On Fri, 22 Mar 2019 10:49:08 +0100 Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Thu, Mar 21, 2019 at 3:46 PM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
. . .
I'm trying to add with name "MYOVN" from web admin gui: should I use instead another name?
Gianluca
Tried also this as detailed by Dominik, renewing certificates:
https://www.mail-archive.com/users@ovirt.org/msg53697.html
Not understood what to do in step 2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous command in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf "Use" in which way???
use as <my_secret_omitted> in [OVIRT] ovirt-sso-client-secret=<my_secret_omitted>
I named with default "ovirt-provider-ovn" the OVN provider, after enabling debug in OVN I get thsi when I test the connection in web admin gui
2019-03-22 10:40:41,917 root From: ::ffff:10.4.192.43:44744 Request: POST /v2.0/tokens 2019-03-22 10:40:41,918 root Request body: {"auth": {"passwordCredentials": {"username": "admin@internal", "password": "<PASSWORD_HIDDEN>"}}} 2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's SSO module: https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token 2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's SSO module: https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token 2019-03-22 10:40:41,921 urllib3.connectionpool Starting new HTTPS connection (1): ovmgr1.mydomain 2019-03-22 10:40:46,961 urllib3.connectionpool https://ovmgr1.mydomain:443 "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 400 148 2019-03-22 10:40:46,964 root From: ::ffff:10.4.192.43:44744 Request: POST /v2.0/tokens 2019-03-22 10:40:46,964 root Request body: {"auth": {"passwordCredentials": {"username": "admin@internal", "password": "<PASSWORD_HIDDEN>"}}} 2019-03-22 10:40:46,964 root Error during SSO authentication Cannot authenticate user 'admin@internal': Unable to log in. Verify your login information or contact the system administrator.. : access_denied Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 134, in _handle_request method, path_parts, content File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in wrapper _check_for_error(response) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in _check_for_error result['error'], details)) Unauthorized: Error during SSO authentication Cannot authenticate user 'admin@internal': Unable to log in. Verify your login information or contact the system administrator.. : access_denied
It seems I have not completely understood the link between SSO and admin@internal as a user for OVN authentication....
The ovirt-sso-client-id and ovirt-sso-client-secret is required, to allow the ovirt-provider-ovn to connect to Engine's SSO for checking to user visible username, e.g. admin@internal, and password. I guess you are already aware of the doc in https://github.com/oVirt/ovirt-provider-ovn/#section-ovirt ovirt-provider-ovn does not store neither the user, e.g. admin@internal password nor the session token, it is just forwarded to Engine's SSO to check for validity. If you are interested in the details, the session token is generated by _get_sso_token in https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plugin... and validated by another method in https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plugin... where the ovirt-sso-client-id and ovirt-sso-client-secret are used as client_id, client_secret. In your case _get_sso_token is already failing, which does not use the ovirt-sso-client-secret. To solve this praticular issue, the provider in oVirt web admin ui should use the usual oVirt password for admin@internal.
Gianluca