[ovirt-devel] oVirt desktopLogin using ovirtsdk for python

Juan Hernández jhernand at redhat.com
Tue Dec 16 14:05:03 UTC 2014


On 12/16/2014 11:01 AM, Pavel Zelensky wrote:
> Hi
> 
> What version of the engine are you using exactly? And what is your
> authentication configuration?
> 
> [root@ovirt ~]# rpm -qa|grep ovirt-eng
> ovirt-engine-3.5.0.1-1.el6.noarch
> 
> # engine-manage-domains list
> Domain: ov.jetlab.local
>     User name: pzelensky@OV.JETLAB.LOCAL
> Manage Domains completed successfully
> 
> # cat engine-manage-domains.conf
> jaasFile=/usr/share/ovirt-engine/conf/jaas.conf
> krb5confFile=/etc/ovirt-engine/krb5.conf
> engineConfigExecutable=/usr/share/ovirt-engine/bin/engine-config.sh
> localHostEntry=localhost
> useDnsLookup=true
> [root@ovirt engine-manage-domains]# cat /etc/ovirt-engine/krb5.conf
> 
> [libdefaults]
> 
> default_realm = OV.JETLAB.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 10h
> renew_lifetime = 7d
> forwardable = no
> default_tkt_enctypes = arcfour-hmac-md5
> udp_preference_limit = 1
> 
> #realms
> 
> And also SDK version: ovirt_engine_sdk_python-3.5.0.8-py2.7
> So oVirt authenticates users using connection to MS AD which is based on
> Windows 2012R2
> 
> --
> Pavel
> 

I reproduced this in my environment. Apparently the password is lost
somewhere in the authentication process. Yair, can you please take a look?

>  
> 
> 
> On Tue, Dec 16, 2014 at 12:04 PM, Juan Hernández <jhernand at redhat.com> wrote:
> 
>     On 12/15/2014 08:37 PM, Pavel Zelensky wrote:
>     > Hi
>     >
>     > I think it's not a good idea, but I've done it:
>     >
>     > 2014-12-15 22:21:37,485 INFO  [org.ovirt.engine.core.bll.VmLogonCommand]
>     > (ajp--127.0.0.1-8702-6) [None] Running command: VmLogonCommand internal:
>     > false. Entities affected :  ID: 202ca21f-5167-4107-b1dd-2a7a5d64b32a
>     > Type: VMAction group CONNECT_TO_VM with role type USER
>     > 2014-12-15 22:21:37,495 INFO
>     >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>     > (ajp--127.0.0.1-8702-6) [None] START, VmLogonVDSCommand(HostName =
>     > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8,
>     > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=internal,
>     > password=null, userName=admin), log id: 776ac4b1
>     > 2014-12-15 22:21:37,514 INFO
>     >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>     > (ajp--127.0.0.1-8702-6) [None] FINISH, VmLogonVDSCommand, log id: 776ac4b1
>     > 2014-12-15 22:21:41,155 INFO
>     >  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>     > (DefaultQuartzScheduler_Worker-47) Correlation ID: null, Call Stack:
>     > null, Custom Event ID: -1, Message: User admin is connected to VM w7ent-01.
>     >
>     > Looks pretty the same, also trying to login as admin@internal into Win7
>     > workstation assigned to MS domain shouldn't work.
>     >
> 
>     I just wanted to check if with admin@internal you still get
>     password=null (they use different authentication mechanisms).
> 
>     > BTW, when I'm connecting to the same VM using the same domain user
>     > account through user portal - everything is Ok, and SSO works pretty
>     > good. In that case in logfile I'm getting this (password=[asterisks]):
>     > 2014-12-14 22:45:21,010 INFO
>     >  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>     > (ajp--127.0.0.1-8702-4) [6f5a076f] START, VmLogonVDSCommand(HostName =
>     > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8,
>     > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=ov.jetlab.local,
>     > password=******, userName=test4), log id: 7cc2d16a
>     >
>     > That's why I think that the problem is in the Python SDK. It uses
>     > JSESSIONID and does not send the password every time it executes a
>     > command through the REST API. Maybe with the api.vm.logon() method it
>     > should send the password again? But how can I do it?
>     >
>     > Pavel
>     >
> 
>     No, you shouldn't (and can't) send the password again. This isn't a
>     problem in the Python SDK, but in the backend or the RESTAPI.
> 
> 
>     >
>     > On Mon, Dec 15, 2014 at 8:41 PM, Juan Hernández <jhernand at redhat.com> wrote:
>     >
>     >     On 12/15/2014 05:57 PM, Pavel Zelensky wrote:
>     >     >
>     >     > Hi guys,
>     >     >
>     >     > I'm experiencing some problems trying to invoke api.vm.logon() method
>     >     > which I believe will call for desktopLogin on the VM and provide vm
>     >     > console with user logged in for remote-viewer.
>     >     >
>     >     > But it results in the following records in logfile:
>     >     > 2014-12-12 16:07:01,314 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
>     >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] Running command: VmLogonCommand
>     >     > internal: false. Entities affected :  ID:
>     >     > a7c151a4-2d63-4172-a840-190748a3dbc1 Type: VMAction group CONNECT_TO_VM
>     >     > with role type USER
>     >     > 2014-12-12 16:07:01,320 INFO
>     >     > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>     >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] START, VmLogonVDSCommand(HostName =
>     >     > ceph4, HostId = bbaad505-34a3-4a52-ab52-0446724cae30,
>     >     > vmId=a7c151a4-2d63-4172-a840-190748a3dbc1, domain=ov.jetlab.local,
>     >     > password=null, userName=test4), log id: 5d458d88
>     >     > 2014-12-12 16:07:01,536 INFO
>     >     > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>     >     > (ajp--127.0.0.1-8702-3) [7cfe61d3] FINISH, VmLogonVDSCommand, log id:
>     >     > 5d458d88
>     >     >
>     >     > I think that problem is in second line: 'password=null'. Engine doesn't
>     >     > get user password thus desktopLogin fails. In remote-viewer I'm getting
>     >     > black screen instead of user's desktop.
>     >     >
>     >     > Is there any solution for this?
>     >     >
>     >
>     >     Looks like an authentication problem. Can you try the same with
>     >     admin@internal?
>     >
>     >     --
>     >     Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>     >     3ºD, 28016 Madrid, Spain
>     >     Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat
>     >     S.L.
>     >
>     >
>     >
>     > --
>     > Pavel
> 
> 
>     --
>     Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>     3ºD, 28016 Madrid, Spain
>     Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat
>     S.L.
> 
> 
> 
> -- 
> ПЗ


-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
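
Added example (not part of the original thread and not oVirt project code): a check for the symptom discussed above, a VmLogonVDSCommand START entry logged with password=null instead of a masked value. The sample log is constructed from the entries quoted in the thread; the function names and the "missing"/"masked"/"unexpected" labels are assumptions of this example.

```python
import re

# Constructed sample: entries taken from the thread, wrapped across several
# lines as in the e-mail, to exercise the re-joining logic below.
SAMPLE_LOG = """\
2014-12-12 16:07:01,320 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [7cfe61d3] START, VmLogonVDSCommand(HostName =
ceph4, HostId = bbaad505-34a3-4a52-ab52-0446724cae30,
vmId=a7c151a4-2d63-4172-a840-190748a3dbc1, domain=ov.jetlab.local,
password=null, userName=test4), log id: 5d458d88
2014-12-12 16:07:01,536 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [7cfe61d3] FINISH, VmLogonVDSCommand, log id: 5d458d88
2014-12-14 22:45:21,010 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-4) [6f5a076f] START, VmLogonVDSCommand(HostName =
ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8,
vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=ov.jetlab.local,
password=******, userName=test4), log id: 7cc2d16a
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
START = re.compile(r"START, VmLogonVDSCommand\((?P<args>.*)\), log id: (?P<logid>\w+)")
FIELD = re.compile(r"(\w+)\s*=\s*([^,]*)")

def join_entries(text):
    """Re-join wrapped lines: a new log entry begins with a timestamp."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def logon_events(text):
    """Return one dict per VmLogonVDSCommand START entry, with password state."""
    events = []
    for entry in join_entries(text):
        m = START.search(entry)
        if not m:
            continue
        f = {k: v.strip() for k, v in FIELD.findall(m.group("args"))}
        pw = f.get("password", "")
        state = ("missing" if pw == "null" else
                 "masked" if pw and set(pw) == {"*"} else "unexpected")
        # Never copy the password value itself into the result.
        events.append({"time": entry[:23], "log_id": m.group("logid"),
                       "user": f.get("userName"), "domain": f.get("domain"),
                       "vm": f.get("vmId"), "password_state": state})
    return events
```

An "unexpected" state means the field was neither null nor all asterisks and is worth checking by hand, since it may be an unmasked value.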


