[ovirt-users] User admin@internal can't login in oVirt 3.6

Ondra Machacek omachace at redhat.com
Mon Jun 20 18:24:51 UTC 2016


On 06/20/2016 06:36 PM, Julián Tete wrote:
> oVirt: 3.6.2
>
> Trying to use:
>
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> First use:
>
> engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>
> The domain was added, but I can't access the webadmin portal :/
>
> I get the message:
>
> "User is not authorized to perform this action."
>
> In ovirt-cli
>
> [401] - Unauthorized
>
> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>
> 2016-06-20 10:52:22,835 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-32) [] Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 10:52:22,836 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32)
> [] CanDoAction of action 'LoginAdminUser' failed for user
> admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:00:37,679 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
> CanDoAction of action 'LoginUser' failed for user admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:01:04,016 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:01:04,016 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
> CanDoAction of action 'LoginUser' failed for user admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

I am a little bit lost as to what your steps were to get into this
state, but it looks like your admin@internal user had its SuperUser
permissions removed. I am really not sure how you could have achieved
that, but to fix it please run the following command:

  $ su - postgres -c "psql -t engine -c \"insert into permissions values 
('0000001b-001b-001b-001b-00000000029f', 
'00000000-0000-0000-0000-000000000001', 
'fdfc627c-d875-11e0-90f0-83df133b58cc', 
'aaa00000-0000-0000-0000-123456789aaa', 1);\""

This command will add SuperUser permissions on the system to your admin@internal user.

Can you please describe what you have done in a bit more detail, so we
can understand the problem?

Thanks.

>
> Properties of Internal domain:
>
> cat /etc/ovirt-engine/aaa/internal.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
> ovirt.engine.extension.name = internal-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> Properties of admin@internal user:
>
> ovirt-aaa-jdbc-tool user show admin
>
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-20 16:01:03Z
> Last unsuccessful Login At: 2016-06-19 16:53:07Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> Can I assign privileges to the user? Any idea?
>
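The log triage from this thread as an added example (not part of the original messages): it picks out login actions that the engine refused with USER_NOT_AUTHORIZED_TO_PERFORM_ACTION, which is the authorization failure the reply attributes to missing SuperUser permissions. The sample input is constructed from the records quoted above, unwrapped to one line each; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: records quoted in the thread, unwrapped to one line each.
SAMPLE_LOG = """\
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

DENIED = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"

# Matches the WARN record a login command writes when its CanDoAction check fails.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) WARN\s+\[(?P<cls>[^\]]+)\].*?"
    r"CanDoAction of action '(?P<action>Login\w*)' failed for user "
    r"(?P<user>\S+?)\. Reasons: (?P<reasons>.+)$"
)


def denied_logins(log_text):
    """Return {user: [(timestamp, action, reasons)]} for refused login actions."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # audit-log ERROR records and unrelated lines are skipped
        reasons = [r.strip() for r in m["reasons"].split(",")]
        if DENIED in reasons:
            hits[m["user"]].append((m["ts"], m["action"], reasons))
    return dict(hits)


def refused_actions(log_text, user):
    """Distinct login actions the engine refused for one user, sorted."""
    return sorted({action for _, action, _ in denied_logins(log_text).get(user, [])})


if __name__ == "__main__":
    for user, events in denied_logins(SAMPLE_LOG).items():
        print(user, refused_actions(SAMPLE_LOG, user), len(events), "refusals")
```
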


