
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2
Trying to use:
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
First use:
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
The domain was added, but I can't access the webadmin portal :/
I get the message:
"User is not authorized to perform this action."
In ovirt-cli
[401] - Unauthorized
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
I am a little bit lost as to what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could achieve that, but to fix it please run the following command:

$ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""

This command will add SuperUser permissions on the system to your admin@internal user. Can you please describe what you have done a bit more, so we can understand the problem? Thanks.
Properties of Internal domain:
cat /etc/ovirt-engine/aaa/internal.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authn.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authz.properties
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
Properties of admin@internal user:
ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z
Can I assign privileges to the user? Any idea?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
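
Added example, not part of the original thread and not oVirt code: the reply attributes the failure to missing permissions rather than bad credentials, and the quoted output is consistent with that, since ovirt-aaa-jdbc-tool records a successful login at 16:01:03Z while engine.log rejects LoginUser at 11:01:04. This Python example extracts USER_NOT_AUTHORIZED_TO_PERFORM_ACTION login denials from engine.log and keeps those that directly follow a successful authentication. The function names, the 5-second window and the UTC-5 offset of the log timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: two of the WARN lines quoted in the thread, embedded inline.
SAMPLE_LOG = """\
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

# Matches the CanDoAction failure lines for login actions only.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ WARN .*?"
    r"CanDoAction of action '(?P<action>Login\w*)' failed for user "
    r"(?P<user>\S+?)\. Reasons: (?P<reasons>[A-Z_,]+)"
)
AUTHZ_REASON = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"


def denied_logins(log_text, utc_offset_hours):
    """Return (utc_time, action, user) for logins rejected at authorization.

    utc_offset_hours is the offset of the log's local timestamps (assumed).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = []
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m and AUTHZ_REASON in m["reasons"].split(","):
            local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
            hits.append((utc, m["action"], m["user"]))
    return hits


def authenticated_but_denied(hits, last_success_utc, window_s=5):
    """Keep denials logged within window_s seconds after a successful authn.

    A hit here means the credentials were accepted and the rejection came
    from the permission check, which is the case the reply describes.
    """
    return [h for h in hits
            if 0 <= (h[0] - last_success_utc).total_seconds() <= window_s]


if __name__ == "__main__":
    # "Last successful Login At" from the ovirt-aaa-jdbc-tool output above.
    last_ok = datetime(2016, 6, 20, 16, 1, 3, tzinfo=timezone.utc)
    for when, action, user in authenticated_but_denied(
            denied_logins(SAMPLE_LOG, -5), last_ok):
        print(f"{when.isoformat()} {user}: {action} passed authn, denied at authz")
```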