Roger Ondra!
1) su - postgres -c "psql -t engine -c \"delete from users where
user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
Output:
DELETE 1
2) su - postgres -c "psql -t engine -c \"UPDATE users set
domain='internal-authz' where
user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
Output:
ERROR: duplicate key value violates unique constraint
"users_domain_external_id_unique"
DETAIL: Key (domain, external_id)=(internal-authz,
fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
3) systemctl restart ovirt-engine.service
No login yet :(
Look at this:
ovirt-aaa-jdbc-tool user show admin
Output:
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-21 19:15:59Z
Last unsuccessful Login At: 2016-06-20 17:33:24Z
Password Valid To: 2100-01-01 00:00:00Z
su - postgres -c "psql -t engine -c \"select * from users;\""
Output:
fdfc627c-d875-11e0-90f0-83df133b58cc | admin | |
internal | admin | |
| | t | fdfc627c-d875-11e0-90f0-83df133b58cc |
2015-09-19 21:38:44.838161-
05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator |
udistritaloas.edu.co | admin | |
| | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 |
2016-06-19 11:53:39.249812-
05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete |
internal-authz | julian | | danteconrad14(a)gmail.com
| | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af |
2016-06-20 11:22:56.483292-
05 | 2016-06-20 11:23:19.261686-05 | *
c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin | |
internal-authz | admin | |
| | f | fdfc627c-d875-11e0-90f0-83df133b58cc |
2016-06-21 13:54:07.765767-
05 | 2016-06-21 14:15:59.352697-05 | *
su - postgres -c "psql -t engine -c \"select * from permissions;\""
Output:
00000004-0004-0004-0004-00000000025e |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
0000000f-000f-000f-000f-000000000293 |
def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee
| 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
00000003-0003-0003-0003-00000000009c |
00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc
| aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 |
00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc
| aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000011-0011-0011-0011-0000000002a9 |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
00000013-0013-0013-0013-00000000031e |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
00000015-0015-0015-0015-0000000003b8 |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
00000017-0017-0017-0017-000000000388 |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
00000019-0019-0019-0019-0000000003d5 |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
00000027-0027-0027-0027-00000000027e |
def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee
| aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
7a3917ea-b2df-444f-938c-f768feeaee04 |
def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee
| 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
e8abc833-b860-451c-b580-780c7d1049d4 |
def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc
| 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc
| 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
On 06/21/2016 04:54 PM, Julián Tete wrote:
> That's right, I removed internal properties :/
>
> This is the output of the commands:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
> --user-name=admin --authz-name=internal-authz --role=SuperUser
>
> Output:
>
> FATAL: Please specify provider namespace
>
You don't have to run it, I've just sent it for future reference :)
But if you for example want to add SuperUser permissions to user 'julian',
you can run:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
--principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9' --role=SuperUser
--user-name=julian --authz-name=internal-authz --principal-namespace=*
And you don't need admin@internal-authz user.
> su - postgres -c "psql -t engine -c \"select * from users;\""
>
> Output:
>
> fdfc627c-d875-11e0-90f0-83df133b58cc | admin | |
> internal | admin | |
> | | t | fdfc627c-d875-11e0-90f0-83df133b58cc
> | 2015-09-19 21:38:44.838161-
> 05 | 2016-06-18 20:42:18.883738-05 | *
> 16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator |
> udistritaloas.edu.co | admin
> | | | | f
> | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-
> 05 | 2016-06-19 12:24:41.590162-05 | *
> c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete |
> internal-authz | julian | | danteconrad14(a)gmail.com
> | | f |
> 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-
> 05 | 2016-06-20 11:23:19.261686-05 | *
> 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | |
> internal-authz | admin | |
> | | f | fdfc627c-d875-11e0-90f0-83df133b58cc
> | 2016-06-19 11:43:51.644981-
> 05 | 2016-06-20 16:06:49.138862-05 | *
> su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
Ok, according to current status I would suggest you to:
1) remove admin@internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
$ su - postgres -c "psql -t engine -c \"delete from users where
user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
2) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set
domain='internal-authz' where
user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
Then restart ovirt-engine and try to login.
The problem here is that it tries to login with admin user which doesn't
have any permissions, and you have two admin users, because you have
removed internal-*properties files, so it added another one.
> Output:
>
>
> 00000004-0004-0004-0004-00000000025e |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
> 0000000f-000f-000f-000f-000000000293 |
> def0000a-0000-0000-0000-def000000010 |
> eee00000-0000-0000-0000-123456789eee |
> 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
> 00000003-0003-0003-0003-00000000009c |
> 00000000-0000-0000-0000-000000000001 |
> fdfc627c-d875-11e0-90f0-83df133b58cc |
> aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
> 00000006-0006-0006-0006-0000000000e3 |
> 00000000-0000-0000-0001-000000000002 |
> fdfc627c-d875-11e0-90f0-83df133b58cc |
> aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
> 00000011-0011-0011-0011-0000000002a9 |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
> 00000013-0013-0013-0013-00000000031e |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
> 00000015-0015-0015-0015-0000000003b8 |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
> 00000017-0017-0017-0017-000000000388 |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
> 00000019-0019-0019-0019-0000000003d5 |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
> 00000027-0027-0027-0027-00000000027e |
> def00021-0000-0000-0000-def000000015 |
> eee00000-0000-0000-0000-123456789eee |
> aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
> 7a3917ea-b2df-444f-938c-f768feeaee04 |
> def00009-0000-0000-0000-def000000009 |
> eee00000-0000-0000-0000-123456789eee |
> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
> e8abc833-b860-451c-b580-780c7d1049d4 |
> def0000a-0000-0000-0000-def00000000f |
> fdfc627c-d875-11e0-90f0-83df133b58cc |
> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
> c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
> def0000a-0000-0000-0000-def00000000b |
> fdfc627c-d875-11e0-90f0-83df133b58cc |
> 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
>
>
> 2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
>
>
> On 06/20/2016 08:33 PM, Julián Tete wrote:
>
> Thanks Ondra :)
>
> With the command:
>
> su - postgres -c "psql -t engine -c \"insert into permissions
> values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
>
> I've just remembered that there is a bash script for it:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>
> You can use it as follows:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
> --user-name=admin --authz-name=internal-authz --role=SuperUser
>
> But, as per your output above, obviously your problem is not missing
> permissions.
> I think the problem is that you removed internal*.properties files
> and then re-added them.
> Can you please send the output of the users table and permissions table?
> Thanks.
>
> su - postgres -c "psql -t engine -c \"select * from users;\""
> su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
> I get:
>
> ERROR: duplicate key value violates unique constraint
> "idx_combined_ad_role_object"
> DETAIL: Key (ad_element_id, role_id,
> object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
> 00000000-0000-0000-0000-000000000001,
> aaa00000-0000-0000-0000-123456789aaa) already exists.
>
> History
>
> 261 yum install ovirt-engine-extension-aaa-ldap
> 262 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/
> 263 cd /etc/ovirt-engine/
> 264 ll
> 265 vim profile1.properties
> 266 ll
> 267 cd cp
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
> 269 cd
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> 270 ll
> 271 cp
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 272 cd /etc/ovirt-engine/extensions.d/
> 273 ll
> 274 find / -type f -iname profile1.properties
> 275 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
> 276 find / -type f -iname profile1.properties
> 277 vim /etc/ovirt-engine/aaa/profile1.properties
> 278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 280 systemctl restart ovirt-engine
> 281 vim
> /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 282 cd /usr/share/
> 283 ls
> 284 cd ovirt-engine-aaa-ldap
> 285 ls
> 286 cd ovirt-engine-extension-aaa-ldap/
> 287 ls
> 288 cd examples/
> 289 ls
> 290 cd ad
> 291 ls
> 292 cd extensions.d/
> 293 ls
> 294 vim profile1-authn.properties
> 295 pwd
> 296 cd ..
> 297 pwd
> 298 cd ..
> 299 ls
> 300 cd simple
> 301 ls
> 302 cd aaa/
> 303 ls
> 304 vim profile1.properties
> 305 pwd
> 306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
> 307 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
> 308 vim /etc/ovirt-engine/aaa/profile1.properties
> 309 history
> 310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 312 systemctl restart ovirt-engine
> 313 updatedb
> 314 locate domain1-authn.properties
> 315 history
> 316 cd
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
> 317 ll
> 318 cd
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
> 319 ls
> 320 cd extensions.d/
> 321 ls
> 322 pwd
> 323 cd /etc/ovirt-engine/extensions.d/
> 324 ls
> 325 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> /etc/ovirt-engine/extensions.d/
> 326 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 327 rm -rf
> /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 328 rm -rf
> /etc/ovirt-engine/extensions.d/profile1-authz.properties
> 329 cp -r
>
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 330 ll
> 331 history
> 332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
> 333 chmod 600 /etc/ovirt-engine/extensions.d/*
> 334 ll
> 335 cd extensions.d/
> 336 ll
> 337 cd
> 338 engine-config -s SASL_QOP=auth
> 339 systemctl restart ovirt-engine
> 340 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin
> --ldap-servers=freeipa.udistritaloas.edu.co
> 341 systemctl restart ovirt-engine
> 342 engine-manage-domains list
> 343 history
> 344 cd /etc/ovirt-engine/extensions.d/
> 345 ll
> 346 rm -rf internal-authn.properties
> 347 rm -rf internal-authz.properties
> 348 rm -rf profile1-authn.properties
> 349 rm -rf profile1-authz.properties
> 350 history
> 351 cd /etc/ovirt-engine/aaa/
> 352 ll
> 353 rm -rf profile1.properties
> 354 vim internal.properties
> 355 systemctl restart ovirt-engine
> 356 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
> 357 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 358 engine-config -s AdminPassword=interactive
> 359 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 360 systemctl restart ovirt-engine
> 361 exit
> 362 cd /etc/ovirt-engine/aaa/
> 363 ll
> 364 vim internal.properties
> 365 /etc/ovirt-engine/extensions.d/
> 366 cd /etc/ovirt-engine/extensions.d/
> 367 ll
> 368 cd extensions.d/
> 369 ll
> 370 pwd
> 371 ll
> 372 cd ..
> 373 ll
> 374 cd ..
> 375 ll
> 376 cd /etc/ovirt-engine/extensions.d/
> 377 ll
> 378 cd extensions.d/
> 379 ll
> 380 pwd
> 381 ll
> 382 cd ..
> 383 ll
> 384 systemctl restart ovirt-engine.service
> 385 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
> 386 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 387 systemctl restart ovirt-engine.service
> 388 ovirt-aaa-jdbc-tool user password-reset admin@internal
> --password-valid-to="2100-01-01 00:00:00Z"
> 389 yum install -y ovirt-engine-extension-aaa-jdbc
> 390 engine-setup
> 391 ovirt-aaa-jdbc-tool user show admin
> 392 ovirt-aaa-jdbc-tool settings show
> 393 cd /var/log
> 394 ll
> 395 cd ovirt-engine
> 396 ll
> 397 tail -f n 100 ui.log
> 398 ll
> 399 tail -f -n engine.log
> 400 tail -f -n 1000 engine.log
> 401 tail -n 5000 engine.log | grep admin@internal
> 402 ovirt-aaa-jdbc-tool user show admin
> 403 ovirt-aaa-jdbc-tool user show admin@internal
> 404 ovirt-aaa-jdbc-tool query --what=user
> 405 engine-config -s AdminPassword=interactive
> 406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
> 407 vim
> /etc/ovirt-engine/extensions.d/internal-authn.properties
> 408 cd /etc/ovirt-engine/extensions.d/
> 409 ll
> 410 vim /etc/ovirt-engine/aaa/internal.properties
> 411 cd /etc/ovirt-engine/aaa/
> 412 ll
> 413 vim internal.properties
> 414 pwd
> 415 ovirt-aaa-jdbc-tool user add julian
> --attribute=firstName=Julian --attribute=lastName=Tete
> --attribute=email=danteconrad14(a)gmail.com
> 416 ovirt-aaa-jdbc-tool user password-reset julian
> --password-valid-to="2025-08-15 10:30:00Z"
> 417 history
> 418 tail -n 5000 engine.log | grep admin@internal
> 419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep
> admin@internal
> 420 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-from="2015-10-01 00:00:00Z"
> 421 ovirt-aaa-jdbc-tool user password-reset admin --force
> --password-valid-to="2100-01-01 00:00:00Z"
> 422 systemctl restart ovirt-engine.service
> 423 history
> 424 ovirt-aaa-jdbc-tool query --what=user
> 425 updatedb
> 426 locate internal
> 427 yum install -y ovirt-engine-cli
> 428 cd /opt
> 429 cd /opt/
>
>
>
> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
>
>
>
> On 06/20/2016 06:36 PM, Julián Tete wrote:
>
> oVirt: 3.6.2
>
> Trying to use:
>
>
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> First use:
>
> engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin
> --ldap-servers=freeipa.udistritaloas.edu.co
>
>
> The domain was added, but I can't access the
> webadmin portal :/
>
> I get the message:
>
> "User is not authorized to perform this action."
>
> In ovirt-cli
>
> [401] - Unauthorized
>
> tail -n 5000 /var/log/ovirt-engine/engine.log | grep
> admin@internal
>
> 2016-06-20 10:52:22,835 ERROR
>
>
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-32) [] Correlation ID: null, Call Stack:
> null, Custom
> Event ID: -1, Message: User admin@internal failed to log
> in.
> 2016-06-20 10:52:22,836 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (default
> task-32)
> [] CanDoAction of action 'LoginAdminUser' failed for user
> admin@internal. Reasons:
> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 ERROR
>
>
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-3) [] Correlation ID: null, Call Stack:
> null,
> Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:00:37,679 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (default task-3) []
> CanDoAction of action 'LoginUser' failed for user
> admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:01:04,016 ERROR
>
>
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-4) [] Correlation ID: null, Call Stack:
> null,
> Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:01:04,016 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (default task-4) []
> CanDoAction of action 'LoginUser' failed for user
> admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
>
> I am a little bit lost as to what your steps were to get into this
> state, but it looks like your admin@internal user had its SuperUser
> permissions removed. I am really not sure how you could achieve
> that, but to fix it please run the following command:
>
> $ su - postgres -c "psql -t engine -c \"insert into
> permissions
> values ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> This command will add your admin@internal SuperUser
> permissions on
> system.
>
> Can you please describe what you have done a bit more, so we
> can understand the problem?
>
> Thanks.
>
>
> Properties of Internal domain:
>
> cat /etc/ovirt-engine/aaa/internal.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
>
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file =
> /etc/ovirt-engine/aaa/internal.properties
>
> cat
> /etc/ovirt-engine/extensions.d/internal-authn.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
>
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file =
> /etc/ovirt-engine/aaa/internal.properties
>
> cat
> /etc/ovirt-engine/extensions.d/internal-authz.properties
>
> ovirt.engine.extension.name = internal-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
>
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authz
> config.datasource.file =
> /etc/ovirt-engine/aaa/internal.properties
>
> Properties of admin@internal user:
>
> ovirt-aaa-jdbc-tool user show admin
>
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-20 16:01:03Z
> Last unsuccessful Login At: 2016-06-19 16:53:07Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> Can I assign privileges to the user? Any idea?
>
>
>