Hi

I was able to fix the problem.
I am not 100% sure, but it seems like restarting ovirt-provider-ovn didn't apply the changes.

So, here is what I did.
I performed the secret update and restarted the services, and there were no changes.
Then I changed debug, but the log file didn't appear, so I performed a stop/start... And from that moment everything has been working fine.

Should I enable the "Automatic Synchronization" that you mentioned in the first message?

Andrey

Tue, 12 Feb 2019 at 22:39, Dominik Holler <dholler@redhat.com>:
On Tue, 12 Feb 2019 21:06:24 +0300
Андрей Русаков <anrusakov@gmail.com> wrote:

> Hi Dominik,
> Thank you for your reply.
>
> Automatic Synchronization is Disabled already.
>
> Yes,
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> is in place.
> I googled a bit (before starting a new thread) and found a similar problem (the
> case was a wrong/missing ovirt-sso-client-secret), and I tried to update
> ovirt-sso-client-secret.

How did you update the secret?
The procedure would be
1. Run /usr/share/ovirt-engine/bin/ovirt-register-sso-client-tool.sh
   with
   Client Id: ovirt-provider-ovn
   Client CA Certificate File Location: /etc/pki/ovirt-engine/certs/engine.cer
   Callback Prefix URL: https://<ENGINE_FQDN>:443/ovirt-engine/
2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous
   command in
   /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
3. Restart ovirt-engine and ovirt-provider-ovn
   systemctl restart ovirt-engine
   systemctl restart ovirt-provider-ovn


If this does not solve the problem and you want to use the
ovirt-provider-ovn, please increase logging in ovirt-provider-ovn via
sudo sed -i.$(date +%F-%H-%M) 's/INFO/DEBUG/gi' /etc/ovirt-provider-ovn/logger.conf
systemctl restart ovirt-provider-ovn

and share the ovirt-provider-ovn.log with the error after the restart.


> But it didn't help
>
> Andrey.
>
> Tue, 12 Feb 2019 at 20:04, Dominik Holler <dholler@redhat.com>:
>
> > On Tue, 12 Feb 2019 16:50:06 -0000
> > Andrey Rusakov <anrusakov@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Recently I upgraded my oVirt installation from 4.2.8 to 4.3.
> > > I was able to log in right after the upgrade (yum, setup, reboot).
> > > But according to the logs, the account locks in 2-3 minutes.
> > >
> > > 2019-02-12 15:44:57,228+03 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-1) [] OAuthException invalid_grant: The provided authorization grant for the auth code has expired.
> > > 2019-02-12 15:44:57,232+03 ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-2) [] Cannot authenticate using authentication Headers: invalid_grant: The provided authorization grant for the auth code has expired.
> > > 2019-02-12 15:44:57,307+03 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-2) [] locking user: admin due to interval failures
> > >
> > > I was able to unlock admin using the CLI, but every time I go to the OVN config it locks immediately.
> > >
> > > Checking the OVN service logs I can see
> > >
> > > code 401, message Unauthorized
> > > "POST /v2.0/tokens HTTP/1.1" 401 -
> > >
> > > And
> > > "Error during SSO authentication invalid_grant : The provided authorization grant for the auth code has expired."
> > > on the OVN web page.
> > >
> >
> >
> > For a timely fix, please disable automatic synchronization of the
> > ovirt-provider-ovn via web UI Administration -> Providers ->
> > ovirt-provider-ovn -> Edit -> Disable Automatic Synchronization
> >
> > Is there a file
> > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > ?
> >
> > > Is it possible to renew the authorization grant or ...?
> > >
> > > _______________________________________________
> > > Users mailing list -- users@ovirt.org
> > > To unsubscribe send an email to users-leave@ovirt.org
> > > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > > oVirt Code of Conduct:
> > https://www.ovirt.org/community/about/community-guidelines/
> > > List Archives:
> > https://lists.ovirt.org/archives/list/users@ovirt.org/message/FRTJIQSQGCANHY7HKQAPPBHGLRN2LDJK/
> >
> >
>



--
Best regards,
Русаков Андрей.
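
An added example, not part of the original thread and not oVirt project code: a Python check that correlates the `invalid_grant` SSO errors with the `locking user` events in engine log lines of the form quoted in the original report, to show which lockouts follow failed SSO grants. The function names, the 60-second window and the last sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Layout of the engine log lines quoted in the thread:
# <date> <time>,<ms><tz> <LEVEL> [<logger>] (<thread>) [<correlation>] <message>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})([+-]\d{2})\s+"
    r"(\w+)\s+\[([^\]]+)\]\s+\(([^)]*)\)\s+\[[^\]]*\]\s+(.*)$"
)
LOCK_RE = re.compile(r"locking user: (\S+) due to interval failures")

def parse_line(line):
    """Return (timestamp, level, logger, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, ms, tz, level, logger, _thread, msg = m.groups()
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(ms) * 1000, tzinfo=timezone(timedelta(hours=int(tz))))
    return when, level, logger, msg

def find_sso_lockouts(lines, window=timedelta(seconds=60)):
    """List (user, lock_time, n_errors) for lockouts that follow invalid_grant
    errors within `window` (the 60 s default is an assumption, not an oVirt setting)."""
    grant_errors, findings = [], []
    for parsed in filter(None, map(parse_line, lines)):
        when, level, _logger, msg = parsed
        if level == "ERROR" and "invalid_grant" in msg:
            grant_errors.append(when)
        lock = LOCK_RE.search(msg)
        if lock:
            recent = [t for t in grant_errors if timedelta(0) <= when - t <= window]
            if recent:
                findings.append((lock.group(1), when, len(recent)))
    return findings

# First three lines: from the report in the thread, rejoined onto single lines.
# Last line: constructed, a lockout with no preceding SSO error (must be ignored).
SAMPLE = [
    "2019-02-12 15:44:57,228+03 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-1) [] OAuthException invalid_grant: The provided authorization grant for the auth code has expired.",
    "2019-02-12 15:44:57,232+03 ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-2) [] Cannot authenticate using authentication Headers: invalid_grant: The provided authorization grant for the auth code has expired.",
    "2019-02-12 15:44:57,307+03 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-2) [] locking user: admin due to interval failures",
    "2019-02-12 16:30:00,000+03 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-5) [] locking user: demo due to interval failures",
]

if __name__ == "__main__":
    for user, when, n in find_sso_lockouts(SAMPLE):
        print(f"{when.isoformat()} user={user} locked after {n} invalid_grant errors")
```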