----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Sunday, August 17, 2014 4:33:30 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
here are the results of the queries you asked for
group_ids
|
groups
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---- 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | core.ux.medi a.cbs.net/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrat ors (1 row)
engine=# select id, name from ad_groups; id | name --------------------------------------+--------------------------------------- eee00000-0000-0000-0000-123456789eee | Everyone 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin (2 rows)
It does look that there is something wrong in the association of users to their group IDS. Just to make sure I'm not missing anything - Did you first add the goup, and then added users (that belong to a group) either by adding users, or by adding a permission? Yair
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok so before I open a bug ticket I want to confirm I'm not doing any thing wrong here. I upgraded to 3.4 now it says "Active: false " on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group it shows up as "<domain name>/Groups/sysadmin" I adder the permisions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab
Sounds good so far. I assume also you see the permissiosn in the permissions sub tab when you click the group.
I added a user (pmarino) to the system which shows in the "Directory Group" tab shows "sysadmin groups <domian name>" among others however it only shows in the Permissions tab the permissions inherited by "Everyone" it does not show any permissions inherited by the sysadmin group.
This is not good - I mean, should have worked.
just to prove it didnt work I logged out and attempted to log back in as the user (pmarino) it wouldn't let me log in
I logged back in as the internal admin user then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info ?
It will be awesome if you can provide the following SQL queries results -
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform - select id, name from ad_groups;
Thanks for your help.
P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log " 2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system. 2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin. 2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin. 2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system. 2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in. 2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION 2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin. 2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 - the "active" field is used for presentation purpose only.
Presentation wise only - means that it is not used for our permissions calculation , for example.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more..
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com> Cc: users@ovirt.org Sent: Sunday, August 10, 2014 11:54:05 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
On 08/10/2014 10:50 PM, Alon Bar-Lev wrote: > > > ----- Original Message ----- >> From: "Paul Robert Marino" <prmarino1@gmail.com> >> To: "Alon Bar-Lev" <alonbl@redhat.com> >> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org >> Sent: Sunday, August 10, 2014 10:43:14 PM >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> Sorry for my delayed response to this >> >> I am using ovirt 3.3. >> I am using Kerberos 5, and all of the DNS requirements are in >> place. >> Finally 389 server is the upstream project for RHDS and one of the >> upstream projects for IPA. >> So I chose to set it as RHDS because its an identical match. >> >> User authentication works just fine my problem is adding roles to >> groups. >> I can assign a role to a group but the group always shows an >> inactive >> status; however if I assign a role directly to to a user it works >> fine. >> In addition if I drill down into a user it knows what groups in >> the >> 389 server the user is a member of. >> >> finally I can't see any error in the logs when adding a role to a >> group >> > > Please open a bug, I am unsure that it will be addressed before > 3.5, > as > we > have done major rework for the authentication and authorization to > make > it > much more versatile. Even if there will be a fix it will be > provided > to > 3.4.z. > > It will be best if you want to test this scenario in 3.5 release > candidate > and the new ldap provider, so we can address the issue before 3.5 > release > if exists. >
could also be one of these fixed in 3.4: 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions
>> >> >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> >> wrote: >>> >>> >>> ----- Original Message ----- >>>> From: "Maurice James" <mjames@media-node.com> >>>> To: "Alon Bar-Lev" <alonbl@redhat.com> >>>> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org >>>> Sent: Saturday, August 9, 2014 3:47:04 AM >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>>> >>>> Does this still require the use of kerberos? Will 389-ds work on >>>> its >>>> own? >>> >>> In 3.5 we introduced pure ldap support[1], obsoleting the >>> kerberos/ldap >>> mix. >>> >>> It will be great to receive feedback[2]. >>> >>> 389ds is not supported directly, I think it is similar to IPA as >>> it >>> uses >>> 389. Maybe I should rename the profile of ipa to 389 if it works >>> properly. >>> >>> Regards, >>> Alon >>> >>> [1] >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;... >>> [2] >>> http://lists.ovirt.org/pipermail/devel/2014-August/008367.html >>> >>>> >>>> ----- Original Message ----- >>>> From: "Alon Bar-Lev" <alonbl@redhat.com> >>>> To: "Itamar Heim" <iheim@redhat.com> >>>> Cc: users@ovirt.org >>>> Sent: Friday, August 8, 2014 3:45:07 PM >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>>> >>>> >>>> >>>> ----- Original Message ----- >>>>> From: "Itamar Heim" <iheim@redhat.com> >>>>> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org >>>>> Sent: Friday, August 8, 2014 10:37:11 PM >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive >>>>> groups >>>>> >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote: >>>>>> I have ovirt engine running and connected to a 389 server with >>>>>> the >>>>>> memberof plugin enabled and working properly. >>>>>> >>>>>> I can add users and assign them to roles without any issues. >>>>>> >>>>>> when I look at a user I can see all the LDAP groups they are a >>>>>> member >>>>>> of. >>>>>> >>>>>> when I run engine-manage-domains -action=validate it tells me >>>>>> the >>>>>> domain is valid. >>>>>> >>>>>> here is my problem when I try to assign a role to an LDAP >>>>>> group >>>>>> it >>>>>> looks like it works but in the general tab when under the >>>>>> group >>>>>> it >>>>>> tells me the status is Inactive. >>>>>> >>>>>> dose any one know how to enable the group? >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users@ovirt.org >>>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>>> >>>>> >>>>> 3.4 or new 3.5 Generic LDAP provider? >>>> >>>> >>>> On case this is 3.5 it is known issue, all groups will be seen >>>> as >>>> inactive, >>>> this field will probably be removed from UI, as groups are no >>>> longer >>>> fetched >>>> periodically. >>>> This field is totally ignored. >>>> >>>> Alon >>>> _______________________________________________ >>>> Users mailing list >>>> Users@ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>> _______________________________________________ >>> Users mailing list >>> Users@ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users >> > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users >
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users