Re: [ovirt-users] ovirt with 389 server inactive groups

here are the results of the queries you asked for group_ids | groups -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---- 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | core.ux.medi a.cbs.net/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrat ors (1 row) engine=# select id, name from ad_groups; id | name --------------------------------------+--------------------------------------- eee00000-0000-0000-0000-123456789eee | Everyone 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin (2 rows) On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs(a)redhat.com&gt; wrote: > > > ----- Original Message ----- >> From: "Paul Robert Marino" <prmarino1(a)gmail.com&gt; >> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; >> Cc: "Itamar Heim" <iheim(a)redhat.com&gt;, users(a)ovirt.org >> Sent: Wednesday, August 13, 2014 11:47:40 PM >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> Ok so before I open a bug ticket I want to confirm I'm not doing any >> thing wrong here. >> I upgraded to 3.4 >> now it says "Active: false " on LDAP groups. >> >> Again I tried to add the sysadmin group from the directory server and >> set the power user and super user roles on the group >> it shows up as "<domain name>/Groups/sysadmin" >> I adder the permisions by clicking on the configure link on the top of >> the screen and set them in the "System Permissions" tab > > Sounds good so far. > I assume also you see the permissiosn in the permissions sub tab when you click the group. > >> >> I added a user (pmarino) to the system which shows in the "Directory >> Group" tab shows "sysadmin groups <domian name>" among others >> however it only shows in the Permissions tab the permissions inherited >> by "Everyone" it does not show any permissions inherited by the >> sysadmin group. > > This is not good - I mean, should have worked. > >> >> just to prove it didnt work I logged out and attempted to log back in >> as the user (pmarino) it wouldn't let me log in >> >> I logged back in as the internal admin user then I added the SuperUser >> permissions directly to the pmarino account and logged back out again. >> Now when I logged in as pmarino it gave me the access I expected. > > Can I please ask you to provide some database info ? > > It will be awesome if you can provide the following SQL queries results - > > select group_ids, groups from users where username ilike '%pmarino%'; > > In addition, please perform - select id, name from ad_groups; > > Thanks for your help. > > P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the solution to the bugs) should have fixed your issue as well. > > > >> >> >> >> Here is the relevant portion of the engine log >> " >> 2014-08-13 16:00:38,801 INFO >> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) >> [1e7fa420] Running command: AddGroupCommand internal: false. Entities >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System >> 2014-08-13 16:00:38,813 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call >> Stack: null, Custom Event ID: -1, Message: User '<domain >> name>/Groups/sysadmin' was added successfully to the system. >> 2014-08-13 16:09:01,352 INFO >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: >> AddSystemPermissionCommand internal: false. Entities affected : ID: >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID: >> aaa00000-0000-0000-0000-123456789aaa Type: System >> 2014-08-13 16:09:01,371 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: >> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group >> <domain name>/Groups/sysadmin was granted permission for Role >> SuperUser on System by admin. >> 2014-08-13 16:10:40,963 INFO >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: >> AddSystemPermissionCommand internal: false. Entities affected : ID: >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID: >> aaa00000-0000-0000-0000-123456789aaa Type: System >> 2014-08-13 16:10:40,979 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, >> Call Stack: null, Custom Event ID: -1, Message: User/Group <domain >> name>/Groups/sysadmin was granted permission for Role PowerUserRole on >> System by admin. >> 2014-08-13 16:20:53,891 INFO >> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) >> [58e00be1] Running command: AddUserCommand internal: false. Entities >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System >> 2014-08-13 16:20:53,919 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call >> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added >> successfully to the system. >> 2014-08-13 16:35:52,202 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, >> Custom Event ID: -1, Message: User pmarino failed to log in. >> 2014-08-13 16:35:52,202 WARN >> [org.ovirt.engine.core.bll.LoginAdminUserCommand] >> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. >> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION >> 2014-08-13 16:39:48,048 INFO >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: >> AddSystemPermissionCommand internal: false. Entities affected : ID: >> aaa00000-0000-0000-0000-123456789aaa Type: System >> 2014-08-13 16:39:48,069 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: >> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group >> pmarino was granted permission for Role SuperUser on System by admin. >> 2014-08-13 16:40:43,357 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom >> Event ID: -1, Message: User pmarino logged in. >> >> " >> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs(a)redhat.com&gt; wrote: >> > >> > >> > ----- Original Message ----- >> >> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; >> >> To: "Itamar Heim" <iheim(a)redhat.com&gt; >> >> Cc: users(a)ovirt.org >> >> Sent: Monday, August 11, 2014 8:13:53 PM >> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> >> >> I have checked the codebase of 3.3 - >> >> the "active" field is used for presentation purpose only. >> > >> > Presentation wise only - means that it is not used for our permissions >> > calculation , for example. >> > >> >> Alon has addressed our plans for this in his previous comments. >> >> I hope this clarifies more.. >> >> >> >> Yair >> >> >> >> >> >> ----- Original Message ----- >> >> > From: "Itamar Heim" <iheim(a)redhat.com&gt; >> >> > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt;, "Paul Robert Marino" >> >> > <prmarino1(a)gmail.com&gt; >> >> > Cc: users(a)ovirt.org >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM >> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> > >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote: >> >> > > >> >> > > >> >> > > ----- Original Message ----- >> >> > >> From: "Paul Robert Marino" <prmarino1(a)gmail.com&gt; >> >> > >> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >> >> > >> Cc: "Maurice James" <mjames(a)media-node.com&gt;, users(a)ovirt.org >> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM >> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> > >> >> >> > >> Sorry for my delayed response to this >> >> > >> >> >> > >> I am using ovirt 3.3. >> >> > >> I am using Kerberos 5, and all of the DNS requirements are in place. >> >> > >> Finally 389 server is the upstream project for RHDS and one of the >> >> > >> upstream projects for IPA. >> >> > >> So I chose to set it as RHDS because its an identical match. >> >> > >> >> >> > >> User authentication works just fine my problem is adding roles to >> >> > >> groups. >> >> > >> I can assign a role to a group but the group always shows an inactive >> >> > >> status; however if I assign a role directly to to a user it works >> >> > >> fine. >> >> > >> In addition if I drill down into a user it knows what groups in the >> >> > >> 389 server the user is a member of. >> >> > >> >> >> > >> finally I can't see any error in the logs when adding a role to a >> >> > >> group >> >> > >> >> >> > > >> >> > > Please open a bug, I am unsure that it will be addressed before 3.5, >> >> > > as >> >> > > we >> >> > > have done major rework for the authentication and authorization to >> >> > > make >> >> > > it >> >> > > much more versatile. Even if there will be a fix it will be provided >> >> > > to >> >> > > 3.4.z. >> >> > > >> >> > > It will be best if you want to test this scenario in 3.5 release >> >> > > candidate >> >> > > and the new ldap provider, so we can address the issue before 3.5 >> >> > > release >> >> > > if exists. >> >> > > >> >> > >> >> > could also be one of these fixed in 3.4: >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it >> >> > does not inherit the group permissions >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to >> >> > a group indirectly, it does not inherit the group permissions >> >> > >> >> > >> >> >> > >> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl(a)redhat.com&gt; >> >> > >> wrote: >> >> > >>> >> >> > >>> >> >> > >>> ----- Original Message ----- >> >> > >>>> From: "Maurice James" <mjames(a)media-node.com&gt; >> >> > >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >> >> > >>>> Cc: "Itamar Heim" <iheim(a)redhat.com&gt;, users(a)ovirt.org >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> > >>>> >> >> > >>>> Does this still require the use of kerberos? Will 389-ds work on >> >> > >>>> its >> >> > >>>> own? >> >> > >>> >> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the >> >> > >>> kerberos/ldap >> >> > >>> mix. >> >> > >>> >> >> > >>> It will be great to receive feedback[2]. >> >> > >>> >> >> > >>> 389ds is not supported directly, I think it is similar to IPA as it >> >> > >>> uses >> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works >> >> > >>> properly. >> >> > >>> >> >> > >>> Regards, >> >> > >>> Alon >> >> > >>> >> >> > >>> [1] >> >> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl... >> >> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html >> >> > >>> >> >> > >>>> >> >> > >>>> ----- Original Message ----- >> >> > >>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >> >> > >>>> To: "Itamar Heim" <iheim(a)redhat.com&gt; >> >> > >>>> Cc: users(a)ovirt.org >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> > >>>> >> >> > >>>> >> >> > >>>> >> >> > >>>> ----- Original Message ----- >> >> > >>>>> From: "Itamar Heim" <iheim(a)redhat.com&gt; >> >> > >>>>> To: "Paul Robert Marino" <prmarino1(a)gmail.com&gt;, users(a)ovirt.org >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> > >>>>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote: >> >> > >>>>>> I have ovirt engine running and connected to a 389 server with >> >> > >>>>>> the >> >> > >>>>>> memberof plugin enabled and working properly. >> >> > >>>>>> >> >> > >>>>>> I can add users and assign them to roles without any issues. >> >> > >>>>>> >> >> > >>>>>> when I look at a user I can see all the LDAP groups they are a >> >> > >>>>>> member >> >> > >>>>>> of. >> >> > >>>>>> >> >> > >>>>>> when I run engine-manage-domains -action=validate it tells me >> >> > >>>>>> the >> >> > >>>>>> domain is valid. >> >> > >>>>>> >> >> > >>>>>> here is my problem when I try to assign a role to an LDAP group >> >> > >>>>>> it >> >> > >>>>>> looks like it works but in the general tab when under the group >> >> > >>>>>> it >> >> > >>>>>> tells me the status is Inactive. >> >> > >>>>>> >> >> > >>>>>> dose any one know how to enable the group? >> >> > >>>>>> _______________________________________________ >> >> > >>>>>> Users mailing list >> >> > >>>>>> Users(a)ovirt.org >> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >>>>>> >> >> > >>>>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider? >> >> > >>>> >> >> > >>>> >> >> > >>>> On case this is 3.5 it is known issue, all groups will be seen as >> >> > >>>> inactive, >> >> > >>>> this field will probably be removed from UI, as groups are no >> >> > >>>> longer >> >> > >>>> fetched >> >> > >>>> periodically. >> >> > >>>> This field is totally ignored. >> >> > >>>> >> >> > >>>> Alon >> >> > >>>> _______________________________________________ >> >> > >>>> Users mailing list >> >> > >>>> Users(a)ovirt.org >> >> > >>>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >>>> >> >> > >>> _______________________________________________ >> >> > >>> Users mailing list >> >> > >>> Users(a)ovirt.org >> >> > >>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >> >> >> > > _______________________________________________ >> >> > > Users mailing list >> >> > > Users(a)ovirt.org >> >> > > http://lists.ovirt.org/mailman/listinfo/users >> >> > > >> >> > >> >> > _______________________________________________ >> >> > Users mailing list >> >> > Users(a)ovirt.org >> >> > http://lists.ovirt.org/mailman/listinfo/users >> >> > >> >> _______________________________________________ >> >> Users mailing list >> >> Users(a)ovirt.org >> >> http://lists.ovirt.org/mailman/listinfo/users >> >> >> > _______________________________________________ >> > Users mailing list >> > Users(a)ovirt.org >> > http://lists.ovirt.org/mailman/listinfo/users >>