From: "Paul Robert Marino" <prmarino1(a)gmail.com>
To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
Sent: Wednesday, August 13, 2014 11:47:40 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok, so before I open a bug ticket I want to confirm I'm not doing anything wrong here.
I upgraded to 3.4.
Now it says "Active: false" on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group.
It shows up as "<domain name>/Groups/sysadmin".
I added the permissions by clicking on the Configure link at the top of the screen and set them in the "System Permissions" tab.
Sounds good so far.
I assume you also see the permissions in the Permissions sub tab when you click the group.
I added a user (pmarino) to the system, which in the "Directory Group" tab shows "sysadmin groups <domain name>" among others.
However, the Permissions tab only shows the permissions inherited from "Everyone"; it does not show any permissions inherited from the sysadmin group.
Just to prove it didn't work, I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in.
I logged back in as the internal admin user, then added the SuperUser permissions directly to the pmarino account and logged out again.
Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It will be awesome if you can provide the following SQL queries results -
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform - select id, name from ad_groups;
Thanks for your help.
P.S - As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log
"
2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>> To: "Itamar Heim" <iheim(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Monday, August 11, 2014 8:13:53 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> I have checked the codebase of 3.3 -
>> the "active" field is used for presentation purpose only.
>
> Presentation wise only - means that it is not used for our permissions
> calculation , for example.
>
>> Alon has addressed our plans for this in his previous comments.
>> I hope this clarifies more..
>>
>> Yair
>>
>>
>> ----- Original Message -----
>> > From: "Itamar Heim" <iheim(a)redhat.com>
>> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Paul Robert Marino" <prmarino1(a)gmail.com>
>> > Cc: users(a)ovirt.org
>> > Sent: Sunday, August 10, 2014 11:54:05 PM
>> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >
>> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>> > >
>> > >
>> > > ----- Original Message -----
>> > >> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
>> > >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > >> Cc: "Maurice James" <mjames(a)media-node.com>, users(a)ovirt.org
>> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
>> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> > >>
>> > >> Sorry for my delayed response to this
>> > >>
>> > >> I am using ovirt 3.3.
>> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
>> > >> Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA.
>> > >> So I chose to set it as RHDS because it's an identical match.
>> > >>
>> > >> User authentication works just fine; my problem is adding roles to groups.
>> > >> I can assign a role to a group but the group always shows an inactive status; however, if I assign a role directly to a user it works fine.
>> > >> In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of.
>> > >>
>> > >> Finally, I can't see any error in the logs when adding a role to a group.
>> > >>
>> > >
>> > > Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
>> > >
>> > > It will be best if you want to test this scenario in the 3.5 release candidate and the new ldap provider, so we can address the issue before the 3.5 release if it exists.
>> > >
>> >
>> > could also be one of these fixed in 3.4:
>> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
>> > does not inherit the group permissions
>> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
>> > a group indirectly, it does not inherit the group permissions
>> >
>> > >>
>> > >>
>> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> > >>>
>> > >>>
>> > >>> ----- Original Message -----
>> > >>>> From: "Maurice James" <mjames(a)media-node.com>
>> > >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > >>>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
>> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> > >>>>
>> > >>>> Does this still require the use of kerberos? Will 389-ds work on its own?
>> > >>>
>> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
>> > >>>
>> > >>> It will be great to receive feedback[2].
>> > >>>
>> > >>> 389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
>> > >>>
>> > >>> Regards,
>> > >>> Alon
>> > >>>
>> > >>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
>> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>> > >>>
>> > >>>>
>> > >>>> ----- Original Message -----
>> > >>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > >>>> To: "Itamar Heim" <iheim(a)redhat.com>
>> > >>>> Cc: users(a)ovirt.org
>> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
>> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> ----- Original Message -----
>> > >>>>> From: "Itamar Heim" <iheim(a)redhat.com>
>> > >>>>> To: "Paul Robert Marino" <prmarino1(a)gmail.com>, users(a)ovirt.org
>> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
>> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> > >>>>>
>> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>> > >>>>>> I have ovirt engine running and connected to a 389 server with the memberof plugin enabled and working properly.
>> > >>>>>>
>> > >>>>>> I can add users and assign them to roles without any issues.
>> > >>>>>>
>> > >>>>>> When I look at a user I can see all the LDAP groups they are a member of.
>> > >>>>>>
>> > >>>>>> When I run engine-manage-domains -action=validate it tells me the domain is valid.
>> > >>>>>>
>> > >>>>>> Here is my problem: when I try to assign a role to an LDAP group it looks like it works, but in the general tab under the group it tells me the status is Inactive.
>> > >>>>>>
>> > >>>>>> Does anyone know how to enable the group?
>> > >>>>>> _______________________________________________
>> > >>>>>> Users mailing list
>> > >>>>>> Users(a)ovirt.org
>> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
>> > >>>>>>
>> > >>>>>
>> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
>> > >>>>
>> > >>>>
>> > >>>> In case this is 3.5 it is a known issue, all groups will be seen as inactive; this field will probably be removed from the UI, as groups are no longer fetched periodically.
>> > >>>> This field is totally ignored.
>> > >>>>
>> > >>>> Alon
>> > >>>>
>> > >>
>> > >
>> >
>> >
>>
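The engine.log excerpt in the message above tells the whole story in four audit records: two role grants to the directory group, a failed login for pmarino with USER_NOT_AUTHORIZED_TO_PERFORM_ACTION, and a successful login only after a direct SuperUser grant to the user. The following is an added example, not code from this thread or from oVirt: a small Python parser that reads engine.log audit records in the format visible above, pairs each "failed to log in" message with the CanDoAction reason logged on the same thread, and reports users whose login failed while they held no direct grant, alongside the groups that did hold grants at that moment. SAMPLE_LOG is the excerpt re-joined one record per line, with the constructed domain `example.com` standing in for the redacted `<domain name>`; the assumption that group principals are named `<domain>/Groups/<cn>` is taken from the naming shown in the log.

```python
"""Correlate oVirt engine.log audit events: role grants versus login outcomes.

Added example, not from the mailing-list thread or from oVirt itself. It assumes
the engine.log layout visible in the thread. SAMPLE_LOG is that excerpt re-joined
one record per line, with the constructed domain "example.com" standing in for
the redacted <domain name>.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User 'example.com/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group example.com/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group example.com/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"""

# Record layout as seen in the thread: timestamp LEVEL [logger] (thread) [optional correlation id] body
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?:\[(?P<corr>[0-9a-f]+)\] )?(?P<body>.*)$"
)
GRANT_RE = re.compile(
    r"Message: User/Group (?P<principal>\S+) was granted permission for Role "
    r"(?P<role>\S+) on (?P<obj>\S+) by (?P<by>\S+)\."
)
LOGIN_OK_RE = re.compile(r"Message: User (?P<user>\S+) logged in\.")
LOGIN_FAIL_RE = re.compile(r"Message: User (?P<user>\S+) failed to log in\.")
CANDO_RE = re.compile(r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>\S+)")


@dataclass
class Principal:
    grants: list = field(default_factory=list)  # (ts, role, object)
    logins: list = field(default_factory=list)  # (ts, succeeded, reason)


def is_group(name):
    # Assumption: the engine names directory groups "<domain>/Groups/<cn>", as in the thread's log.
    return "/Groups/" in name


def parse(lines):
    principals = defaultdict(Principal)
    pending_fail = {}  # thread -> user whose "failed to log in" record we just saw
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, thread, body = m["ts"], m["thread"], m["body"]
        if g := GRANT_RE.search(body):
            principals[g["principal"]].grants.append((ts, g["role"], g["obj"]))
        elif g := LOGIN_OK_RE.search(body):
            principals[g["user"]].logins.append((ts, True, None))
        elif g := LOGIN_FAIL_RE.search(body):
            principals[g["user"]].logins.append((ts, False, None))
            pending_fail[thread] = g["user"]
        elif (g := CANDO_RE.search(body)) and thread in pending_fail:
            # The reason code is a separate WARN record on the same request thread;
            # attach it to the failure recorded just before it.
            user = pending_fail.pop(thread)
            ts0, ok, _ = principals[user].logins[-1]
            principals[user].logins[-1] = (ts0, ok, g["reasons"])
    return principals


def login_timeline(principals, user):
    """Each login attempt of `user` with the number of direct grants held at that time."""
    p = principals.get(user, Principal())
    return [
        (ts, ok, reason, sum(1 for gts, _, _ in p.grants if gts <= ts))
        for ts, ok, reason in p.logins
    ]


def unexplained_failures(principals):
    """Users whose login failed while they held no direct grant, with the groups that
    did hold grants at that moment. The log does not record group membership, so the
    group list is what to cross-check against the users.group_ids / ad_groups queries
    asked for in the thread, not proof that inheritance should have applied."""
    out = {}
    for name, p in principals.items():
        if is_group(name):
            continue
        for ts, ok, reason, direct in login_timeline(principals, name):
            if ok or direct:
                continue
            groups = sorted(
                g for g, gp in principals.items()
                if is_group(g) and any(gts <= ts for gts, _, _ in gp.grants)
            )
            out.setdefault(name, []).append((ts, reason, groups))
    return out


if __name__ == "__main__":
    ps = parse(SAMPLE_LOG.splitlines())
    for user, fails in unexplained_failures(ps).items():
        for ts, reason, groups in fails:
            print(f"{ts} {user}: login failed ({reason}); no direct grant; group grants: {groups}")
```

Run against the excerpt it prints one finding for pmarino at 16:35:52 with the sysadmin group as the only candidate source of inherited permissions, which is exactly the state the thread describes before the direct SuperUser grant. On a real engine.log, feed it the file line by line and compare the reported groups with the group_ids stored on the user row; a group that is granted a role but absent from the user's group_ids is the inheritance gap the 3.4.x bugs cited in the thread are about.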