[ovirt-devel] oVirt desktopLogin using ovirtsdk for python

Pavel Zelensky pzelensky at gmail.com
Tue Dec 16 10:01:03 UTC 2014


Hi

What version of the engine are you using exactly? And what is your
authentication configuration?

[root at ovirt ~]# rpm -qa|grep ovirt-eng
ovirt-engine-3.5.0.1-1.el6.noarch

# engine-manage-domains list
Domain: ov.jetlab.local
    User name: pzelensky at OV.JETLAB.LOCAL
Manage Domains completed successfully

# cat engine-manage-domains.conf
jaasFile=/usr/share/ovirt-engine/conf/jaas.conf
krb5confFile=/etc/ovirt-engine/krb5.conf
engineConfigExecutable=/usr/share/ovirt-engine/bin/engine-config.sh
localHostEntry=localhost
useDnsLookup=true
[root at ovirt engine-manage-domains]# cat /etc/ovirt-engine/krb5.conf

[libdefaults]

default_realm = OV.JETLAB.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

And also SDK version: ovirt_engine_sdk_python-3.5.0.8-py2.7
So oVirt authenticates users using connection to MS AD which is based on
Windows 2012R2

--
Pavel




On Tue, Dec 16, 2014 at 12:04 PM, Juan Hernández <jhernand at redhat.com>
wrote:
>
> On 12/15/2014 08:37 PM, Pavel Zelensky wrote:
> > Hi
> >
> > I think it's not good idea, but I've done it:
> >
> > 2014-12-15 22:21:37,485 INFO  [org.ovirt.engine.core.bll.VmLogonCommand]
> > (ajp--127.0.0.1-8702-6) [None] Running command: VmLogonCommand internal:
> > false. Entities affected :  ID: 202ca21f-5167-4107-b1dd-2a7a5d64b32a
> > Type: VMAction group CONNECT_TO_VM with role type USER
> > 2014-12-15 22:21:37,495 INFO
> >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> > (ajp--127.0.0.1-8702-6) [None] START, VmLogonVDSCommand(HostName =
> > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8,
> > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=internal,
> > password=null, userName=admin), log id: 776ac4b1
> > 2014-12-15 22:21:37,514 INFO
> >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> > (ajp--127.0.0.1-8702-6) [None] FINISH, VmLogonVDSCommand, log id:
> 776ac4b1
> > 2014-12-15 22:21:41,155 INFO
> >  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > (DefaultQuartzScheduler_Worker-47) Correlation ID: null, Call Stack:
> > null, Custom Event ID: -1, Message: User admin is connected to VM
> w7ent-01.
> >
> > Looks pretty the same, also trying to login as admin at internal into Win7
> > workstation assigned to MS domain shouldn't work.
> >
>
> I just wanted to check if with admin at internal you still get
> password=null (they use different authentication mechanisms).
>
> > BTW, when I'm connecting to the same VM using the same domain user
> > account through user portal - everything is Ok, and SSO works pretty
> > good. In that case in logfile I'm getting this (password=[asterisks]):
> > 2014-12-14 22:45:21,010 INFO
> >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> > (ajp--127.0.0.1-8702-4) [6f5a076f] START, VmLogonVDSCommand(HostName =
> > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8,
> > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=ov.jetlab.local,
> > password=******, userName=test4), log id: 7cc2d16a
> >
> > that's why I think that problem is in python sdk. It uses JSESSIONID and
> > not sending password every time it executing command through REST API.
> > May be with api.vm.logon() method It should send password again? But how
> > I can do it?
> >
> > Pavel
> >
>
> No, you shouldn't (and can't) sent the password again. This isn't a
> problem in the Python SDK, but in the backend or the RESTAPI.
>
>
> >
> > On Mon, Dec 15, 2014 at 8:41 PM, Juan Hernández <jhernand at redhat.com
> > <mailto:jhernand at redhat.com>> wrote:
> >
> >     On 12/15/2014 05:57 PM, Pavel Zelensky wrote:
> >     >
> >     > Hi guys,
> >     >
> >     > I'm expiriencing some problems trying to invoke api.vm.logon()
> method
> >     > which I believe will call for desktopLogin on the VM and provide vm
> >     > console with user logged in for remote-viewer.
> >     >
> >     > But it results in the following records in logfile:
> >     > 2014-12-12 16:07:01,314 INFO
> >     [org.ovirt.engine.core.bll.VmLogonCommand]
> >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] Running command: VmLogonCommand
> >     > internal: false. Entities affected :  ID:
> >     > a7c151a4-2d63-4172-a840-190748a3dbc1 Type: VMAction group
> >     CONNECT_TO_VM
> >     > with role type USER
> >     > 2014-12-12 16:07:01,320 INFO
> >     > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] START,
> VmLogonVDSCommand(HostName =
> >     > ceph4, HostId = bbaad505-34a3-4a52-ab52-0446724cae30,
> >     > vmId=a7c151a4-2d63-4172-a840-190748a3dbc1, domain=ov.jetlab.local,
> >     > password=null, userName=test4), log id: 5d458d88
> >     > 2014-12-12 16:07:01,536 INFO
> >     > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] FINISH, VmLogonVDSCommand, log
> id:
> >     > 5d458d88
> >     >
> >     > I think that problem is in second line: 'password=null'. Engine
> >     doesn't
> >     > get user password thus desktopLogin fails. In remote-viewer I'm
> >     getting
> >     > black screen instead of users's desktop.
> >     >
> >     > Is there any solution for this?
> >     >
> >
> >     Looks like an authentication problem. Can you try the same with
> >     admin at internal?
> >
> >     --
> >     Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
> >     3ºD, 28016 Madrid, Spain
> >     Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat
> >     S.L.
> >
> >
> >
> > --
> > Pavel
>
>
> --
> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
> 3ºD, 28016 Madrid, Spain
> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
>


-- 
ПЗ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20141216/a545e209/attachment.html>


More information about the Devel mailing list