
I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3 release and the admin account is no longer able to login. After entering the user name and password I receive a message that states "The user admin@internal is not authorized to perform login". Is there a way to resolve this? Resetting the password did not work.

Are you using engine IP to login? Perhaps the sso default file was overwritten?

Alex

On Tue, May 29, 2018, 20:32 Michael Watters <wattersm@watters.ws> wrote:
I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3 release and the admin account is no longer able to login. After entering the user name and password I receive a message that states "The user admin@internal is not authorized to perform login".
Is there a way to resolve this? Resetting the password did not work.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQE...

I'm accessing the server using the host name which I've placed into /etc/hosts on both my workstation and the engine itself. The VM was built using a backup copy of our production engine data which means the host name matches what is used on the live server. Permissions also appear to be correct; I've checked the permissions table in postgresql and everything is fine there. The admin user does have access to the SuperUser role.

On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was overwritten?
Alex

It looks like the issue was caused by a new admin account being created in the internal-authz domain. Here is what the engine logs show.

2018-05-30 11:15:21,893-04 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-30 11:15:22,175-04 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-11) [77362b19] Running command: CreateUserSessionCommand internal: false.
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login

I was able to login after updating the permissions table to use the new user ID as follows.

update permissions
   set ad_element_id = (select user_id from users where domain = 'internal-authz' and username = 'admin')
 where ad_element_id = (select user_id from users where domain = 'internal' and username = 'admin');

Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when querying the admin account. For example:

[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z

Is there a way to resolve this conflict? Where does the admin@internal-authz account come from? I tried renaming the account but it is recreated every time that the engine is restarted.

On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was overwritten?
Alex
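
The log excerpt in the message above shows a pattern worth alerting on: SSO authentication succeeds and the engine rejects the session a moment later. The following Python script is an added example, not code from the thread or from oVirt; it correlates the two events over the quoted lines, and the function names and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the engine.log lines quoted in the message above,
# with the scope list on the first line shortened.
SAMPLE_LOG = """\
2018-05-30 11:15:21,893-04 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api
2018-05-30 11:15:22,175-04 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-11) [77362b19] Running command: CreateUserSessionCommand internal: false.
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login
"""

TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\S*\s+"
SSO_OK = re.compile(TS + r"INFO\s+\[[\w.]*AuthenticationUtils\].*?"
                    r"User (?P<user>[^@\s]+)@(?P<profile>\S+) successfully logged in")
LOGIN_FAILED = re.compile(TS + r"ERROR\s+\[[\w.]*AuditLogDirector\].*?"
                          r"USER_VDC_LOGIN_FAILED\(\d+\), User (?P<user>[^@\s]+)"
                          r"@(?P<domain>\S+) connecting from '(?P<ip>[^']*)'")

def parse_ts(text):
    # The UTC offset suffix ("-04") is dropped; both events come from one log.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def authenticated_but_rejected(log_text, window=timedelta(seconds=5)):
    """Find logins that passed SSO authentication and were then rejected
    by the engine within `window` (an assumed correlation interval)."""
    last_ok = {}   # user name -> (time, profile) of the latest SSO success
    findings = []
    for line in log_text.splitlines():
        m = SSO_OK.match(line)
        if m:
            last_ok[m["user"]] = (parse_ts(m["ts"]), m["profile"])
            continue
        m = LOGIN_FAILED.match(line)
        if not m or m["user"] not in last_ok:
            continue   # not a failure event, or no prior SSO success
        ok_time, profile = last_ok.pop(m["user"])
        if parse_ts(m["ts"]) - ok_time <= window:
            findings.append({"user": m["user"], "authn_profile": profile,
                             "rejected_as": f'{m["user"]}@{m["domain"]}',
                             "source_ip": m["ip"]})
    return findings

if __name__ == "__main__":
    for finding in authenticated_but_rejected(SAMPLE_LOG):
        print(finding)
```

The `rejected_as` value is the name from the failure event; in this thread that was the account whose ID the permissions rows had to reference. A failed login with no preceding SSO success, such as a wrong password, is not reported.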

That's very strange, can you please share the upgrade log if you still have it?

Also can you please share the output of:

$ select * from users;

and

$ select * from permissions;

and also please share content of:

/etc/ovirt-engine/extensions.d/internal-authn.properties
/etc/ovirt-engine/extensions.d/internal-auth.properties
/etc/ovirt-engine/aaa/internal.properties

On 05/30/2018 06:12 PM, Michael Watters wrote:
It looks like the issue was caused by a new admin account being created in the internal-authz domain. Here is what the engine logs show.
2018-05-30 11:15:21,893-04 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-30 11:15:22,175-04 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-11) [77362b19] Running command: CreateUserSessionCommand internal: false.
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login
I was able to login after updating the permissions table to use the new user ID as follows.
update permissions set ad_element_id = (select user_id from users where domain = 'internal-authz' and username = 'admin') where ad_element_id = (select user_id from users where domain = 'internal' and username = 'admin') ;
Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when querying the admin account. For example:
[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z
Is there a way to resolve this conflict? Where does the admin@internal-authz account come from? I tried renaming the account but it is recreated every time that the engine is restarted.

On 05/31/2018 06:43 AM, Ondra Machacek wrote:
That's very strange, can you please share the upgrade log if you still have it?
Here's a copy of the upgrade log. The file is pretty large. https://paste.fedoraproject.org/paste/I3WapJfAnzk81gEgKeeIDg/
Also can you please share the output of:
$ select * from users;
Users table looks like this. https://paste.fedoraproject.org/paste/1634vd5v75YOOOL7X96tzg/ Despite having two different "admin" accounts I can log in now.
and
$ select * from permissions;
https://paste.fedoraproject.org/paste/p9Bl2elvFDOn~Qgzm5J3eA
and also please share content of:
/etc/ovirt-engine/extensions.d/internal-authn.properties
https://paste.fedoraproject.org/paste/hePCFb1ufc0NMlelTLyX-g/
/etc/ovirt-engine/extensions.d/internal-auth.properties
/etc/ovirt-engine/aaa/internal.properties
These files do not exist. There is an internal-authz.properties file which looks like this. https://paste.fedoraproject.org/paste/gyhOj0FQvO~R5lFd4-5Z0Q/

participants (3): Alex K, Michael Watters, Ondra Machacek