[ovirt-users] ovirt with 389 server inactive groups

Yair Zaslavsky yzaslavs at redhat.com
Thu Aug 14 02:49:25 UTC 2014



----- Original Message -----
> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> Sent: Wednesday, August 13, 2014 11:47:40 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> Ok so before I open a bug ticket I want to confirm I'm not doing
> anything wrong here.
> I upgraded to 3.4
> now it says "Active:    false " on LDAP groups.
> 
> Again I tried to add the sysadmin group from the directory server and
> set the power user and super user roles on the group
> it shows up as "<domain name>/Groups/sysadmin"
> I added the permissions by clicking on the configure link on the top of
> the screen and set them in the "System Permissions" tab

Sounds good so far.
I assume also you see the permissions in the permissions sub tab when you click the group.

> 
> I added a user (pmarino) to the system which shows in the "Directory
> Group" tab shows "sysadmin    groups       <domain name>" among others
> however it only shows in the Permissions tab the permissions inherited
> by "Everyone" it does not show any permissions inherited by the
> sysadmin group.

This is not good - I mean, should have worked.

> 
> just to prove it didn't work I logged out and attempted to log back in
> as the user (pmarino) it wouldn't let me log in
> 
> I logged back in as the internal admin user then I added the SuperUser
> permissions directly to the pmarino account and logged back out again.
> Now when I logged in as pmarino it gave me the access I expected.

Can I please ask you to provide some database info ?

It will be awesome if you can provide the following SQL queries results -

select group_ids, groups from users where username ilike '%pmarino%';

In addition, please perform - select id, name from ad_groups;

Thanks for your help.

P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.



> 
> 
> 
> Here is the relevant portion of the engine log
> "
> 2014-08-13 16:00:38,801 INFO
> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
> [1e7fa420] Running command: AddGroupCommand internal: false. Entities
> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:00:38,813 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
> Stack: null, Custom Event ID: -1, Message: User '<domain
> name>/Groups/sysadmin' was added successfully to the system.
> 2014-08-13 16:09:01,352 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> aaa00000-0000-0000-0000-123456789aaa Type: System,  ID:
> aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:09:01,371 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
> <domain name>/Groups/sysadmin was granted permission for Role
> SuperUser on System by admin.
> 2014-08-13 16:10:40,963 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> aaa00000-0000-0000-0000-123456789aaa Type: System,  ID:
> aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:10:40,979 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb,
> Call Stack: null, Custom Event ID: -1, Message: User/Group <domain
> name>/Groups/sysadmin was granted permission for Role PowerUserRole on
> System by admin.
> 2014-08-13 16:20:53,891 INFO
> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4)
> [58e00be1] Running command: AddUserCommand internal: false. Entities
> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:20:53,919 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call
> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added
> successfully to the system.
> 2014-08-13 16:35:52,202 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
> Custom Event ID: -1, Message: User pmarino failed to log in.
> 2014-08-13 16:35:52,202 WARN
> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed.
> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2014-08-13 16:39:48,048 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command:
> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:39:48,069 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group
> pmarino was granted permission for Role SuperUser on System by admin.
> 2014-08-13 16:40:43,357 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User pmarino logged in.
> 
> "
> 
> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> >> To: "Itamar Heim" <iheim at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Monday, August 11, 2014 8:13:53 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> I have checked the codebase of 3.3 -
> >> the "active" field is used for presentation purpose only.
> >
> > Presentation wise only - means that it is not used for our permissions
> > calculation , for example.
> >
> >> Alon has addressed our plans for this in his previous comments.
> >> I hope this clarifies more..
> >>
> >> Yair
> >>
> >>
> >> ----- Original Message -----
> >> > From: "Itamar Heim" <iheim at redhat.com>
> >> > To: "Alon Bar-Lev" <alonbl at redhat.com>, "Paul Robert Marino"
> >> > <prmarino1 at gmail.com>
> >> > Cc: users at ovirt.org
> >> > Sent: Sunday, August 10, 2014 11:54:05 PM
> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> >
> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >> > >
> >> > >
> >> > > ----- Original Message -----
> >> > >> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> >> > >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> > >> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> > >>
> >> > >> Sorry for my delayed response to this
> >> > >>
> >> > >> I am using ovirt 3.3.
> >> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >> > >> Finally 389 server is the upstream project for RHDS and one of the
> >> > >> upstream projects for IPA.
> >> > >> So I chose to set it as RHDS because it's an identical match.
> >> > >>
> >> > >> User authentication works just fine my problem is adding roles to
> >> > >> groups.
> >> > >> I can assign a role to a group but the group always shows an inactive
> >> > >> status; however if I assign a role directly to a user it works
> >> > >> fine.
> >> > >> In addition if I drill down into a user it knows what groups in the
> >> > >> 389 server the user is a member of.
> >> > >>
> >> > >> finally I can't see any error in the logs when adding a role to a
> >> > >> group
> >> > >>
> >> > >
> >> > > Please open a bug, I am unsure that it will be addressed before 3.5,
> >> > > as
> >> > > we
> >> > > have done major rework for the authentication and authorization to
> >> > > make
> >> > > it
> >> > > much more versatile. Even if there will be a fix it will be provided
> >> > > to
> >> > > 3.4.z.
> >> > >
> >> > > It will be best if you want to test this scenario in 3.5 release
> >> > > candidate
> >> > > and the new ldap provider, so we can address the issue before 3.5
> >> > > release
> >> > > if exists.
> >> > >
> >> >
> >> > could also be one of these fixed in 3.4:
> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> >> > does not inherit the group permissions
> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> >> > a group indirectly, it does not inherit the group permissions
> >> >
> >> > >>
> >> > >>
> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com>
> >> > >> wrote:
> >> > >>>
> >> > >>>
> >> > >>> ----- Original Message -----
> >> > >>>> From: "Maurice James" <mjames at media-node.com>
> >> > >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> > >>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> > >>>>
> >> > >>>> Does this still require the use of kerberos? Will 389-ds work on
> >> > >>>> its
> >> > >>>> own?
> >> > >>>
> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the
> >> > >>> kerberos/ldap
> >> > >>> mix.
> >> > >>>
> >> > >>> It will be great to receive feedback[2].
> >> > >>>
> >> > >>> 389ds is not supported directly, I think it is similar to IPA as it
> >> > >>> uses
> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> >> > >>> properly.
> >> > >>>
> >> > >>> Regards,
> >> > >>> Alon
> >> > >>>
> >> > >>> [1]
> >> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> >> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >> > >>>
> >> > >>>>
> >> > >>>> ----- Original Message -----
> >> > >>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >> > >>>> To: "Itamar Heim" <iheim at redhat.com>
> >> > >>>> Cc: users at ovirt.org
> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> > >>>>
> >> > >>>>
> >> > >>>>
> >> > >>>> ----- Original Message -----
> >> > >>>>> From: "Itamar Heim" <iheim at redhat.com>
> >> > >>>>> To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> > >>>>>
> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >> > >>>>>> I have ovirt engine running and connected to a 389 server with
> >> > >>>>>> the
> >> > >>>>>> memberof plugin enabled and working properly.
> >> > >>>>>>
> >> > >>>>>> I can add users and assign them to roles without any issues.
> >> > >>>>>>
> >> > >>>>>> when I look at a user I can see all the LDAP groups they are a
> >> > >>>>>> member
> >> > >>>>>> of.
> >> > >>>>>>
> >> > >>>>>> when I run engine-manage-domains  -action=validate it tells me
> >> > >>>>>> the
> >> > >>>>>> domain is valid.
> >> > >>>>>>
> >> > >>>>>> here is my problem when I try to assign a role to an LDAP group
> >> > >>>>>> it
> >> > >>>>>> looks like it works but in the general tab when under the group
> >> > >>>>>> it
> >> > >>>>>> tells me the status is Inactive.
> >> > >>>>>>
> >> > >>>>>> does anyone know how to enable the group?
> >> > >>>>>> _______________________________________________
> >> > >>>>>> Users mailing list
> >> > >>>>>> Users at ovirt.org
> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >> > >>>>>>
> >> > >>>>>
> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
> >> > >>>>
> >> > >>>>
> >> > >>>> In case this is 3.5 it is a known issue, all groups will be seen as
> >> > >>>> inactive,
> >> > >>>> this field will probably be removed from UI, as groups are no
> >> > >>>> longer
> >> > >>>> fetched
> >> > >>>> periodically.
> >> > >>>> This field is totally ignored.
> >> > >>>>
> >> > >>>> Alon
> >> > >>>>
> >> > >>
> >> > >
> >> >
> >> >
> >>
> 
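Added example (not part of the thread and not oVirt code): a small Python parser that re-joins the mail-wrapped engine.log excerpt quoted above and, for each login attempt, lists the roles the user held directly at that moment next to the grants that existed only on groups. That is the question the thread is chasing: the group was granted SuperUser and PowerUserRole, yet pmarino could only log in after a direct grant. The sample lines are the AuditLogDirector entries quoted in the thread; treating a grantee whose name contains `/Groups/` as a group is an assumption drawn from how that log names the sysadmin group, and the function and kind names (`parse_engine_log`, `login_audit`, `grant`, `login_failed`, `login_ok`) are mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: AuditLogDirector lines from the engine.log excerpt quoted in
# this thread, kept with the mail client's wrapping so entries must be re-joined.
SAMPLE_LOG = """\
2014-08-13 16:09:01,371 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
<domain name>/Groups/sysadmin was granted permission for Role
SuperUser on System by admin.
2014-08-13 16:10:40,979 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb,
Call Stack: null, Custom Event ID: -1, Message: User/Group <domain
name>/Groups/sysadmin was granted permission for Role PowerUserRole on
System by admin.
2014-08-13 16:35:52,202 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:39:48,069 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group
pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User pmarino logged in.
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
TS_PREFIX = re.compile("^" + TS + r"\s")
# timestamp, level, [logger], (thread), optional [correlation id], rest of entry
HEADER = re.compile(r"^(?P<ts>" + TS + r")\s+[A-Z]+\s+\[[^\]]+\]\s+\([^)]+\)\s+"
                    r"(?:\[[0-9a-f]+\]\s+)?(?P<body>.*)$")
MESSAGE = re.compile(r"Message: (?P<msg>.+)$")
# Audit message shapes as they appear in the excerpt (the kind names are mine).
PATTERNS = [
    ("grant", re.compile(r"^User/Group (?P<who>.+?) was granted permission for Role "
                         r"(?P<role>\S+) on \S+ by \S+\.$")),
    ("login_failed", re.compile(r"^User (?P<who>\S+) failed to log in\.$")),
    ("login_ok", re.compile(r"^User (?P<who>\S+) logged in\.$")),
]

@dataclass
class Event:
    ts: datetime
    kind: str            # grant | login_ok | login_failed | other
    who: Optional[str]   # principal named in the audit message
    role: Optional[str]  # role granted, when kind == "grant"

def join_wrapped(text: str) -> List[str]:
    """A line that does not start with a timestamp continues the previous entry."""
    entries: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if TS_PREFIX.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def parse_entry(entry: str) -> Optional[Event]:
    """One re-joined entry -> Event, or None when the header does not parse."""
    m = HEADER.match(entry)
    if not m:
        return None
    msg = MESSAGE.search(m["body"])
    message = msg["msg"] if msg else m["body"]
    kind, who, role = "other", None, None
    for name, pat in PATTERNS:
        hit = pat.match(message)
        if hit:
            kind, who, role = name, hit["who"], hit.groupdict().get("role")
            break
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), kind, who, role)

def parse_engine_log(text: str) -> List[Event]:
    return [ev for ev in map(parse_entry, join_wrapped(text)) if ev]

def login_audit(events: List[Event]) -> List[Dict]:
    """Per login attempt: roles the user held directly at that moment, and the group
    grants that existed. A grantee whose name contains '/Groups/' is taken to be a
    group (an assumption based on how this log names the sysadmin group)."""
    grants = [e for e in events if e.kind == "grant"]
    report = []
    for e in events:
        if e.kind in ("login_ok", "login_failed"):
            earlier = [g for g in grants if g.ts <= e.ts]
            report.append({"time": e.ts.isoformat(sep=" "), "user": e.who, "outcome": e.kind,
                           "direct_roles": [g.role for g in earlier if g.who == e.who],
                           "group_grants": [(g.who, g.role) for g in earlier if "/Groups/" in g.who]})
    return report

if __name__ == "__main__":
    for row in login_audit(parse_engine_log(SAMPLE_LOG)):
        print(row)
```

Run against the excerpt, the report shows the failed login at 16:35:52 with no direct roles but two group grants already in place, and the successful login at 16:40:43 with SuperUser held directly. Comparing that report with the `users.group_ids` / `ad_groups` rows Yair asks for is how one would tell a membership-resolution problem apart from a permission-inheritance one.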


