[ovirt-users] User admin at internal can't login in oVirt 3.6
Ondra Machacek
omachace at redhat.com
Tue Jun 21 14:18:09 UTC 2016
On 06/20/2016 08:33 PM, Julián Tete wrote:
> Thanks Ondra :)
>
> With the command:
>
> su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
I've just remembered, that there is bash script for it:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh
You can use it as follows:
/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
--user-name=admin --authz-name=internal-authz --role=SuperUser
But, as per your output above, obviously your problem is not missing
permissions.
I think the problem is that you removed internal*.properties files and
then re-add it.
Can you please send output of users table and permissions table. Thanks.
su - postgres -c "psql -t engine -c \"select * from users;\""
su - postgres -c "psql -t engine -c \"select * from permissions;\""
> I get:
>
> ERROR: duplicate key value violates unique constraint
> "idx_combined_ad_role_object"
> DETAIL: Key (ad_element_id, role_id,
> object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
> 00000000-0000-0000-0000-000000000001,
> aaa00000-0000-0000-0000-123456789aaa) already exists.
>
> History
>
> 261 yum install ovirt-engine-extension-aaa-ldap
> 262 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/
> 263 cd /etc/ovirt-engine/
> 264 ll
> 265 vim profile1.properties
> 266 ll
> 267 cd cp
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
> 269 cd
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> 270 ll
> 271 cp
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
> 272 cd /etc/ovirt-engine/extensions.d/
> 273 ll
> 274 find / -type f -iname profile1.properties
> 275 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
> 276 find / -type f -iname profile1.properties
> 277 vim /etc/ovirt-engine/aaa/profile1.properties
> 278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 280 systemctl restart ovirt-engine
> 281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 282 cd /usr/share/
> 283 ls
> 284 cd ovirt-engine-aaa-ldap
> 285 ls
> 286 cd ovirt-engine-extension-aaa-ldap/
> 287 ls
> 288 cd examples/
> 289 ls
> 290 cd ad
> 291 ls
> 292 cd extensions.d/
> 293 ls
> 294 vim profile1-authn.properties
> 295 pwd
> 296 cd ..
> 297 pwd
> 298 cd ..
> 299 ls
> 300 cd simple
> 301 ls
> 302 cd aaa/
> 303 ls
> 304 vim profile1.properties
> 305 pwd
> 306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
> 307 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
> 308 vim /etc/ovirt-engine/aaa/profile1.properties
> 309 history
> 310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 312 systemctl restart ovirt-engine
> 313 updatedb
> 314 locate domain1-authn.properties
> 315 history
> 316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
> 317 ll
> 318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
> 319 ls
> 320 cd extensions.d/
> 321 ls
> 322 pwd
> 323 cd /etc/ovirt-engine/extensions.d/
> 324 ls
> 325 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> /etc/ovirt-engine/extensions.d/
> 326 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
> 329 cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 330 ll
> 331 history
> 332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
> 333 chmod 600 /etc/ovirt-engine/extensions.d/*
> 334 ll
> 335 cd extensions.d/
> 336 ll
> 337 cd
> 338 engine-config -s SASL_QOP=auth
> 339 systemctl restart ovirt-engine
> 340 engine-manage-domains add --domain=udistritaloas.edu.co
> <http://udistritaloas.edu.co> --provider=ipa --user=admin
> --ldap-servers=freeipa.udistritaloas.edu.co
> <http://freeipa.udistritaloas.edu.co>
> 341 systemctl restart ovirt-engine
> 342 engine-manage-domains list
> 343 history
> 344 cd /etc/ovirt-engine/extensions.d/
> 345 ll
> 346 rm -rf internal-authn.properties
> 347 rm -rf internal-authz.properties
> 348 rm -rf profile1-authn.properties
> 349 rm -rf profile1-authz.properties
> 350 history
> 351 cd /etc/ovirt-engine/aaa/
> 352 ll
> 353 rm -rf profile1.properties
> 354 vim internal.properties
> 355 systemctl restart ovirt-engine
> 356 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
> 357 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 358 engine-config -s AdminPassword=interactive
> 359 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 360 systemctl restart ovirt-engine
> 361 exit
> 362 cd /etc/ovirt-engine/aaa/
> 363 ll
> 364 vim internal.properties
> 365 /etc/ovirt-engine/extensions.d/
> 366 cd /etc/ovirt-engine/extensions.d/
> 367 ll
> 368 cd extensions.d/
> 369 ll
> 370 pwd
> 371 ll
> 372 cd ..
> 373 ll
> 374 cd ..
> 375 ll
> 376 cd /etc/ovirt-engine/extensions.d/
> 377 ll
> 378 cd extensions.d/
> 379 ll
> 380 pwd
> 381 ll
> 382 cd ..
> 383 ll
> 384 systemctl restart ovirt-engine.service
> 385 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
> 386 ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
> 387 systemctl restart ovirt-engine.service
> 388 ovirt-aaa-jdbc-tool user password-reset admin at internal
> --password-valid-to="2100-01-01 00:00:00Z"
> 389 yum install -y ovirt-engine-extension-aaa-jdbc
> 390 engine-setup
> 391 ovirt-aaa-jdbc-tool user show admin
> 392 ovirt-aaa-jdbc-tool settings show
> 393 cd /var/log
> 394 ll
> 395 cd ovirt-engine
> 396 ll
> 397 tail -f n 100 ui.log
> 398 ll
> 399 tail -f -n engine.log
> 400 tail -f -n 1000 engine.log
> 401 tail -n 5000 engine.log | grep admin at internal
> 402 ovirt-aaa-jdbc-tool user show admin
> 403 ovirt-aaa-jdbc-tool user show admin at internal
> 404 ovirt-aaa-jdbc-tool query --what=user
> 405 engine-config -s AdminPassword=interactive
> 406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
> 407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
> 408 cd /etc/ovirt-engine/extensions.d/
> 409 ll
> 410 vim /etc/ovirt-engine/aaa/internal.properties
> 411 cd /etc/ovirt-engine/aaa/
> 412 ll
> 413 vim internal.properties
> 414 pwd
> 415 ovirt-aaa-jdbc-tool user add julian
> --attribute=firstName=Julian --attribute=lastName=Tete
> --attribute=email=danteconrad14 at gmail.com <mailto:danteconrad14 at gmail.com>
> 416 ovirt-aaa-jdbc-tool user password-reset julian
> --password-valid-to="2025-08-15 10:30:00Z"
> 417 history
> 418 tail -n 5000 engine.log | grep admin at internal
> 419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
> 420 ovirt-aaa-jdbc-tool user edit admin
> --account-valid-from="2015-10-01 00:00:00Z"
> 421 ovirt-aaa-jdbc-tool user password-reset admin --force
> --password-valid-to="2100-01-01 00:00:00Z"
> 422 systemctl restart ovirt-engine.service
> 423 history
> 424 ovirt-aaa-jdbc-tool query --what=user
> 425 updatedb
> 426 locate internal
> 427 yum install -y ovirt-engine-cli
> 428 cd /opt
> 429 cd /opt/
>
>
>
> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com
> <mailto:omachace at redhat.com>>:
>
> On 06/20/2016 06:36 PM, Julián Tete wrote:
>
> oVirt: 3.6.2
>
> Trying to use:
>
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> First use:
>
> engine-manage-domains add --domain=udistritaloas.edu.co
> <http://udistritaloas.edu.co>
> <http://udistritaloas.edu.co> --provider=ipa --user=admin
> --ldap-servers=freeipa.udistritaloas.edu.co
> <http://freeipa.udistritaloas.edu.co>
> <http://freeipa.udistritaloas.edu.co>
>
>
> The domain was added, but a I can't access to the webadmin portal :/
>
> I get the message:
>
> "User is not authorized to perform this action."
>
> In ovirt-cli
>
> [401] - Unauthorized
>
> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
>
> 2016-06-20 10:52:22,835 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-32) [] Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 10:52:22,836 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default
> task-32)
> [] CanDoAction of action 'LoginAdminUser' failed for user
> admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-3) [] Correlation ID: null, Call Stack: null,
> Custom Event
> ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 11:00:37,679 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
> CanDoAction of action 'LoginUser' failed for user admin at internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:01:04,016 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-4) [] Correlation ID: null, Call Stack: null,
> Custom Event
> ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 11:01:04,016 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
> CanDoAction of action 'LoginUser' failed for user admin at internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
>
> I am little bit lost, what was your steps, to get into this state,
> but it looks that your admin at internal user was removed SuperUser
> permissions, I am really not sure how could you achieve that, but to
> fix it please run following command:
>
> $ su - postgres -c "psql -t engine -c \"insert into permissions
> values ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> This command will add your admin at internal SuperUser permissions on
> system.
>
> Can you please describe what have you done a bit more, so we can
> understand the problem?
>
> Thanks.
>
>
> Properties of Internal domain:
>
> cat /etc/ovirt-engine/aaa/internal.properties
>
> ovirt.engine.extension.name <http://ovirt.engine.extension.name>
> <http://ovirt.engine.extension.name> =
> internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name
> <http://ovirt.engine.aaa.authn.profile.name>
> <http://ovirt.engine.aaa.authn.profile.name> = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
> ovirt.engine.extension.name <http://ovirt.engine.extension.name>
> <http://ovirt.engine.extension.name> =
> internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name
> <http://ovirt.engine.aaa.authn.profile.name>
> <http://ovirt.engine.aaa.authn.profile.name> = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
> ovirt.engine.extension.name <http://ovirt.engine.extension.name>
> <http://ovirt.engine.extension.name> =
>
> internal-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> Properties of admin at internal user:
>
> ovirt-aaa-jdbc-tool user show admin
>
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-20 16:01:03Z
> Last unsuccessful Login At: 2016-06-19 16:53:07Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> ¿ Can I assign privilegies to the user ? ¿ Any idea ?
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org <mailto:Users at ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/users
>
>
More information about the Users
mailing list