[Engine-devel] users cannot log into userportal
Einav Cohen
ecohen at redhat.com
Fri Aug 9 14:22:21 UTC 2013
> ----- Original Message -----
> From: "Alexander Wels" <awels at redhat.com>
> Sent: Friday, August 9, 2013 10:11:07 AM
>
> On Friday, August 09, 2013 08:28:15 AM Einav Cohen wrote:
> > > ----- Original Message -----
> > > From: "Alexander Wels" <awels at redhat.com>
> > > Sent: Friday, August 9, 2013 8:19:34 AM
> > >
> > > On Thursday, August 08, 2013 09:10:33 PM Einav Cohen wrote:
> > > > > ----- Original Message -----
> > > > > From: "Dead Horse" <deadhorseconsulting at gmail.com>
> > > > > Sent: Thursday, August 8, 2013 7:51:03 PM
> > > > >
> > > > > I verified the fix against current master with multiple installs and
> > > > > browsers. Thanks guys!
> > > > >
> > > > > Fix verified to work with:
> > > > > Firefox Version 22.0-1
> > > > > Google Chrome Version 28.0.1500.95
> > > > >
> > > > > I still noted an odd issue with Firefox Version 17.0.8-1 (Current
> > > > > Firefox
> > > > > EL6 Version).
> > > > > The login into the user portal succeeds and a successful login is
> > > > > logged,
> > > > > however the login remains hung at the login dialog indefinitely.
> > > > > Reloading the page and closing the browser does not change things.
> > > > > Also removing ~/<username>/.mozilla and starting fresh results in the
> > > > > same.
> > > > > Can someone else check and verify similar oddness with EL6 Firefox.
> > > >
> > > > similar oddness was indeed encountered lately. Alexander (added) is
> > > > currently investigating.
> > > > @Alexander - can you please update on the investigation progress in
> > > > this
> > > > thread?
> > >
> > > As noted this seems to only happen with FF 17 ESR, which is the current
> > > EL6
> > > version. If I use firebug or attach a GWT debugger, the problem goes
> > > away.
> > > Heck
> > > if I compile GWT in draft mode the problem goes away. I did however make
> > > some
> > > progress yesterday in determining the cause. It seems to me that for some
> > > reason revealDefaultPlace in the user portal is called multiple times and
> > > in certain cases the second time the method is called it never finishes
> > > which causes the behavior we are seeing.
> > >
> > > Still no solution, but this is my top priority to get working.
> >
> > many thanks for the update, Alexander.
> > this is a long shot, but it just occurred to me that recently the Message
> > of
> > the day feature has been introduced to the user portal login page [1].
> > @Alexander - maybe worth investigating in that direction (i.e. if this
> > patch is reverted, does the problem go away?)
> >
> > [1] http://gerrit.ovirt.org/#/c/17545/
> >
>
> I reversed that patch, but it had no effect on the problem. It did make the
> weird looking box underneath the login box go away, so at least I know where
> that came from.
thanks, Alex - I just realized that the issue has originally been reported [1]
before MoTD was introduced, so MoTD isn't the root cause of this problem.
in that same bug report, it is also mentioned that it used to work before the GWT
upgrade has been introduced, so the problem is probably related to the GWT upgrade
somehow.
[1] Bug 992960 - Cannot log into User Portal - login page is stuck after being submitted
https://bugzilla.redhat.com/992960
>
> > > Alexander
> > >
> > > > > - DHC
> > > > >
> > > > >
> > > > > On Wed, Aug 7, 2013 at 1:50 PM, Dead Horse <
> > > > > deadhorseconsulting at gmail.com
> > > > >
> > > > > > wrote:
> > > > > I see the fix in Gerrit/GIT. Thanks guys! I will test and update
> > > > > results
> > > > > tomorrow morning.
> > > > > - DHC
> > > > >
> > > > >
> > > > > On Wed, Aug 7, 2013 at 1:01 PM, Yair Zaslavsky < yzaslavs at redhat.com
> > > > > >
> > > > > wrote:
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > >
> > > > > > From: "Yair Zaslavsky" < yzaslavs at redhat.com >
> > > > > > To: "Dead Horse" < deadhorseconsulting at gmail.com >
> > > > > > Cc: "engine-devel" < engine-devel at ovirt.org >
> > > > > > Sent: Wednesday, August 7, 2013 9:00:34 PM
> > > > > > Subject: Re: [Engine-devel] users cannot log into userportal
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > >
> > > > > > > From: "Dead Horse" < deadhorseconsulting at gmail.com >
> > > > > > > To: "Itamar Heim" < iheim at redhat.com >
> > > > > > > Cc: "engine-devel" < engine-devel at ovirt.org >, "Yair Zaslavsky"
> > > > > > > < yzaslavs at redhat.com >
> > > > > > > Sent: Wednesday, August 7, 2013 6:14:02 PM
> > > > > > > Subject: Re: [Engine-devel] users cannot log into userportal
> > > > > > >
> > > > > > > BZ994604 ( https://bugzilla.redhat.com/show_bug.cgi?id=994604 )
> > > > > > > has
> > > > > > > been
> > > > > > > opened.
> > > > > > > - DHC
> > > > > >
> > > > > > Thanks for your help DHC,
> > > > > > This was already fixed by rnori.
> > > > >
> > > > > Of course "already fixed" comparing with current time. This was
> > > > > indeed
> > > > > a
> > > > > real issue.
> > > > >
> > > > > > > On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim < iheim at redhat.com >
> > >
> > > wrote:
> > > > > > > > On 08/07/2013 12:10 AM, Dead Horse wrote:
> > > > > > > >> I have found some steps to reproduce this easily.
> > > > > > > >>
> > > > > > > >> Start the engine bound to an AD for authentication
> > > > > > > >> log in to the user portal as an AD user which has been granted
> > > > > > > >> a
> > > > > > > >> Role
> > > > > > > >> (I
> > > > > > > >> used PowerUserRole)
> > > > > > > >>
> > > > > > > >> Result: Login will succeed
> > > > > > > >> Data from engine.log:
> > > > > > > >> 2013-08-06 15:54:10,088 INFO
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-10)
> > > > > > > >> Running command: LoginUserCommand internal: false.
> > > > > > > >> 2013-08-06 15:54:10,139 INFO
> > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.**
> > > > > > > >> AuditLogDirector]
> > > > > > > >> (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack:
> > > > > > > >> null,
> > > > > > > >> Custom Event ID: -1, Message: User ovirttest logged in.
> > > > > > > >>
> > > > > > > >> log out of the user portal
> > > > > > > >> Result: log out succeeds
> > > > > > > >> Data from engine.log:
> > > > > > > >> 2013-08-06 15:54:12,448 INFO
> > > > > > > >> [org.ovirt.engine.core.bll.**LogoutUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-2)
> > > > > > > >> Running command: LogoutUserCommand internal: false.
> > > > > > > >> 2013-08-06 15:54:12,474 INFO
> > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.**
> > > > > > > >> AuditLogDirector]
> > > > > > > >> (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack:
> > > > > > > >> null,
> > > > > > > >> Custom Event ID: -1, Message: User ovirttest logged out.
> > > > > > > >>
> > > > > > > >> As the same user log in to the user portal again but this
> > > > > > > >> purposely
> > > > > > > >> input the wrong password.
> > > > > > > >> Result: log in will fail
> > > > > > > >> Data from engine.log:
> > > > > > > >> 2013-08-06 15:54:20,830 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent
> > > > > > > >> icat
> > > > > > > >> ion**
> > > > > > > >> Strategy]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication
> > > > > > > >> information
> > > > > > > >> was invalid (24)
> > > > > > > >> 2013-08-06 15:54:20,832 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent
> > > > > > > >> icat
> > > > > > > >> ion**
> > > > > > > >> Strategy]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify
> > > > > > > >> the
> > > > > > > >> username and password.
> > > > > > > >> 2013-08-06 15:54:20,843 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server
> > > > > > > >> LDAP://foodc02.foo.test.com:**389 <
> > > > > > > >> http://foodc02.foo.test.com:389
> > > > > > > >>
> > > > > > > >> <
> > > > > > > >> http://foodc02.foo.test.com:**389 <
> > > > > > > >> http://foodc02.foo.test.com:389
> > > > > > > >>
> > > > > > > >> using
> > > > > > > >> user ovirttest at FOO.TEST.COM <mailto: ovirttest at FOO.TEST.COM
> > > > > > > >> **>
> > > > > > > >> due
> > > > > > > >> to
> > > > > > > >>
> > > > > > > >> Authentication Failed. Please verify the username and
> > > > > > > >> password..
> > > > > > > >> We
> > > > > > > >> should not try the next server
> > > > > > > >> 2013-08-06 15:54:20,850 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent
> > > > > > > >> icat
> > > > > > > >> ion**
> > > > > > > >> Strategy]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication
> > > > > > > >> information
> > > > > > > >> was invalid (24)
> > > > > > > >> 2013-08-06 15:54:20,851 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent
> > > > > > > >> icat
> > > > > > > >> ion**
> > > > > > > >> Strategy]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify
> > > > > > > >> the
> > > > > > > >> username and password.
> > > > > > > >> 2013-08-06 15:54:20,852 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server
> > > > > > > >> LDAP://foodc01.foo.test.com:**389 <
> > > > > > > >> http://foodc01.foo.test.com:389
> > > > > > > >>
> > > > > > > >> <
> > > > > > > >> http://foodc01.foo.test.com:**389 <
> > > > > > > >> http://foodc01.foo.test.com:389
> > > > > > > >>
> > > > > > > >> using
> > > > > > > >> user ovirttest at FOO.TEST.COM <mailto: ovirttest at FOO.TEST.COM
> > > > > > > >> **>
> > > > > > > >> due
> > > > > > > >> to
> > > > > > > >>
> > > > > > > >> Authentication Failed. Please verify the username and
> > > > > > > >> password..
> > > > > > > >> We
> > > > > > > >> should not try the next server
> > > > > > > >> 2013-08-06 15:54:20,853 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom
> > > > > > > >> mand
> > > > > > > >> ]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest
> > > > > > > >> to
> > > > > > > >> domain
> > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is
> > > > > > > >> getUserByName
> > > > > > > >>
> > > > > > > >> 2013-08-06 15:54:20,854 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom
> > > > > > > >> mand
> > > > > > > >> ]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify
> > > > > > > >> the
> > > > > > > >> username and password.
> > > > > > > >> 2013-08-06 15:54:20,855 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-7)
> > > > > > > >> USER_FAILED_TO_AUTHENTICATE_**WRONG_USERNAME_OR_PASSWORD :
> > > > > > > >> ovirttest
> > > > > > > >> 2013-08-06 15:54:20,856 WARN
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-7)
> > > > > > > >> CanDoAction of action LoginUser failed.
> > > > > > > >> Reasons:USER_FAILED_TO_**AUTHENTICATE_WRONG_USERNAME_**OR_PASSW
> > > > > > > >> ORD
> > > > > > > >>
> > > > > > > >> Try again to log in as the same user this time typing the
> > > > > > > >> correct
> > > > > > > >> password.
> > > > > > > >> Result: Login fails!
> > > > > > > >> Data from engine.log:
> > > > > > > >> 2013-08-06 15:54:25,186 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom
> > > > > > > >> mand
> > > > > > > >> ]
> > > > > > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest
> > > > > > > >> to
> > > > > > > >> domain
> > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is
> > > > > > > >> getUserByName
> > > > > > > >>
> > > > > > > >> 2013-08-06 15:54:25,187 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-7)
> > > > > > > >> USER_FAILED_TO_AUTHENTICATE : ovirttest
> > > > > > > >> 2013-08-06 15:54:25,187 WARN
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-7)
> > > > > > > >> CanDoAction of action LoginUser failed.
> > > > > > > >> Reasons:USER_FAILED_TO_**
> > > > > > > >> AUTHENTICATE
> > > > > > > >>
> > > > > > > >> Try again with another AD user.
> > > > > > > >> Result: Login fails!
> > > > > > > >> Data from engine.log:
> > > > > > > >> 2013-08-06 15:54:38,056 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom
> > > > > > > >> mand
> > > > > > > >> ]
> > > > > > > >> (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin
> > > > > > > >> to
> > > > > > > >> domain
> > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is
> > > > > > > >> getUserByName
> > > > > > > >>
> > > > > > > >> 2013-08-06 15:54:38,057 ERROR
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-5)
> > > > > > > >> USER_FAILED_TO_AUTHENTICATE : ovirtadmin
> > > > > > > >> 2013-08-06 15:54:38,058 WARN
> > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
> > > > > > > >> (ajp--127.0.0.1-8702-5)
> > > > > > > >> CanDoAction of action LoginUser failed.
> > > > > > > >> Reasons:USER_FAILED_TO_**
> > > > > > > >> AUTHENTICATE
> > > > > > > >>
> > > > > > > >> Logging into the admin portal as the admin at internal user will
> > > > > > > >> yield
> > > > > > > >> that
> > > > > > > >> engine seems to have forgotten about and can no longer
> > > > > > > >> enumerate
> > > > > > > >> AD
> > > > > > > >> users and groups.
> > > > > > > >> engine stays in this state until it has been restarted.
> > > > > > > >>
> > > > > > > >> I also note the two following errors in the engine log file as
> > > > > > > >> well:
> > > > > > > >> 2013-08-06 15:53:41,098 ERROR
> > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils]
> > > > > > > >> (MSC
> > > > > > > >> service
> > > > > > > >> thread 1-9) Could not parse option AutoRecoveryAllowedTypes
> > > > > > > >> value.
> > > > > > > >> 2013-08-06 15:53:41,161 ERROR
> > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils]
> > > > > > > >> (MSC
> > > > > > > >> service
> > > > > > > >> thread 1-9) Failed to decrypt value for property
> > > > > > > >> AttestationTruststorePass will be used encrypted value:
> > > > > > > >> javax.crypto.**BadPaddingException: Data must start with zero
> > > > > > > >>
> > > > > > > >> - DHC
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse
> > > > > > > >> < deadhorseconsulting at gmail.com
> > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com <
> > > > > > > >> deadhorseconsulting at gmail.com >
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >> Really attaching logs from other install.
> > > > > > > >> - DHC
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse
> > > > > > > >> < deadhorseconsulting at gmail.com
> > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com <
> > > > > > > >> deadhorseconsulting at gmail.com >>>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >> Also I note that he login does succeed in the AD servers logs
> > > > > > > >> as
> > > > > > > >> well as the engine also acknowledges the same. However the
> > > > > > > >> login
> > > > > > > >> ends up in either the user logging in and the dialog sitting
> > > > > > > >> in
> > > > > > > >> space forever and/or the engine no longer enumerating the AD
> > > > > > > >> users/groups.
> > > > > > > >>
> > > > > > > >> Attached are logs from another install seeing the same thing.
> > > > > > > >> -DHC
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse
> > > > > > > >> < deadhorseconsulting at gmail.com
> > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com <
> > > > > > > >> deadhorseconsulting at gmail.com >>>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> Seeing and issue where users are not able to log in. Also
> > > > > > > >> for some reason the engine is seemingly forgeting about AD
> > > > > > > >> users. Removing the AD domain via engine-manage-domains and
> > > > > > > >> re-adding it works for enumerating the users, however the
> > > > > > > >> first attempt to login as a user results in the engine no
> > > > > > > >> longer enumerating the users nor allowing logins.
> > > > > > > >> Attached are the pertinent logs.
> > > > > > > >>
> > > > > > > >> Engine is built and running from current master as of this
> > > > > > > >> morning, and was installed/built and upgraded via RPMs
> > > > > > > >> yum/engine-upgrade
> > > > > > > >>
> > > > > > > >> - DHC
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> ______________________________**_________________
> > > > > > > >> Engine-devel mailing list
> > > > > > > >> Engine-devel at ovirt.org
> > > > > > > >> http://lists.ovirt.org/**mailman/listinfo/engine-devel <
> > > > > > > >> http://lists.ovirt.org/mailman/listinfo/engine-devel >
> > > > > > > >
> > > > > > > > thanks for reproducing with such clear steps. can you please
> > > > > > > > open a
> > > > > > > > bug?
> > > > > > > > yair - can you try and reproduce as well (I tried on an older
> > > > > > > > rhev
> > > > > > > > 3.2
> > > > > > > > i
> > > > > > > > have and couldn't with the IPA provider)
> > > > > >
> > > > > > _______________________________________________
> > > > > > Engine-devel mailing list
> > > > > > Engine-devel at ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > > >
> > > > > _______________________________________________
> > > > > Engine-devel mailing list
> > > > > Engine-devel at ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel
>
More information about the Engine-devel
mailing list