That's right, I removed the internal properties :/
This is the output of the commands:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

Output:
FATAL: Please specify provider namespace
You don't have to run it, I've just sent it for future reference :)
But if you, for example, want to add SuperUser permissions to user 'julian', you can run:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9' --role=SuperUser --user-name=julian --authz-name=internal-authz --principal-namespace=*
And you don't need the admin@internal-authz user.
su - postgres -c "psql -t engine -c \"select * from users;\""

Output:
fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconrad14(a)gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *

su - postgres -c "psql -t engine -c \"select * from permissions;\""
Ok, according to the current status I would suggest you to:
1) remove admin@internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
$ su - postgres -c "psql -t engine -c \"delete from users where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
2) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
Then restart ovirt-engine and try to log in.
The problem here is that it tries to log in with the admin user which doesn't have any permissions, and you have two admin users, because you removed the internal-*.properties files, so it added another one.
Output:
00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
On 06/20/2016 08:33 PM, Julián Tete wrote:
Thanks Ondra :)
With the command:
su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
I've just remembered that there is a bash script for it:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh
You can use it as follows:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
But, as per your output above, obviously your problem is not missing permissions.
I think the problem is that you removed the internal*.properties files and then re-added them.
Can you please send the output of the users table and permissions table. Thanks.
su - postgres -c "psql -t engine -c \"select * from users;\""
su - postgres -c "psql -t engine -c \"select * from permissions;\""
I get:
ERROR: duplicate key value violates unique constraint "idx_combined_ad_role_object"
DETAIL: Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.
History
261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
326 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconrad14(a)gmail.com
416 ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/
2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2
Trying to use:
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
First use:
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
The domain was added, but I can't access the webadmin portal :/
I get the message:
"User is not authorized to perform this action."
In ovirt-cli
[401] - Unauthorized
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
I am a little bit lost about what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could achieve that, but to fix it please run the following command:
$ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
This command will add SuperUser permissions on the system to your admin@internal user.
Can you please describe what you have done a bit more, so we can understand the problem?
Thanks.
Properties of Internal domain:
cat /etc/ovirt-engine/aaa/internal.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authn.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authz.properties
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
Properties of admin@internal user:
ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z
Can I assign privileges to the user? Any idea?
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
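The root cause Ondra identifies in the thread (SuperUser granted to the admin record in domain `internal`, while the engine now authorizes through `internal-authz`, so a second, permission-less admin record was created) can be checked from the two psql dumps before touching the database. The script below is an added example, not code from the thread or from the oVirt project; it parses `psql -t` pipe-separated rows, joins `permissions` to `users`, and reports every username that exists under more than one domain together with which of those records actually holds SuperUser on the system object. The SuperUser role id and system object id are the ones quoted in the thread; the column positions (user_id, domain, username in `users`; role_id, ad_element_id, object_id in `permissions`) are assumed from the thread's own output, and the sample rows are constructed from it.

```python
"""Diagnose an oVirt admin that cannot log in because SuperUser is attached
to a user record whose domain no longer matches the active authz extension.
Added example; not part of the mailing-list thread or of oVirt."""
from collections import defaultdict

# Well-known identifiers quoted in the thread.
SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"
SYSTEM_OBJECT_ID = "aaa00000-0000-0000-0000-123456789aaa"

# Constructed sample: the four `select * from users` rows from the thread,
# one row per line as psql -t prints them.
USERS_OUTPUT = """\
fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconrad14(a)gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *
"""

# Constructed sample: a subset of the `select * from permissions` rows.
PERMISSIONS_OUTPUT = """\
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
"""


def parse_psql_rows(text):
    """Split psql -t output into lists of stripped cell strings, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append([cell.strip() for cell in line.split("|")])
    return rows


def parse_users(text):
    """Map user_id -> (username, domain). Assumed columns: 0=user_id, 3=domain, 4=username."""
    return {row[0]: (row[4], row[3]) for row in parse_psql_rows(text)}


def superusers_on_system(text):
    """ad_element_ids holding SuperUser on the system object.
    Assumed columns: 1=role_id, 2=ad_element_id, 3=object_id."""
    ids = set()
    for row in parse_psql_rows(text):
        if row[1] == SUPERUSER_ROLE_ID and row[3] == SYSTEM_OBJECT_ID:
            ids.add(row[2])
    return ids


def diagnose(users_text, permissions_text, active_authz):
    """Return (findings, usable): findings lists (username, domain, has_superuser)
    for every username present under more than one domain; usable is True when
    at least one SuperUser grant is attached to a record in active_authz, i.e.
    a record the running engine can actually match at login."""
    users = parse_users(users_text)
    grantees = superusers_on_system(permissions_text)
    by_name = defaultdict(list)
    for user_id, (username, domain) in users.items():
        by_name[username].append((user_id, domain))
    findings = []
    for username, records in sorted(by_name.items()):
        if len(records) < 2:
            continue
        for user_id, domain in records:
            findings.append((username, domain, user_id in grantees))
    usable = any(users[g][1] == active_authz for g in grantees if g in users)
    return findings, usable


if __name__ == "__main__":
    # The thread's state: authz plugin is internal-authz, SuperUser sits on admin@internal.
    findings, usable = diagnose(USERS_OUTPUT, PERMISSIONS_OUTPUT, "internal-authz")
    for username, domain, has_su in findings:
        print(f"{username}@{domain}: SuperUser={'yes' if has_su else 'no'}")
    print("SuperUser reachable through active authz:", usable)
```

Run against the thread's data it reports three `admin` records, shows that only `admin@internal` carries SuperUser, and returns `usable=False` for `internal-authz`; the same check returns `True` once the domain of that record is renamed to the active authz name, which is what Ondra's second SQL statement does. Reading the dumps this way first avoids deleting the wrong one of the duplicate admin rows.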