That's right, I removed the internal properties :/

This is the output of the commands:

/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

Output:

FATAL: Please specify provider namespace

su - postgres -c "psql -t engine -c \"select * from users;\""

Output:

 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               | internal             | admin    |            |                         |      | t                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
 16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator | udistritaloas.edu.co | admin    |            |                         |      | f                       | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          | internal-authz       | julian   |            | danteconrad14@gmail.com |      | f                       | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |               | internal-authz       | admin    |            |                         |      | f                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *

su - postgres -c "psql -t engine -c \"select * from permissions;\""

Output:

 00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 |              4 |    1447535033
 0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 |             27 |    1447535033
 00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |              1 |    1447535033
 00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |              1 |    1447535033
 00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 |              4 |    1447535033
 00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 |              4 |    1447535033
 00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd |              4 |    1447535033
 00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 |              4 |    1447535033
 00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 |              4 |    1447535033
 00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa |              1 |    1447535037
 7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |    1457665842
 e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |    1457665842
 c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |    1463161875


2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 08:33 PM, Julián Tete wrote:
Thanks Ondra :)

With the command:

su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""


I've just remembered that there is a bash script for it:

 /usr/share/ovirt-engine/bin/ovirt-engine-role.sh

You can use it as follows:

 /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

But, as per your output above, obviously your problem is not missing permissions.
I think the problem is that you removed the internal*.properties files and then re-added them.
Can you please send the output of the users table and the permissions table? Thanks.

 su - postgres -c "psql -t engine -c \"select * from users;\""
 su - postgres -c "psql -t engine -c \"select * from permissions;\""

I get:

ERROR:  duplicate key value violates unique constraint "idx_combined_ad_role_object"
DETAIL:  Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.

History

  261  yum install ovirt-engine-extension-aaa-ldap
  262  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
  263  cd /etc/ovirt-engine/
  264  ll
  265  vim profile1.properties
  266  ll
  267  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
  269  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
  270  ll
  271  cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  272  cd /etc/ovirt-engine/extensions.d/
  273  ll
  274  find / -type f -iname profile1.properties
  275  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
  276  find / -type f -iname profile1.properties
  277  vim /etc/ovirt-engine/aaa/profile1.properties
  278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  280  systemctl restart ovirt-engine
  281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
  282  cd /usr/share/
  283  ls
  284  cd ovirt-engine-aaa-ldap
  285  ls
  286  cd ovirt-engine-extension-aaa-ldap/
  287  ls
  288  cd examples/
  289  ls
  290  cd ad
  291  ls
  292  cd extensions.d/
  293  ls
  294  vim profile1-authn.properties
  295  pwd
  296  cd ..
  297  pwd
  298  cd ..
  299  ls
  300  cd simple
  301  ls
  302  cd aaa/
  303  ls
  304  vim profile1.properties
  305  pwd
  306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
  307  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
  308  vim /etc/ovirt-engine/aaa/profile1.properties
  309  history
  310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  312  systemctl restart ovirt-engine
  313  updatedb
  314  locate domain1-authn.properties
  315  history
  316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
  317  ll
  318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
  319  ls
  320  cd extensions.d/
  321  ls
  322  pwd
  323  cd /etc/ovirt-engine/extensions.d/
  324  ls
  325  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
  326   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
  328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
  329   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  330  ll
  331  history
  332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
  333  chmod 600 /etc/ovirt-engine/extensions.d/*
  334  ll
  335  cd extensions.d/
  336  ll
  337  cd
  338  engine-config -s SASL_QOP=auth
  339  systemctl restart ovirt-engine
  340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
  341  systemctl restart ovirt-engine
  342  engine-manage-domains list
  343  history
  344  cd /etc/ovirt-engine/extensions.d/
  345  ll
  346  rm -rf internal-authn.properties
  347  rm -rf internal-authz.properties
  348  rm -rf profile1-authn.properties
  349  rm -rf profile1-authz.properties
  350  history
  351  cd /etc/ovirt-engine/aaa/
  352  ll
  353  rm -rf profile1.properties
  354  vim internal.properties
  355  systemctl restart ovirt-engine
  356  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  357  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  358  engine-config -s AdminPassword=interactive
  359  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  360  systemctl restart ovirt-engine
  361  exit
  362  cd /etc/ovirt-engine/aaa/
  363  ll
  364  vim internal.properties
  365  /etc/ovirt-engine/extensions.d/
  366  cd /etc/ovirt-engine/extensions.d/
  367  ll
  368  cd extensions.d/
  369  ll
  370  pwd
  371  ll
  372  cd ..
  373  ll
  374  cd ..
  375  ll
  376  cd /etc/ovirt-engine/extensions.d/
  377  ll
  378  cd extensions.d/
  379  ll
  380  pwd
  381  ll
  382  cd ..
  383  ll
  384  systemctl restart ovirt-engine.service
  385  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  386  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  387  systemctl restart ovirt-engine.service
  388  ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
  389  yum install -y ovirt-engine-extension-aaa-jdbc
  390  engine-setup
  391  ovirt-aaa-jdbc-tool user show admin
  392  ovirt-aaa-jdbc-tool settings show
  393  cd /var/log
  394  ll
  395  cd ovirt-engine
  396  ll
  397  tail -f n 100 ui.log
  398  ll
  399  tail -f -n engine.log
  400  tail -f -n 1000 engine.log
  401  tail -n 5000 engine.log | grep admin@internal
  402  ovirt-aaa-jdbc-tool user show admin
  403  ovirt-aaa-jdbc-tool user show admin@internal
  404  ovirt-aaa-jdbc-tool query --what=user
  405  engine-config -s AdminPassword=interactive
  406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
  407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
  408  cd /etc/ovirt-engine/extensions.d/
  409  ll
  410  vim /etc/ovirt-engine/aaa/internal.properties
  411  cd /etc/ovirt-engine/aaa/
  412  ll
  413  vim internal.properties
  414  pwd
  415  ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconrad14@gmail.com
  416  ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
  417  history
  418  tail -n 5000 engine.log | grep admin@internal
  419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
  420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
  421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
  422  systemctl restart ovirt-engine.service
  423  history
  424  ovirt-aaa-jdbc-tool query --what=user
  425  updatedb
  426  locate internal
  427  yum install -y ovirt-engine-cli
  428  cd /opt
  429  cd /opt/



2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace@redhat.com>:


    On 06/20/2016 06:36 PM, Julián Tete wrote:

        oVirt: 3.6.2

        Trying to use:

        https://github.com/machacekondra/ovirt-engine-kerbldap-migration

        First use:

        engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co


        The domain was added, but I can't access the webadmin portal :/

        I get the message:

        "User is not authorized to perform this action."

        In ovirt-cli

        [401] - Unauthorized

        tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal

        2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
        2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
        2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
        2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
        2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
        2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION


    I am a little bit lost as to what your steps were to get into this state,
    but it looks like your admin@internal user had its SuperUser
    permissions removed. I am really not sure how you could achieve that, but to
    fix it please run the following command:

     $ su - postgres -c "psql -t engine -c \"insert into permissions
    values ('0000001b-001b-001b-001b-00000000029f',
    '00000000-0000-0000-0000-000000000001',
    'fdfc627c-d875-11e0-90f0-83df133b58cc',
    'aaa00000-0000-0000-0000-123456789aaa', 1);\""

    This command will add your admin@internal SuperUser permissions on
    the system.

    Can you please describe what you have done a bit more, so we can
    understand the problem?

    Thanks.


        Properties of Internal domain:

        cat /etc/ovirt-engine/aaa/internal.properties

        ovirt.engine.extension.name = internal-authn
        ovirt.engine.extension.bindings.method = jbossmodule
        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
        ovirt.engine.aaa.authn.profile.name = internal
        ovirt.engine.aaa.authn.authz.plugin = internal-authz
        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

        cat /etc/ovirt-engine/extensions.d/internal-authn.properties

        ovirt.engine.extension.name = internal-authn
        ovirt.engine.extension.bindings.method = jbossmodule
        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
        ovirt.engine.aaa.authn.profile.name = internal
        ovirt.engine.aaa.authn.authz.plugin = internal-authz
        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

        cat /etc/ovirt-engine/extensions.d/internal-authz.properties

        ovirt.engine.extension.name = internal-authz
        ovirt.engine.extension.bindings.method = jbossmodule
        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

        Properties of admin@internal user:

        ovirt-aaa-jdbc-tool user show admin

        -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
        Namespace: *
        Name: admin
        ID: fdfc627c-d875-11e0-90f0-83df133b58cc
        Display Name:
        Email:
        First Name: admin
        Last Name:
        Department:
        Title:
        Description:
        Account Disabled: false
        Account Unlocked At: 1970-01-01 00:00:00Z
        Account Valid From: 2015-10-01 00:00:00Z
        Account Valid To: 2100-01-01 00:00:00Z
        Account Without Password: false
        Last successful Login At: 2016-06-20 16:01:03Z
        Last unsuccessful Login At: 2016-06-19 16:53:07Z
        Password Valid To: 2100-01-01 00:00:00Z

        Can I assign privileges to the user? Any idea?


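
An added example, not part of the original thread: a Python script that cross-references the two `psql -t` dumps in this message and lists, for every row in `users`, the role_ids granted to that exact id. The permissions column order is taken from the insert statement and the constraint error quoted above; the users column positions (id first, domain fourth, username fifth) are an assumption read off the values in the dump.

```python
import re
from collections import defaultdict

UUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
SUPERUSER = "00000000-0000-0000-0000-000000000001"  # role_id used in the insert above

# Abridged from the users dump in this message: first five columns only,
# plus one wrapped continuation line to show that it is skipped.
USERS = """
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               | internal             | admin
 16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator | udistritaloas.edu.co | admin
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          | internal-authz       | julian
 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |               | internal-authz       | admin
05 | 2016-06-20 16:06:49.138862-05 | *
"""

# Abridged from the permissions dump: id | role_id | ad_element_id | object_id | type.
PERMISSIONS = """
 00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 | 4
 00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1
 00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1
 e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4
"""


def rows(dump):
    """Yield stripped fields per row; lines not starting with a UUID (blank or
    wrapped continuations) are skipped."""
    for line in dump.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if UUID.fullmatch(fields[0]):
            yield fields


def roles_per_user(users_dump, permissions_dump):
    """Map (username, domain, user id) to the role_ids granted to that exact id."""
    granted = defaultdict(set)
    for _id, role_id, ad_element_id, *_ in rows(permissions_dump):
        granted[ad_element_id].add(role_id)
    return {
        (f[4], f[3], f[0]): sorted(granted.get(f[0], ()))  # assumed column positions
        for f in rows(users_dump)
    }


def without_role(report, role_id=SUPERUSER):
    """User rows that hold no grant of role_id."""
    return [key for key, roles in report.items() if role_id not in roles]


if __name__ == "__main__":
    report = roles_per_user(USERS, PERMISSIONS)
    for (username, domain, user_id), roles in report.items():
        print(f"{username}@{domain} {user_id}: {len(roles)} role(s)")
    print("no SuperUser grant:", without_role(report))
```

On the data in this message, the grants are attached to the `admin` row whose domain is `internal`, while the `admin` row whose domain is `internal-authz` has a different id and no rows in `permissions`.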