I'm accessing the server using the host name which I've placed into /etc/hosts on both my workstation and the engine itself.  The VM was built using a backup copy of our production engine data which means the host name matches what is used on the live server.  Permissions also apppear to be correct, I've checked the permissions table in postgresql and everything is fine there.  The admin user does have access to the SuperUser role. On 05/29/2018 04:31 PM, Alex K wrote:

That's very strange, can you please share the upgrade log if you still have it? Also can you please share the output of: $ select * from users; and $ select * from permissions; and also please share content of: /etc/ovirt-engine/extensions.d/internal-authn.properties /etc/ovirt-engine/extensions.d/internal-auth.properties /etc/ovirt-engine/aaa/internal.properties On 05/30/2018 06:12 PM, Michael Watters wrote: > It looks like the issue was caused by a new admin account being created > in the internal-authz domain.  Here is what the engine logs show. > > 2018-05-30 11:15:21,893-04 INFO > [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) > [] User admin@internal successfully logged in with scopes: > ovirt-app-admin ovirt-app-api ovirt-app-portal > ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all > ovirt-ext=token-info:authz-search > ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate > ovirt-ext=token:password-access > > 2018-05-30 11:15:22,175-04 INFO > [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default > task-11) [77362b19] Running command: CreateUserSessionCommand internal: > false. > > 2018-05-30 11:15:22,252-04 ERROR > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] > (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User > admin@internal-authz connecting from '10.209.44.27' failed to log > in<UNKNOWN>. > > 2018-05-30 11:15:22,253-04 ERROR > [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default > task-11) [] The user admin@internal is not authorized to perform login > > I was able to login after updating the permissions table to use the new > user ID as follows. > > update permissions set ad_element_id = (select user_id from users where > domain = 'internal-authz' and username = 'admin') where ad_element_id = > (select user_id from users where domain = 'internal' and username = > 'admin') ; > > Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when > querying the admin account.  For example: > > [root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin > -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) -- > Namespace: * > Name: admin > ID: fdfc627c-d875-11e0-90f0-83df133b58cc > Display Name: > Email: > First Name: admin > Last Name: > Department: > Title: > Description: > Account Disabled: false > Account Locked: false > Account Unlocked At: 1970-01-01 00:00:00Z > Account Valid From: 2016-11-16 15:27:01Z > Account Valid To: 2216-11-16 15:27:01Z > Account Without Password: false > Last successful Login At: 2018-05-30 16:02:46Z > Last unsuccessful Login At: 2018-05-29 19:25:28Z > Password Valid To: 2216-09-29 15:27:01Z > > Is there a way to resolve this conflict?  Where does the > admin@internal-authz account come from?  I tried renaming the account > but it is recreated every time that the engine is restarted. > > > On 05/29/2018 04:31 PM, Alex K wrote: >> Are you using engine IP to login? Perhaps the sso default file was >> overwritten? >> >> Alex >> >> On Tue, May 29, 2018, 20:32 Michael Watters <wattersm(a)watters.ws >> <mailto:wattersm@watters.ws>> wrote: >> >> I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3 >> release and the admin account is no longer able to login. After >> entering the user name and password I receive a message that >> states "The >> user admin@internal is not authorized to perform login". >> >> Is there a way to resolve this?  Resetting the password did not work. >> _______________________________________________ >> Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org> >> To unsubscribe send an email to users-leave(a)ovirt.org >> <mailto:users-leave@ovirt.org> >> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >> oVirt Code of Conduct: >> https://www.ovirt.org/community/about/community-guidelines/ >> List Archives: >> https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMN... >> > > > > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to users-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/site/privacy-policy/ > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/DT7ERVLLGIY... >