It looks like the issue was caused by a new admin account being created in the internal-authz domain. Here is what the engine logs show.
2018-05-30 11:15:21,893-04 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
task-9) [] User admin@internal successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-30 11:15:22,175-04 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
task-11) [77362b19] Running command: CreateUserSessionCommand
internal: false.
2018-05-30 11:15:22,252-04 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114),
User admin@internal-authz connecting from '10.209.44.27' failed to
log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-11) [] The user admin@internal is not authorized to perform
login
I was able to log in after updating the permissions table to use the new user ID as follows.
update permissions
set ad_element_id = (select user_id from users where domain = 'internal-authz' and username = 'admin')
where ad_element_id = (select user_id from users where domain = 'internal' and username = 'admin');
Despite this, the ovirt-aaa-jdbc-tool still shows the wrong user ID when querying the admin account. For example:
[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z
Is there a way to resolve this conflict? Where does the admin@internal-authz account come from? I tried renaming the account but it is recreated every time that the engine is restarted.
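An added example, not part of the original messages and not oVirt code: a small Python check over engine log text that flags logins where SSO authentication succeeded but the engine then raised USER_VDC_LOGIN_FAILED for the same user name, reporting the SSO profile next to the domain name the engine used. The sample entries are the ones quoted above, unwrapped to one per line with the scope list shortened; the function name and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the entries quoted in the message, one per line, scopes shortened.
SAMPLE_LOG = """\
2018-05-30 11:15:21,893-04 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal
2018-05-30 11:15:22,175-04 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-11) [77362b19] Running command: CreateUserSessionCommand internal: false.
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login
"""

# Timestamp prefix; the UTC offset is skipped because one log file uses one offset.
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3})\S*\s+(.*)$")
SSO_OK = re.compile(r"User (\S+)@(\S+) successfully logged in")
DENIED = re.compile(
    r"USER_VDC_LOGIN_FAILED\(114\), User (\S+)@(\S+) connecting from '([^']*)'")


def find_authn_ok_authz_denied(log_text, window_seconds=5):
    """Return logins that SSO accepted and the engine rejected shortly after."""
    window = timedelta(seconds=window_seconds)
    last_ok = {}  # user name -> (time of SSO success, SSO profile)
    findings = []
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # wrapped continuation line or unrelated output
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        when += timedelta(milliseconds=int(m.group(2)))
        ok = SSO_OK.search(m.group(3))
        if ok:
            last_ok[ok.group(1)] = (when, ok.group(2))
            continue
        bad = DENIED.search(m.group(3))
        if bad and bad.group(1) in last_ok:
            ok_time, profile = last_ok[bad.group(1)]
            if timedelta(0) <= when - ok_time <= window:
                findings.append({
                    "user": bad.group(1),
                    "sso_profile": profile,          # name SSO authenticated against
                    "engine_domain": bad.group(2),   # name in the engine audit event
                    "source_ip": bad.group(3),
                    "time": when.isoformat(sep=" ", timespec="milliseconds"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_authn_ok_authz_denied(SAMPLE_LOG):
        print(finding)
```

Each finding pairs the identity that passed authentication with the one the engine evaluated for authorization, which is the pair of names used in the permissions update above.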
Are you using the engine IP to log in? Perhaps the sso default file was overwritten?
Alex
On Tue, May 29, 2018, 20:32 Michael Watters <wattersm@watters.ws> wrote:
I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
release and the admin account is no longer able to log in. After
entering the user name and password I receive a message that states "The
user admin@internal is not authorized to perform login".
Is there a way to resolve this? Resetting the password did not work.
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/