[Users] ovirt-report Forbidden access error

Alessandro Bianchi a.bianchi at skynet.it
Tue Feb 4 07:49:47 EST 2014



Il 04/02/2014 12:55, Yedidyah Bar David ha scritto:
>
>     *From: *"Alessandro Bianchi" <a.bianchi at skynet.it>
>     *To: *"Gianluca Cecchi" <gianluca.cecchi at gmail.com>
>     *Cc: *"Yedidyah Bar David" <didi at redhat.com>, "users"
>     <users at ovirt.org>
>     *Sent: *Tuesday, February 4, 2014 1:19:43 PM
>     *Subject: *Re: [Users] ovirt-report Forbidden access error
>
>
>
>     Il 04/02/2014 11:30, Gianluca Cecchi ha scritto:
>
>         On Tue, Feb 4, 2014 at 11:10 AM, Alessandro Bianchi<a.bianchi at skynet.it>  wrote:
>
>             Il 04/02/2014 09:55, Gianluca Cecchi ha scritto:
>
>             On Tue, Feb 4, 2014 at 9:10 AM, Alessandro Bianchi wrote:
>
>             in working directory '/usr/share/ovirt-engine-dwh/db-scripts'
>             2014-02-04 09:01:26::DEBUG::common_utils::962::root:: output =
>             2014-02-04 09:01:26::DEBUG::common_utils::963::root:: stderr = psql: FATALE:
>             autenticazione con password fallita per l'utente "engine_history"
>             password retrieved from file "/tmp/pgpassNkKGNp.tmp"
>
>             (autenticazione con password fallita per l'utente "engine_history" =
>             authentication failed for user "engine_history" system language is italian)
>
>             so it seems a user creation permission problem on the database
>
>             since I'm not too familiar with pgsql how is it supposed to fix this?
>
>             It look like it misses the password in some ovirt configuration file but
>             where to edit and how o fix it?
>
>             Any hint?
>
>             Thank you
>
>             See this thread of mine if you want to start from scratch and you
>             don't have any previous reports/dwh data or you don't mind to loose
>             them. Engine and its data is not impacted at all.
>             Eventually I'm going to open a bug for bad mgmt of pre-existing DB
>             user during setup (eg due to a previously failed in the middle
>             install).
>
>             http://lists.ovirt.org/pipermail/users/2014-February/020740.html
>
>             Let us know how it goes.
>
>             Gianluca
>
>             Ok with this 2b extra step it works
>
>             I have installed everything with no errors, but still have Forbidden access
>             right clicking on Vms -> reports
>
>             If I click on the "reports portal" I see this link
>
>             *ATTENZIONE: i link numerici sono spesso utilizzati da malintenzionati*  http://10.0.0.5/OvirtEngineWeb/ReportsRedirectServlet
>
>             I suspect this is something related to apache configuration
>
>             access.log shows nothing so were may I see a log of what's happening?
>
>             Thank you
>
>             Alessandro
>
>         I too see that redirect and then when I click I land to
>         https://my-engine/ovirt-engine-reports/login.html
>
>         and then after login/pwd :
>         https://my-engine/ovirt-engine-reports/flow.html?_flowId=searchFlow
>
>         I have SpiceProxy configured.
>         Don't know if this impacts apache configuration.
>         In my case it works and in /etc/httpd/conf.d
>         Ihave
>         # ls -lrt
>         total 68
>         -rw-r--r--. 1 root root  926 Mar 31  2013 BackupPC.conf
>         -rw-r--r--. 1 root root  298 Jul 23  2013 squid.conf
>         -rw-r--r--. 1 root root  516 Jul 31  2013 welcome.conf
>         -rw-r--r--. 1 root root 1252 Jul 31  2013 userdir.conf
>         -rw-r--r--. 1 root root 9426 Jul 31  2013 ssl.conf.20131003112151
>         -rw-r--r--. 1 root root 2893 Jul 31  2013 autoindex.conf
>         -rw-r--r--. 1 root root  366 Jul 31  2013 README
>         -rw-r--r--. 1 root root 2778 Oct  3 11:21
>         z-ovirt-engine-proxy.conf.20131119125706
>         -rw-r--r--. 1 root root   33 Oct  3 11:21 ovirt-engine-root-redirect.conf
>         -rw-r--r--. 1 root root 9444 Oct  3 11:21 ssl.conf
>         -rw-r--r--. 1 root root 2775 Nov 19 12:57
>         z-ovirt-engine-proxy.conf.20140115003015
>         -rw-r--r--. 1 root root 1251 Jan  7 15:54 z-ovirt-engine-reports-proxy.conf
>         -rw-r--r--. 1 root root 2788 Jan 15 00:30 z-ovirt-engine-proxy.conf
>
>         z-ovirt-engine-reports-proxy.conf:
>         <IfModule proxy_ajp_module>
>
>              <Proxy ajp://localhost:8702>
>                  # This is needed to make sure that connections to the application server
>                  # are recovered in a short time interval (5 seconds at the moment)
>                  # otherwise when the application server is restarted the web server will
>                  # refuse to connect during 60 seconds.
>                  ProxySet retry=5
>
>                  # This is needed to make sure that long RESTAPI requests have time to
>                  # finish before the web server aborts the request as the default timeout
>                  # (controlled by the Timeout directive in httpd.conf) is 60 seconds.
>                  ProxySet timeout=3600
>              </Proxy>
>
>              <Location /ovirt-engine-reports>
>                  ProxyPass ajp://localhost:8702/ovirt-engine-reports
>                  <IfModule deflate_module>
>                      AddOutputFilterByType DEFLATE text/javascript text/css
>         text/html text/xml text/json application/xml application/json
>         application/x-yaml
>                  </IfModule>
>              </Location>
>
>         </IfModule>
>
>     Uuuuuuh
>
>     enterig the URL you showed directely I can login and see reports ok
>
>     so it looks link in ovirt main page is somehow wrong!
>
>
> This should work. To help debug this, please check/post these:
>
> /etc/httpd/conf.d/z-ovirt-engine-proxy.conf
> /etc/httpd/conf.d/z-ovirt-engine-reports-proxy.conf
> /var/log/httpd/error_log
> /var/log/httpd/ssl_error_log
> /var/log/httpd/access_log
> /var/log/httpd/ssl_access_log
>
> As user postgres, output of:
> psql engine -c "select * from vdc_options where 
> option_name='RedirectServletReportsPage';"
>
> Thanks!
> -- 
> Didi
>
>
> -- 
> Il messaggio è stato analizzato alla ricerca di virus o
> contenuti pericolosi da *SkyNet Srl <http://www.skynet.it/>*, ed è
> risultato non infetto.
>
> This message has been checked for virus or dangerous content
> by *SkyNet SRL <http://www.skynet.it/>* and seems to be clean. 
Ok let's go


z-ovirt-engine-proxy.conf


#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>

     #
     # Remove the Expect headers from API requests (this is needed to fix a
     # problem with some API clients):
     #
     # This is required because otherwise Expect header, which is hop-by-hop
     # will be caught by the Apache and will NOT be forwared to the proxy.
     #
     # It currenly is used here, which means GLOBALLY for the server. It 
is done
     # this way because RequestHeader 'early' doesn't allow using in either
     # 'Directory' or 'Location' nested clauses.
     #
     # TODO: find a way to filter Expect headers for /api name space only.
     <IfModule headers_module>
         RequestHeader unset Expect early
     </IfModule>

     <Proxy ajp://127.0.0.1:8702>
         # This is needed to make sure that connections to the 
application server
         # are recovered in a short time interval (5 seconds at the moment)
         # otherwise when the application server is restarted the web 
server will
         # refuse to connect during 60 seconds.
         ProxySet retry=5

         # This is needed to make sure that long RESTAPI requests have 
time to
         # finish before the web server aborts the request as the 
default timeout
         # (controlled by the Timeout directive in httpd.conf) is 60 
seconds.
         ProxySet timeout=3600
     </Proxy>
  Redirect /ovirt-engine /ovirt-engine/

     <Location /ovirt-engine/>
         ProxyPass ajp://127.0.0.1:8702/
     </Location>

     <LocationMatch 
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
         ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
         <IfModule deflate_module>
             AddOutputFilterByType DEFLATE text/javascript text/css 
text/html text/xml text/json application/xml application/json 
application/x-yaml
         </IfModule>
     </LocationMatch>

     <Location /api>
         #
         # The timeout has to be specified here again because versions of
         # Apache older than 2.4 don't copy the setting from the Proxy
         # directive:
         #
         ProxyPass ajp://127.0.0.1:8702/api timeout=3600

         <IfModule deflate_module>
             AddOutputFilterByType DEFLATE text/javascript text/css 
text/html text/xml text/json application/xml application/json 
application/x-yaml
         </IfModule>
     </Location>

</IfModule>

z-ovirt-engine-reports-proxy.conf

#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>

     #
     # Remove the Expect headers from API requests (this is needed to fix a
     # problem with some API clients):
     #
     # This is required because otherwise Expect header, which is hop-by-hop
     # will be caught by the Apache and will NOT be forwared to the proxy.
     #
     # It currenly is used here, which means GLOBALLY for the server. It 
is done
     # this way because RequestHeader 'early' doesn't allow using in either
     # 'Directory' or 'Location' nested clauses.
     #
     # TODO: find a way to filter Expect headers for /api name space only.
     <IfModule headers_module>
         RequestHeader unset Expect early
     </IfModule>

     <Proxy ajp://127.0.0.1:8702>
         # This is needed to make sure that connections to the 
application server
         # are recovered in a short time interval (5 seconds at the moment)
         # otherwise when the application server is restarted the web 
server will
         # refuse to connect during 60 seconds.
         ProxySet retry=5

         # This is needed to make sure that long RESTAPI requests have 
time to
         # finish before the web server aborts the request as the 
default timeout
         # (controlled by the Timeout directive in httpd.conf) is 60 
seconds.
         ProxySet timeout=3600
     </Proxy>

     Redirect /ovirt-engine /ovirt-engine/

     <Location /ovirt-engine/>
         ProxyPass ajp://127.0.0.1:8702/
     </Location>

     <LocationMatch 
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
         ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
         <IfModule deflate_module>
             AddOutputFilterByType DEFLATE text/javascript text/css 
text/html text/xml text/json application/xml application/json 
application/x-yaml
         </IfModule>
     </LocationMatch>

     <Location /api>
         #
         # The timeout has to be specified here again because versions of
         # Apache older than 2.4 don't copy the setting from the Proxy
         # directive:
         #
         ProxyPass ajp://127.0.0.1:8702/api timeout=3600

         <IfModule deflate_module>
             AddOutputFilterByType DEFLATE text/javascript text/css 
text/html text/xml text/json application/xml application/json 
application/x-yaml
         </IfModule>
     </Location>

</IfModule>
[root at hypervisor conf.d]# :q
-bash: :q: command not found
[root at hypervisor conf.d]# cat z-ovirt-engine-reports-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>

     <Proxy ajp://localhost:8702>
         # This is needed to make sure that connections to the 
application server
         # are recovered in a short time interval (5 seconds at the moment)
         # otherwise when the application server is restarted the web 
server will
         # refuse to connect during 60 seconds.
         ProxySet retry=5

         # This is needed to make sure that long RESTAPI requests have 
time to
         # finish before the web server aborts the request as the 
default timeout
         # (controlled by the Timeout directive in httpd.conf) is 60 
seconds.
         ProxySet timeout=3600
     </Proxy>

     <Location /ovirt-engine-reports>
         ProxyPass ajp://localhost:8702/ovirt-engine-reports
         <IfModule deflate_module>
             AddOutputFilterByType DEFLATE text/javascript text/css 
text/html text/xml text/json application/xml application/json 
application/x-yaml
         </IfModule>
     </Location>

</IfModule>

ssl_error_log

[Tue Feb 04 10:50:46.221639 2014] [proxy_ajp:error] [pid 7533] [client 
192.168.0.17:48201] AH00896: failed to make connection to backend: 
127.0.0.1, referer: 
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:51.221036 2014] [proxy:error] [pid 7532] 
(111)Connection refused: AH00957: AJP: attempt to connect to 
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:51.221057 2014] [proxy:error] [pid 7532] AH00959: 
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:51.221062 2014] [proxy_ajp:error] [pid 7532] [client 
192.168.0.17:48202] AH00896: failed to make connection to backend: 
127.0.0.1, referer: 
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:56.220894 2014] [proxy:error] [pid 7607] 
(111)Connection refused: AH00957: AJP: attempt to connect to 
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:56.220915 2014] [proxy:error] [pid 7607] AH00959: 
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:56.220920 2014] [proxy_ajp:error] [pid 7607] [client 
192.168.0.17:48203] AH00896: failed to make connection to backend: 
127.0.0.1, referer: 
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:54:58.223880 2014] [proxy:error] [pid 7611] 
(111)Connection refused: AH00957: AJP: attempt to connect to 
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:54:58.223901 2014] [proxy:error] [pid 7611] AH00959: 
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:54:58.223906 2014] [proxy_ajp:error] [pid 7611] [client 
192.168.0.17:48210] AH00896: failed to make connection to backend: 127.0.0.1

ssl_access_log
192.168.0.17 - - [04/Feb/2014:12:54:31 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:36 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:41 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:46 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:51 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:56 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:01 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:06 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 177
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST 
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 260


access_log
::1 - - [04/Feb/2014:11:00:26 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"
::1 - - [04/Feb/2014:11:01:48 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /pippo.htm HTTP/1.1" 
404 207 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 
Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico 
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) 
Gecko/20100101 Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico 
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) 
Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:11:54:16 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"
192.168.0.17 - - [04/Feb/2014:12:17:42 +0100] "GET 
/ovirt-engine-reports/login.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; 
Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:12:17:51 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"
::1 - - [04/Feb/2014:12:17:52 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"
::1 - - [04/Feb/2014:12:55:17 +0100] "OPTIONS * HTTP/1.0" 200 - "-" 
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy 
connection)"

the login you see is the one after entering 
http://10.0.0.5/ovirt-engine-reports/login.html as url

error_log
[Tue Feb 04 10:55:04.198829 2014] [mpm_prefork:notice] [pid 9665] 
AH00170: caught SIGWINCH, shutting down gracefully
[Tue Feb 04 10:55:05.284349 2014] [core:notice] [pid 11365] SELinux 
policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Feb 04 10:55:05.285048 2014] [suexec:notice] [pid 11365] AH01232: 
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 04 10:55:05.315355 2014] [proxy:warn] [pid 11365] AH01146: 
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702' 
because of worker sharing
[Tue Feb 04 10:55:05.315381 2014] [proxy:warn] [pid 11365] AH01146: 
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702' 
because of worker sharing
AH00558: httpd: Could not reliably determine the server's fully 
qualified domain name, using hypervisor.skynet.it. Set the 'ServerName' 
directive globally to suppress this message
[Tue Feb 04 10:55:05.315826 2014] [auth_digest:notice] [pid 11365] 
AH01757: generating secret for digest authentication ...
[Tue Feb 04 10:55:05.316461 2014] [lbmethod_heartbeat:notice] [pid 
11365] AH02282: No slotmem from mod_heartmonitor
[Tue Feb 04 10:55:05.354876 2014] [mpm_prefork:notice] [pid 11365] 
AH00163: Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 configured 
-- resuming normal operations
[Tue Feb 04 10:55:05.354895 2014] [core:notice] [pid 11365] AH00094: 
Command line: '/usr/sbin/httpd -D FOREGROUND'


postgres-# select * from vdc_options where 
option_name='RedirectServletReportsPage'
postgres-#
(no results)


Let me know if anything else may be useful

Thank you and best regards
-- 

SkyNet SRL

Via Maggiate 67/a - 28021 Borgomanero (NO) - tel. +39 0322-836487/834765 
- fax +39 0322-836608

http://www.skynet.it <http://www.skynet.it/>

Autorizzazione Ministeriale n.197

Le informazioni contenute in questo messaggio sono riservate e 
confidenziali ed è vietata la diffusione in qualunque modo eseguita.
Qualora Lei non fosse la persona a cui il presente messaggio è 
destinato, La invitiamo ad eliminarlo ed a distruggerlo non 
divulgandolo, dandocene gentilmente comunicazione.
Per qualsiasi informazione si prega di contattare info at skynet.it (e-mail 
dell'azienda). Rif. D.L. 196/2003




More information about the Users mailing list