[Users] 3.2 beta and IPA domain question

Hello,
I seem to remember in RHEV 3.0 that when you configured an IPA domain, its admin was automatically configured as an admin for RHEV itself. Is it true and, in case, does it remain true for oVirt?

I configured IPA as shipped on CentOS 6.3+updates
ipa-server-2.2.0-17.el6_3.1.x86_64

I successfully added it to my oVirt 3.2 beta setup

[root@f18engine ~]# engine-manage-domains -action=add -domain=LOCALDOMAIN.LOCAL -user=admin -provider=IPA -interactive
Enter password:

The domain localdomain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

Then

[root@f18engine ~]# systemctl try-restart ovirt-engine.service
[root@f18engine ~]# systemctl status ovirt-engine.service
ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled)
   Active: active (running) since Sat 2013-02-02 00:10:29 CET; 10s ago
  Process: 32512 ExecStop=/usr/bin/engine-service stop (code=exited, status=0/SUCCESS)
  Process: 32520 ExecStart=/usr/bin/engine-service start (code=exited, status=0/SUCCESS)
 Main PID: 32521 (java)
   CGroup: name=systemd:/system/ovirt-engine.service
           └─32521 engine-service -server -XX:+TieredCompilation -Xms1g -Xmx1g -XX:PermSize=256m -XX:MaxPe...

Feb 02 00:10:28 f18engine.localdomain.local systemd[1]: Starting oVirt Engine...
Feb 02 00:10:29 f18engine.localdomain.local engine-service[32520]: Started engine process 32521.
Feb 02 00:10:29 f18engine.localdomain.local engine-service[32520]: Starting engine-service: [ OK ]
Feb 02 00:10:29 f18engine.localdomain.local systemd[1]: Started oVirt Engine.

Now from web admin portal I can choose the "localdomain.local" domain in drop down menu.
But when I try to enter the webadmin portal I get:

User is not authorized to perform this action.

Do I need to grant IPA admin user from internal admin before, or should it just work?

Gianluca

Hi,

The IPA (or Active Directory) admin user doesn't get admin permissions anymore.
You can change this with option -addPermissions:

-addPermissions
    In combination with -action=add/edit will add engine superuser permissions to the user. Default behaviour is not to add permissions.

Or login with admin@internal and give your IPA admin superuser permissions in webadmin.

--
Best Regards

René Koch
Senior Solution Architect

============================================
ovido gmbh - "Das Linux Systemhaus"
Brünner Straße 163, A-1210 Wien

Phone: +43 720 / 530 670 - 0
Mobile: +43 660 / 512 21 31
E-Mail: r.koch@ovido.at
============================================

On 02/Feb/2013 13:07, "René Koch" <r.koch@ovido.at> wrote:
> Hi,
>
> The IPA (or Active Directory) admin user doesn't get admin permissions anymore.
> You can change this with option -addPermissions:
>
> -addPermissions
>     In combination with -action=add/edit will add engine superuser permissions to the user. Default behaviour is not to add permissions.
>
> Or login with admin@internal and give your IPA admin superuser permissions in webadmin.

Actually I prefer this new approach that I consider an enhancement.
I plan to create a normal (from an ipa point of view) user named ovirtadmin and give him oVirt system admin privileges.

Thanks

A question about this -
Do you think the message printed to the user (after the domain is added without -addPermissions) should be extended and have an additional line like

After "Users from this domain can be granted permissions from the Web administration interface."
Maybe we should add "or the domain should be added/edited with the -addPermissions option".

What do you think?

> After "Users from this domain can be granted permissions from the Web administration interface."
> Maybe we should add "or the domain should be added/edited with the -addPermissions option".
>
> What do you think?

I think that, by the time this message is shown, the domain has been added. No point in telling about how the domain _could_ have been added.

Something like "Users from this domain can be granted permissions from the Web administration interface, or by passing the -addPermissions flag to engine-manage-domains."

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

I'll file a bug for this.
There is another issue here - -addPermissions can be used at action=edit, but if not provided during action=edit for a domain I already added permissions for, I get the print of -

The domain example.com has been added to the engine as an authentication source but no users from that domain have been granted permissions

Which is incorrect in this case.

participants (4)
- Gianluca Cecchi
- René Koch
- Tim Hildred
- Yair Zaslavsky