
On 06/22/2016 05:21 PM, Julián Tete wrote:
S-O-L-V-E-D!!!
You are a wizard, Ondra Machacek!!!
Thank you very much!!! As Apache says: "It works"
Great! You are welcome
I have a question for you.
In the command
su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
What's the meaning of:
0000001b-001b-001b-001b-00000000029f
This one is the id of the permission. It's auto-generated.
00000000-0000-0000-0000-000000000001
This one is the id of the role. This is the id of SuperUser, as you can see by running: select * from roles;
aaa00000-0000-0000-0000-123456789aaa
This one is the object id; in this case it's the id of the system.
1
This one represents the object type; it is a number that represents some object, for example 1 represents the system object, number 2 represents a VM, number 3 a Host... etc.
¿?
Thanks again
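An added offline check (my example, not code from the thread or from oVirt) that applies the column meanings explained above to the users and permissions dumps quoted later in the thread: it flags an external_id bound to more than one user row (the two admin rows in different domains) and shows which row actually holds SuperUser on the system object. The column order is an assumption read off the psql -t rows on the page, and the sample rows are constructed from them with timestamps shortened and the e-mail replaced.

```python
"""Offline check of an oVirt 3.6 'users' / 'permissions' dump for the failure
mode in this thread: the SuperUser grant points at one row of the admin user
while the login profile resolves to a different row.

Added example, not part of the mailing-list thread. Column order is the one
read off the psql -t rows quoted in the thread (assumed, not taken from the
schema); the sample rows are constructed from those quotes."""

SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"  # role id from the thread
SYSTEM_OBJECT_ID = "aaa00000-0000-0000-0000-123456789aaa"   # system object id from the thread
SYSTEM_OBJECT_TYPE = "1"                                     # "1 represents system object"

# Assumed column order for the 13-field users rows and 6-field permissions rows.
USERS_COLS = ["user_id", "name", "surname", "domain", "username", "department",
              "email", "note", "last_admin_check_status", "external_id",
              "create_date", "update_date", "namespace"]
PERMS_COLS = ["id", "role_id", "ad_element_id", "object_id", "object_type",
              "creation_date"]

# Constructed sample: the state after internal-*.properties were deleted and re-added.
USERS_DUMP = """
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin |  | internal | admin |  |  |  | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 | 2016-06-18 | *
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian |  | julian@example.invalid |  | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 | 2016-06-20 | *
 c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin |  | internal-authz | admin |  |  |  | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-21 | 2016-06-21 | *
"""
PERMS_DUMP = """
 00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
 c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
"""


def parse_psql_rows(dump, columns):
    """Turn `psql -t` pipe-separated rows into dicts keyed by column name."""
    rows = []
    for line in dump.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(fields)}: {line!r}")
        rows.append(dict(zip(columns, fields)))
    return rows


def duplicate_identities(users):
    """external_id values bound to more than one user row (e.g. admin@internal
    and admin@internal-authz sharing one external_id)."""
    by_ext = {}
    for u in users:
        by_ext.setdefault(u["external_id"], set()).add(f'{u["username"]}@{u["domain"]}')
    return {ext: sorted(names) for ext, names in by_ext.items() if len(names) > 1}


def superuser_on_system(users, perms):
    """Map user@domain -> whether that specific user row holds SuperUser on the
    system object. Grants reference user_id via ad_element_id, so a second row
    for the same person does not inherit them."""
    granted = {p["ad_element_id"] for p in perms
               if p["role_id"] == SUPERUSER_ROLE_ID
               and p["object_id"] == SYSTEM_OBJECT_ID
               and p["object_type"] == SYSTEM_OBJECT_TYPE}
    return {f'{u["username"]}@{u["domain"]}': u["user_id"] in granted for u in users}


def diagnose(users_dump=USERS_DUMP, perms_dump=PERMS_DUMP):
    """Run both checks over a pair of dumps and return the findings."""
    users = parse_psql_rows(users_dump, USERS_COLS)
    perms = parse_psql_rows(perms_dump, PERMS_COLS)
    return {"duplicates": duplicate_identities(users),
            "superuser": superuser_on_system(users, perms)}


if __name__ == "__main__":
    report = diagnose()
    for ext, names in report["duplicates"].items():
        print(f"external_id {ext} is bound to several user rows: {', '.join(names)}")
    for who, ok in sorted(report["superuser"].items()):
        print(f"{who}: SuperUser on system = {ok}")
```

On the constructed sample the report shows admin@internal as the only row with SuperUser on the system object and admin@internal-authz as a second row for the same external_id without it, which is the state Ondra's delete-and-rename steps repair.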
2016-06-22 5:22 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/21/2016 09:18 PM, Julián Tete wrote:
Roger Ondra!
1) su - postgres -c "psql -t engine -c \"delete from users where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
Output:
DELETE 1
2) su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
Output:
ERROR: duplicate key value violates unique constraint "users_domain_external_id_unique" DETAIL: Key (domain, external_id)=(internal-authz, fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
OK, this is really strange, because this shouldn't be printed as you removed all constraints in step 1).
So, can you please first stop ovirt-engine, before running steps above? So the steps now would be:
1) service ovirt-engine stop
2) remove admin@internal-authz (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note the id changed from last time). If there are more admin users with domain internal-authz, please remove them all.
$ su - postgres -c "psql -t engine -c \"delete from users where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""
3) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
4) service ovirt-engine start
3) systemctl restart ovirt-engine.service
No login yet :(
Look at this:
ovirt-aaa-jdbc-tool user show admin
Output:
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-21 19:15:59Z
Last unsuccessful Login At: 2016-06-20 17:33:24Z
Password Valid To: 2100-01-01 00:00:00Z
su - postgres -c "psql -t engine -c \"select * from users;\""
Output:
fdfc627c-d875-11e0-90f0-83df133b58cc | admin |  | internal | admin |  |  |  | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e |  | Administrator | udistritaloas.edu.co | admin |  |  |  | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian |  | danteconrad14@gmail.com |  | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin |  | internal-authz | admin |  |  |  | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-21 13:54:07.765767-05 | 2016-06-21 14:15:59.352697-05 | *
su - postgres -c "psql -t engine -c \"select * from permissions;\""
Output:
00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/21/2016 04:54 PM, Julián Tete wrote:
That's right, I removed the internal properties :/
This is the output of the commands:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
Output:
FATAL: Please specify provider namespace
You don't have to run it, I've just sent it for future reference :) But if you, for example, want to add SuperUser permissions to user 'julian', you can run:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9' --role=SuperUser --user-name=julian --authz-name=internal-authz --principal-namespace=*
And you don't need admin@internal-authz user.
su - postgres -c "psql -t engine -c \"select * from users;\""
Output:
fdfc627c-d875-11e0-90f0-83df133b58cc | admin |  | internal | admin |  |  |  | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e |  | Administrator | udistritaloas.edu.co | admin |  |  |  | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian |  | danteconrad14@gmail.com |  | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin |  | internal-authz | admin |  |  |  | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *
su - postgres -c "psql -t engine -c \"select * from permissions;\""
Ok, according to current status I would suggest you to:
1) remove admin@internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
$ su - postgres -c "psql -t engine -c \"delete from users where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
2) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
Then restart ovirt-engine and try to login.
The problem here is that it tries to log in with an admin user which doesn't have any permissions, and you have two admin users, because you have removed the internal-*.properties files, so it added another one.
Output:
00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 08:33 PM, Julián Tete wrote:
Thanks Ondra :)
With the command:
su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
I've just remembered, that there is bash script for it:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh
You can use it as follows:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
But, as per your output above, obviously your problem is not missing permissions. I think the problem is that you removed the internal*.properties files and then re-added them. Can you please send the output of the users table and the permissions table? Thanks.
su - postgres -c "psql -t engine -c \"select * from users;\""
su - postgres -c "psql -t engine -c \"select * from permissions;\""
I get:
ERROR: duplicate key value violates unique constraint "idx_combined_ad_role_object" DETAIL: Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.
History
261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
326 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconrad14@gmail.com
416 ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/
2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2
Trying to use:
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
First use:
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
The domain was added, but I can't access the webadmin portal :/
I get the message:
"User is not authorized to perform this action."
In ovirt-cli
[401] - Unauthorized
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
I am a little bit lost about what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could achieve that, but to fix it please run the following command:
$ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
This command will add your admin@internal SuperUser permissions on system.
Can you please describe what you have done a bit more, so we can understand the problem?
Thanks.
Properties of Internal domain:
cat /etc/ovirt-engine/aaa/internal.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authn.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authz.properties
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
Properties of admin@internal user:
ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z
Can I assign privileges to the user? Any idea?
_______________________________________________
Users mailing list
Users@ovirt.org