG: Content-Length: 78\n*
> >>>> > > *root: DEBUG: Content-Type:
> application/x-www-form-urlencoded\nroot:
> >>>> > > DEBUG:
> >>>> > >
> >>>> >
>
username=admin%40internal&scope=ovirt-app-api&password=123&grant_type=password\n*
> >>>> > > *root: DEBUG: upload completely sent off:
78
out of
> 78 bytes\n*
> >>>> > > *root: DEBUG: HTTP/1.1 404 Not Found\n*
> >>>> > > *root: DEBUG: Date: Wed, 12 Oct 2016
21:56:27
GMT\n*
> >>>> > > *root: DEBUG: Server: Apache/2.4.6
(CentOS)
> OpenSSL/1.0.1e-fips\n*
> >>>> > > *root: DEBUG: Content-Length: 74\n*
> >>>> > > *root: DEBUG: Content-Type: text/html;
charset=UTF-8\n*
> >>>> > > *root: DEBUG: \n*
> >>>> > > *root: DEBUG:
>
<html><head><title>Error</title></head><body>404 -
Not
> >>>> > > Found</body></html>\n*
> >>>> > > root: DEBUG: Connection #0 to host
192.168.203.3
> left intact\n
> >>>> > > --------------------- >> end
captured logging
> >>>> > >
> >>>> >
> >>>> > That definitively looks like version 3 of the
engine.
> Either that or
> >>>> > version 4 of the engine with web server
configuration
> modified so that
> >>>> > the SSO doesn't work as expected.
> >>>> >
> >>>> > What do you get if you run this against that
server?
> >>>> >
> >>>> >
> >>>> > Attached.
> >>>> > Y.
> >>>> >
> >>>>
> >>>> OK, that is version 4.1 of the engine, so next
question is
> why the SSO
> >>>> service is not responding. Do you see any message in
> >>>> /var/log/ovirt-engine/server.log about
"enginesso.war" not
> being
> >>>> deployed? Did you do any modification to the
> >>>> /etc/httpd/conf.d/z-ovirt-engine.conf file?
> >>>>
> >>>> Ravi, Martin, any idea of why the SSO service may not
be
> working?
> >>>>
> >>>> >
> >>>> >
> >>>> > curl \
> >>>> > --verbose \
> >>>> > --insecure \
> >>>> > --request GET \
> >>>> > --user
"admin@internal:yourpassword" \
> >>>> > --header "Version: 4" \
> >>>> > --header "Accept: application/xml"
\
> >>>> > "https://thatserver/ovirt-engine/api
<
https://thatserver/ovirt-engine/api>
> <
https://thatserver/ovirt-engine/api
<
https://thatserver/ovirt-engine/api>>
> >>>> > <
https://thatserver/ovirt-engine/api
<
https://thatserver/ovirt-engine/api>
> <
https://thatserver/ovirt-engine/api
<
https://thatserver/ovirt-engine/api>>>"
> >>>> >
> >>>>
> >>>>
> >>>> --
> >>>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif.
Gorbea
> 3, planta
> >>>> 3ºD, 28016 Madrid, Spain
> >>>> Inscrita en el Reg. Mercantil de Madrid – C.I.F.
B82657941
> - Red Hat S.L.
> >>>
> >>>
> >>
> >
>
>
>
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat
S.L.
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.