It looks like the issue was caused by a new admin account being created
in the internal-authz domain. Here is what the engine logs show.
2018-05-30 11:15:21,893-04 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9)
[] User admin@internal successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access
2018-05-30 11:15:22,175-04 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
task-11) [77362b19] Running command: CreateUserSessionCommand internal:
false.
2018-05-30 11:15:22,252-04 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
admin@internal-authz connecting from '10.209.44.27' failed to log
in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-11) [] The user admin@internal is not authorized to perform login
I was able to login after updating the permissions table to use the new
user ID as follows.
update permissions set ad_element_id = (select user_id from users where
domain = 'internal-authz' and username = 'admin') where ad_element_id =
(select user_id from users where domain = 'internal' and username =
'admin') ;
Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when
querying the admin account. For example:
[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z
Is there a way to resolve this conflict? Where does the
admin@internal-authz account come from? I tried renaming the account
but it is recreated every time that the engine is restarted.
On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was
overwritten?
Alex
On Tue, May 29, 2018, 20:32 Michael Watters <wattersm(a)watters.ws
<mailto:wattersm@watters.ws>> wrote:
I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
release and the admin account is no longer able to login. After
entering the user name and password I receive a message that
states "The
user admin@internal is not authorized to perform login".
Is there a way to resolve this? Resetting the password did not work.
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMN...