On Fri, 22 Mar 2019 10:49:08 +0100
Gianluca Cecchi <gianluca.cecchi(a)gmail.com> wrote:
On Thu, Mar 21, 2019 at 3:46 PM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com>
wrote:
>
> . . .
>
> I'm trying to add with name "MYOVN" from web admin gui: should I use
> instead another name?
>
Gianluca
>
>
> Tried also this as detailed by Dominik, renewing certificates:
https://www.mail-archive.com/users@ovirt.org/msg53697.html
Not understood what to do in step
2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous
command in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
"Use" in which way???
use as <my_secret_omitted> in
[OVIRT]
ovirt-sso-client-secret=<my_secret_omitted>
I named with default "ovirt-provider-ovn" the OVN provider, after enabling
debug in OVN I get this when I test the connection in web admin gui
2019-03-22 10:40:41,917 root From: ::ffff:10.4.192.43:44744 Request: POST
/v2.0/tokens
2019-03-22 10:40:41,918 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password":
"<PASSWORD_HIDDEN>"}}}
2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's
SSO module:
https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token
2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's
SSO module:
https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token
2019-03-22 10:40:41,921 urllib3.connectionpool Starting new HTTPS
connection (1): ovmgr1.mydomain
2019-03-22 10:40:46,961 urllib3.connectionpool
https://ovmgr1.mydomain:443
"POST /ovirt-engine/sso/oauth/token HTTP/1.1" 400 148
2019-03-22 10:40:46,964 root From: ::ffff:10.4.192.43:44744 Request: POST
/v2.0/tokens
2019-03-22 10:40:46,964 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password":
"<PASSWORD_HIDDEN>"}}}
2019-03-22 10:40:46,964 root Error during SSO authentication Cannot
authenticate user 'admin@internal': Unable to log in. Verify your login
information or contact the system administrator.. : access_denied
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 134,
in _handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line
175, in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line
62, in post_tokens
user_password=user_password)
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in
create_token
return auth.core.plugin.create_token(user_at_domain, user_password)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line
48, in create_token
timeout=self._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
in create_token
username, password, engine_url, ca_file, timeout)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91,
in _get_sso_token
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55,
in wrapper
_check_for_error(response)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181,
in _check_for_error
result['error'], details))
Unauthorized: Error during SSO authentication Cannot authenticate user
'admin@internal': Unable to log in. Verify your login information or
contact the system administrator.. : access_denied
It seems I have not completely understood the link between SSO and
admin@internal as a user for OVN authentication....
The ovirt-sso-client-id and ovirt-sso-client-secret are required to
allow the ovirt-provider-ovn to connect to Engine's SSO for checking the
user-visible username, e.g. admin@internal, and password.
I guess you are already aware of the doc in
https://github.com/oVirt/ovirt-provider-ovn/#section-ovirt
ovirt-provider-ovn stores neither the user's, e.g. admin@internal,
password nor the session token; it is just forwarded to Engine's SSO to
check for validity.
If you are interested in the details, the session token is generated
by _get_sso_token in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plu...
and validated by another method in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plu...
where the ovirt-sso-client-id and ovirt-sso-client-secret are
used as client_id, client_secret.
In your case _get_sso_token is already failing, which does not use the
ovirt-sso-client-secret.
To solve this particular issue, the provider in oVirt web admin ui
should use the usual oVirt password for admin@internal.
Gianluca
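
Added example, not part of the original thread and not ovirt-provider-ovn code: a small triage script for the provider debug log quoted above. It groups the mail-wrapped lines into records, merges the repeated request line per client address and port, checks that the logged password is the `<PASSWORD_HIDDEN>` placeholder, and reports whether the failure happened in `_get_sso_token`, the step the reply says does not use the client secret. The function names and the sample text are constructed for illustration.

```python
import json
import re

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\S+) (.*)$")
MASK = "<PASSWORD_HIDDEN>"  # placeholder seen in the log quoted in the message
# Constructed sample: lines taken from the log in the message, mail wrapping partly undone.
SAMPLE_LOG = """\
2019-03-22 10:40:41,917 root From: ::ffff:10.4.192.43:44744 Request: POST /v2.0/tokens
2019-03-22 10:40:41,918 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password":
"<PASSWORD_HIDDEN>"}}}
2019-03-22 10:40:46,961 urllib3.connectionpool https://ovmgr1.mydomain:443 "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 400 148
2019-03-22 10:40:46,964 root From: ::ffff:10.4.192.43:44744 Request: POST /v2.0/tokens
2019-03-22 10:40:46,964 root Error during SSO authentication Cannot authenticate user 'admin@internal': Unable to log in. Verify your login information or contact the system administrator.. : access_denied
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
"""

def records(text):
    """Return [logger, message] pairs; lines without a timestamp continue the previous record."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def triage(text):
    """Summarise each POST /v2.0/tokens attempt, keyed by client address and port."""
    attempts, cur = {}, None
    for _, msg in records(text):
        req = re.search(r"From: (\S+) Request: POST /v2\.0/tokens", msg)
        if req:  # the log repeats this line before the error, so reuse the entry
            cur = attempts.setdefault(req.group(1), {"client": req.group(1)})
        elif cur is None:
            continue
        elif msg.startswith("Request body:"):
            creds = json.loads(msg[len("Request body:"):])["auth"]["passwordCredentials"]
            cur["user"] = creds["username"]
            cur["password_masked"] = creds["password"] == MASK
        elif "/ovirt-engine/sso/oauth/token HTTP/" in msg:
            cur["sso_status"] = int(msg.split('"')[2].split()[0])
        elif msg.startswith("Error during SSO authentication"):
            # "|$" makes the search always match; group(1) is None without an error code
            cur["error"] = re.search(r" : (\w+)|$", msg).group(1)
            cur["password_step"] = "_get_sso_token" in msg  # traceback names the failing step
    return list(attempts.values())
```

A record with `password_masked` set to `False` means the debug log holds a cleartext password and should be treated as sensitive.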