[Users] ovirt-report Forbidden access error
Alessandro Bianchi
a.bianchi at skynet.it
Tue Feb 4 07:49:47 EST 2014
Il 04/02/2014 12:55, Yedidyah Bar David ha scritto:
>
> *From: *"Alessandro Bianchi" <a.bianchi at skynet.it>
> *To: *"Gianluca Cecchi" <gianluca.cecchi at gmail.com>
> *Cc: *"Yedidyah Bar David" <didi at redhat.com>, "users"
> <users at ovirt.org>
> *Sent: *Tuesday, February 4, 2014 1:19:43 PM
> *Subject: *Re: [Users] ovirt-report Forbidden access error
>
>
>
> Il 04/02/2014 11:30, Gianluca Cecchi ha scritto:
>
> On Tue, Feb 4, 2014 at 11:10 AM, Alessandro Bianchi<a.bianchi at skynet.it> wrote:
>
> Il 04/02/2014 09:55, Gianluca Cecchi ha scritto:
>
> On Tue, Feb 4, 2014 at 9:10 AM, Alessandro Bianchi wrote:
>
> in working directory '/usr/share/ovirt-engine-dwh/db-scripts'
> 2014-02-04 09:01:26::DEBUG::common_utils::962::root:: output =
> 2014-02-04 09:01:26::DEBUG::common_utils::963::root:: stderr = psql: FATALE:
> autenticazione con password fallita per l'utente "engine_history"
> password retrieved from file "/tmp/pgpassNkKGNp.tmp"
>
> (autenticazione con password fallita per l'utente "engine_history" =
> authentication failed for user "engine_history" system language is italian)
>
> so it seems a user creation permission problem on the database
>
> since I'm not too familiar with pgsql how is it supposed to fix this?
>
> It look like it misses the password in some ovirt configuration file but
> where to edit and how o fix it?
>
> Any hint?
>
> Thank you
>
> See this thread of mine if you want to start from scratch and you
> don't have any previous reports/dwh data or you don't mind to loose
> them. Engine and its data is not impacted at all.
> Eventually I'm going to open a bug for bad mgmt of pre-existing DB
> user during setup (eg due to a previously failed in the middle
> install).
>
> http://lists.ovirt.org/pipermail/users/2014-February/020740.html
>
> Let us know how it goes.
>
> Gianluca
>
> Ok with this 2b extra step it works
>
> I have installed everything with no errors, but still have Forbidden access
> right clicking on Vms -> reports
>
> If I click on the "reports portal" I see this link
>
> *ATTENZIONE: i link numerici sono spesso utilizzati da malintenzionati* http://10.0.0.5/OvirtEngineWeb/ReportsRedirectServlet
>
> I suspect this is something related to apache configuration
>
> access.log shows nothing so were may I see a log of what's happening?
>
> Thank you
>
> Alessandro
>
> I too see that redirect and then when I click I land to
> https://my-engine/ovirt-engine-reports/login.html
>
> and then after login/pwd :
> https://my-engine/ovirt-engine-reports/flow.html?_flowId=searchFlow
>
> I have SpiceProxy configured.
> Don't know if this impacts apache configuration.
> In my case it works and in /etc/httpd/conf.d
> Ihave
> # ls -lrt
> total 68
> -rw-r--r--. 1 root root 926 Mar 31 2013 BackupPC.conf
> -rw-r--r--. 1 root root 298 Jul 23 2013 squid.conf
> -rw-r--r--. 1 root root 516 Jul 31 2013 welcome.conf
> -rw-r--r--. 1 root root 1252 Jul 31 2013 userdir.conf
> -rw-r--r--. 1 root root 9426 Jul 31 2013 ssl.conf.20131003112151
> -rw-r--r--. 1 root root 2893 Jul 31 2013 autoindex.conf
> -rw-r--r--. 1 root root 366 Jul 31 2013 README
> -rw-r--r--. 1 root root 2778 Oct 3 11:21
> z-ovirt-engine-proxy.conf.20131119125706
> -rw-r--r--. 1 root root 33 Oct 3 11:21 ovirt-engine-root-redirect.conf
> -rw-r--r--. 1 root root 9444 Oct 3 11:21 ssl.conf
> -rw-r--r--. 1 root root 2775 Nov 19 12:57
> z-ovirt-engine-proxy.conf.20140115003015
> -rw-r--r--. 1 root root 1251 Jan 7 15:54 z-ovirt-engine-reports-proxy.conf
> -rw-r--r--. 1 root root 2788 Jan 15 00:30 z-ovirt-engine-proxy.conf
>
> z-ovirt-engine-reports-proxy.conf:
> <IfModule proxy_ajp_module>
>
> <Proxy ajp://localhost:8702>
> # This is needed to make sure that connections to the application server
> # are recovered in a short time interval (5 seconds at the moment)
> # otherwise when the application server is restarted the web server will
> # refuse to connect during 60 seconds.
> ProxySet retry=5
>
> # This is needed to make sure that long RESTAPI requests have time to
> # finish before the web server aborts the request as the default timeout
> # (controlled by the Timeout directive in httpd.conf) is 60 seconds.
> ProxySet timeout=3600
> </Proxy>
>
> <Location /ovirt-engine-reports>
> ProxyPass ajp://localhost:8702/ovirt-engine-reports
> <IfModule deflate_module>
> AddOutputFilterByType DEFLATE text/javascript text/css
> text/html text/xml text/json application/xml application/json
> application/x-yaml
> </IfModule>
> </Location>
>
> </IfModule>
>
> Uuuuuuh
>
> enterig the URL you showed directely I can login and see reports ok
>
> so it looks link in ovirt main page is somehow wrong!
>
>
> This should work. To help debug this, please check/post these:
>
> /etc/httpd/conf.d/z-ovirt-engine-proxy.conf
> /etc/httpd/conf.d/z-ovirt-engine-reports-proxy.conf
> /var/log/httpd/error_log
> /var/log/httpd/ssl_error_log
> /var/log/httpd/access_log
> /var/log/httpd/ssl_access_log
>
> As user postgres, output of:
> psql engine -c "select * from vdc_options where
> option_name='RedirectServletReportsPage';"
>
> Thanks!
> --
> Didi
>
>
> --
> Il messaggio è stato analizzato alla ricerca di virus o
> contenuti pericolosi da *SkyNet Srl <http://www.skynet.it/>*, ed è
> risultato non infetto.
>
> This message has been checked for virus or dangerous content
> by *SkyNet SRL <http://www.skynet.it/>* and seems to be clean.
Ok let's go
z-ovirt-engine-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
#
# Remove the Expect headers from API requests (this is needed to fix a
# problem with some API clients):
#
# This is required because otherwise Expect header, which is hop-by-hop
# will be caught by the Apache and will NOT be forwared to the proxy.
#
# It currenly is used here, which means GLOBALLY for the server. It
is done
# this way because RequestHeader 'early' doesn't allow using in either
# 'Directory' or 'Location' nested clauses.
#
# TODO: find a way to filter Expect headers for /api name space only.
<IfModule headers_module>
RequestHeader unset Expect early
</IfModule>
<Proxy ajp://127.0.0.1:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
Redirect /ovirt-engine /ovirt-engine/
<Location /ovirt-engine/>
ProxyPass ajp://127.0.0.1:8702/
</Location>
<LocationMatch
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</LocationMatch>
<Location /api>
#
# The timeout has to be specified here again because versions of
# Apache older than 2.4 don't copy the setting from the Proxy
# directive:
#
ProxyPass ajp://127.0.0.1:8702/api timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
z-ovirt-engine-reports-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
#
# Remove the Expect headers from API requests (this is needed to fix a
# problem with some API clients):
#
# This is required because otherwise Expect header, which is hop-by-hop
# will be caught by the Apache and will NOT be forwared to the proxy.
#
# It currenly is used here, which means GLOBALLY for the server. It
is done
# this way because RequestHeader 'early' doesn't allow using in either
# 'Directory' or 'Location' nested clauses.
#
# TODO: find a way to filter Expect headers for /api name space only.
<IfModule headers_module>
RequestHeader unset Expect early
</IfModule>
<Proxy ajp://127.0.0.1:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
Redirect /ovirt-engine /ovirt-engine/
<Location /ovirt-engine/>
ProxyPass ajp://127.0.0.1:8702/
</Location>
<LocationMatch
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</LocationMatch>
<Location /api>
#
# The timeout has to be specified here again because versions of
# Apache older than 2.4 don't copy the setting from the Proxy
# directive:
#
ProxyPass ajp://127.0.0.1:8702/api timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
[root at hypervisor conf.d]# :q
-bash: :q: command not found
[root at hypervisor conf.d]# cat z-ovirt-engine-reports-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
<Proxy ajp://localhost:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
<Location /ovirt-engine-reports>
ProxyPass ajp://localhost:8702/ovirt-engine-reports
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
ssl_error_log
[Tue Feb 04 10:50:46.221639 2014] [proxy_ajp:error] [pid 7533] [client
192.168.0.17:48201] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:51.221036 2014] [proxy:error] [pid 7532]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:51.221057 2014] [proxy:error] [pid 7532] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:51.221062 2014] [proxy_ajp:error] [pid 7532] [client
192.168.0.17:48202] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:56.220894 2014] [proxy:error] [pid 7607]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:56.220915 2014] [proxy:error] [pid 7607] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:56.220920 2014] [proxy_ajp:error] [pid 7607] [client
192.168.0.17:48203] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:54:58.223880 2014] [proxy:error] [pid 7611]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:54:58.223901 2014] [proxy:error] [pid 7611] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:54:58.223906 2014] [proxy_ajp:error] [pid 7611] [client
192.168.0.17:48210] AH00896: failed to make connection to backend: 127.0.0.1
ssl_access_log
192.168.0.17 - - [04/Feb/2014:12:54:31 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:36 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:41 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:46 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:51 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:56 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:01 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:06 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 177
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 260
access_log
::1 - - [04/Feb/2014:11:00:26 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:11:01:48 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /pippo.htm HTTP/1.1"
404 207 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101
Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0)
Gecko/20100101 Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0)
Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:11:54:16 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
192.168.0.17 - - [04/Feb/2014:12:17:42 +0100] "GET
/ovirt-engine-reports/login.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11;
Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:12:17:51 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:12:17:52 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:12:55:17 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
the login you see is the one after entering
http://10.0.0.5/ovirt-engine-reports/login.html as url
error_log
[Tue Feb 04 10:55:04.198829 2014] [mpm_prefork:notice] [pid 9665]
AH00170: caught SIGWINCH, shutting down gracefully
[Tue Feb 04 10:55:05.284349 2014] [core:notice] [pid 11365] SELinux
policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Feb 04 10:55:05.285048 2014] [suexec:notice] [pid 11365] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 04 10:55:05.315355 2014] [proxy:warn] [pid 11365] AH01146:
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702'
because of worker sharing
[Tue Feb 04 10:55:05.315381 2014] [proxy:warn] [pid 11365] AH01146:
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702'
because of worker sharing
AH00558: httpd: Could not reliably determine the server's fully
qualified domain name, using hypervisor.skynet.it. Set the 'ServerName'
directive globally to suppress this message
[Tue Feb 04 10:55:05.315826 2014] [auth_digest:notice] [pid 11365]
AH01757: generating secret for digest authentication ...
[Tue Feb 04 10:55:05.316461 2014] [lbmethod_heartbeat:notice] [pid
11365] AH02282: No slotmem from mod_heartmonitor
[Tue Feb 04 10:55:05.354876 2014] [mpm_prefork:notice] [pid 11365]
AH00163: Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 configured
-- resuming normal operations
[Tue Feb 04 10:55:05.354895 2014] [core:notice] [pid 11365] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
postgres-# select * from vdc_options where
option_name='RedirectServletReportsPage'
postgres-#
(no results)
Let me know if anything else may be useful
Thank you and best regards
--
SkyNet SRL
Via Maggiate 67/a - 28021 Borgomanero (NO) - tel. +39 0322-836487/834765
- fax +39 0322-836608
http://www.skynet.it <http://www.skynet.it/>
Autorizzazione Ministeriale n.197
Le informazioni contenute in questo messaggio sono riservate e
confidenziali ed è vietata la diffusione in qualunque modo eseguita.
Qualora Lei non fosse la persona a cui il presente messaggio è
destinato, La invitiamo ad eliminarlo ed a distruggerlo non
divulgandolo, dandocene gentilmente comunicazione.
Per qualsiasi informazione si prega di contattare info at skynet.it (e-mail
dell'azienda). Rif. D.L. 196/2003
More information about the Users
mailing list