That's very strange, can you please share the upgrade log if you still have it? Also can you please share the output of: $ select * from users; and $ select * from permissions; and also please share content of: /etc/ovirt-engine/extensions.d/internal-authn.properties /etc/ovirt-engine/extensions.d/internal-auth.properties /etc/ovirt-engine/aaa/internal.properties On 05/30/2018 06:12 PM, Michael Watters wrote:
It looks like the issue was caused by a new admin account being created in the internal-authz domain. Here is what the engine logs show.
2018-05-30 11:15:21,893-04 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-30 11:15:22,175-04 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-11) [77362b19] Running command: CreateUserSessionCommand internal: false.
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login
I was able to login after updating the permissions table to use the new user ID as follows.
update permissions set ad_element_id = (select user_id from users where domain = 'internal-authz' and username = 'admin') where ad_element_id = (select user_id from users where domain = 'internal' and username = 'admin') ;
Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when querying the admin account. For example:
[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) -- Namespace: * Name: admin ID: fdfc627c-d875-11e0-90f0-83df133b58cc Display Name: Email: First Name: admin Last Name: Department: Title: Description: Account Disabled: false Account Locked: false Account Unlocked At: 1970-01-01 00:00:00Z Account Valid From: 2016-11-16 15:27:01Z Account Valid To: 2216-11-16 15:27:01Z Account Without Password: false Last successful Login At: 2018-05-30 16:02:46Z Last unsuccessful Login At: 2018-05-29 19:25:28Z Password Valid To: 2216-09-29 15:27:01Z
Is there a way to resolve this conflict? Where does the admin@internal-authz account come from? I tried renaming the account but it is recreated every time that the engine is restarted.
On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was overwritten?
Alex
On Tue, May 29, 2018, 20:32 Michael Watters <wattersm@watters.ws <mailto:wattersm@watters.ws>> wrote:
I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3 release and the admin account is no longer able to login. After entering the user name and password I receive a message that states "The user admin@internal is not authorized to perform login".
Is there a way to resolve this? Resetting the password did not work. _______________________________________________ Users mailing list -- users@ovirt.org <mailto:users@ovirt.org> To unsubscribe send an email to users-leave@ovirt.org <mailto:users-leave@ovirt.org> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQE...
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/DT7ERVLLGIYEE2...