On 06/20/2016 08:33 PM, Julián Tete wrote:
Thanks Ondra :)
With the command:
su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""
I've just remembered that there is a bash script for it:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh
You can use it as follows:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
But, as per your output above, obviously your problem is not missing permissions.
I think the problem is that you removed the internal*.properties files and then re-added them.
Can you please send the output of the users table and the permissions table. Thanks.
su - postgres -c "psql -t engine -c \"select * from users;\""
su - postgres -c "psql -t engine -c \"select * from permissions;\""
--provider=ipa --user=admin
I get:
ERROR: duplicate key value violates unique constraint
"idx_combined_ad_role_object"
DETAIL: Key (ad_element_id, role_id,
object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
00000000-0000-0000-0000-000000000001,
aaa00000-0000-0000-0000-123456789aaa) already exists.
History
261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
/etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
/etc/ovirt-engine/extensions.d/
326 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co
--ldap-servers=freeipa.udistritaloas.edu.co
--attribute=email=danteconrad14@gmail.com
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin
--account-valid-to="2100-01-01 00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin
--account-valid-to="2100-01-01 00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal
--password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian
--attribute=firstName=Julian --attribute=lastName=Tete
416 ovirt-aaa-jdbc-tool user password-reset julian
--password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin
--account-valid-from="2015-10-01 00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force
--password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/
2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2
Trying to use:
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
First use:
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin
--ldap-servers=freeipa.udistritaloas.edu.co
The domain was added, but I can't access the webadmin portal :/
I get the message:
"User is not authorized to perform this action."
In ovirt-cli
[401] - Unauthorized
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
2016-06-20 10:52:22,835 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-32) [] Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default
task-32)
[] CanDoAction of action 'LoginAdminUser' failed for user
admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-3) [] Correlation ID: null, Call Stack: null,
Custom Event
ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
CanDoAction of action 'LoginUser' failed for user admin@internal.
Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-4) [] Correlation ID: null, Call Stack: null,
Custom Event
ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
CanDoAction of action 'LoginUser' failed for user admin@internal.
Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
I am a little bit lost about what your steps were to get into this state,
but it looks like your admin@internal user had its SuperUser
permissions removed. I am really not sure how you could achieve that, but to
fix it please run the following command:
$ su - postgres -c "psql -t engine -c \"insert into permissions
values ('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""
This command will grant your admin@internal user SuperUser permissions on
the system.
Can you please describe what you have done in a bit more detail, so we can
understand the problem?
Thanks.
Properties of Internal domain:
cat /etc/ovirt-engine/aaa/internal.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authn.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authz.properties
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
Properties of admin@internal user:
ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z
¿Can I assign privileges to the user? ¿Any idea?