[ovirt-users] User admin@internal can't login in oVirt 3.6

Ondra Machacek omachace at redhat.com
Tue Jun 21 14:18:09 UTC 2016


On 06/20/2016 08:33 PM, Julián Tete wrote:
> Thanks Ondra :)
>
> With the command:
>
> su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>

I've just remembered that there is a bash script for it:

  /usr/share/ovirt-engine/bin/ovirt-engine-role.sh

You can use it as follows:

  /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

But, as per your output above, obviously your problem is not missing 
permissions.
I think the problem is that you removed the internal*.properties files and 
then re-added them.
Can you please send the output of the users table and the permissions table. Thanks.

  su - postgres -c "psql -t engine -c \"select * from users;\""
  su - postgres -c "psql -t engine -c \"select * from permissions;\""

> I get:
>
> ERROR:  duplicate key value violates unique constraint
> "idx_combined_ad_role_object"
> DETAIL:  Key (ad_element_id, role_id,
> object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
> 00000000-0000-0000-0000-000000000001,
> aaa00000-0000-0000-0000-123456789aaa) already exists.
>
> History
>
>   261  yum install ovirt-engine-extension-aaa-ldap
>   262  cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/
>   263  cd /etc/ovirt-engine/
>   264  ll
>   265  vim profile1.properties
>   266  ll
>   267  cd cp
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
>   268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
>   269  cd
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>   270  ll
>   271  cp
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
> /etc/ovirt-engine/extensions.d/
>   272  cd /etc/ovirt-engine/extensions.d/
>   273  ll
>   274  find / -type f -iname profile1.properties
>   275  cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
>   276  find / -type f -iname profile1.properties
>   277  vim /etc/ovirt-engine/aaa/profile1.properties
>   278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
>   279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
>   280  systemctl restart ovirt-engine
>   281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
>   282  cd /usr/share/
>   283  ls
>   284  cd ovirt-engine-aaa-ldap
>   285  ls
>   286  cd ovirt-engine-extension-aaa-ldap/
>   287  ls
>   288  cd examples/
>   289  ls
>   290  cd ad
>   291  ls
>   292  cd extensions.d/
>   293  ls
>   294  vim profile1-authn.properties
>   295  pwd
>   296  cd ..
>   297  pwd
>   298  cd ..
>   299  ls
>   300  cd simple
>   301  ls
>   302  cd aaa/
>   303  ls
>   304  vim profile1.properties
>   305  pwd
>   306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
>   307  cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
> /etc/ovirt-engine/aaa/
>   308  vim /etc/ovirt-engine/aaa/profile1.properties
>   309  history
>   310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
>   311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
>   312  systemctl restart ovirt-engine
>   313  updatedb
>   314  locate domain1-authn.properties
>   315  history
>   316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
>   317  ll
>   318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
>   319  ls
>   320  cd extensions.d/
>   321  ls
>   322  pwd
>   323  cd /etc/ovirt-engine/extensions.d/
>   324  ls
>   325  cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> /etc/ovirt-engine/extensions.d/
>   326   cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
>   327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
>   328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
>   329   cp -r
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
>   330  ll
>   331  history
>   332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
>   333  chmod 600 /etc/ovirt-engine/extensions.d/*
>   334  ll
>   335  cd extensions.d/
>   336  ll
>   337  cd
>   338  engine-config -s SASL_QOP=auth
>   339  systemctl restart ovirt-engine
>   340  engine-manage-domains add --domain=udistritaloas.edu.co
> --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>   341  systemctl restart ovirt-engine
>   342  engine-manage-domains list
>   343  history
>   344  cd /etc/ovirt-engine/extensions.d/
>   345  ll
>   346  rm -rf internal-authn.properties
>   347  rm -rf internal-authz.properties
>   348  rm -rf profile1-authn.properties
>   349  rm -rf profile1-authz.properties
>   350  history
>   351  cd /etc/ovirt-engine/aaa/
>   352  ll
>   353  rm -rf profile1.properties
>   354  vim internal.properties
>   355  systemctl restart ovirt-engine
>   356  ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
>   357  ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
>   358  engine-config -s AdminPassword=interactive
>   359  ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
>   360  systemctl restart ovirt-engine
>   361  exit
>   362  cd /etc/ovirt-engine/aaa/
>   363  ll
>   364  vim internal.properties
>   365  /etc/ovirt-engine/extensions.d/
>   366  cd /etc/ovirt-engine/extensions.d/
>   367  ll
>   368  cd extensions.d/
>   369  ll
>   370  pwd
>   371  ll
>   372  cd ..
>   373  ll
>   374  cd ..
>   375  ll
>   376  cd /etc/ovirt-engine/extensions.d/
>   377  ll
>   378  cd extensions.d/
>   379  ll
>   380  pwd
>   381  ll
>   382  cd ..
>   383  ll
>   384  systemctl restart ovirt-engine.service
>   385  ovirt-aaa-jdbc-tool user edit admin
> --account-valid-to="2100-01-01 00:00:00Z"
>   386  ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2100-01-01 00:00:00Z"
>   387  systemctl restart ovirt-engine.service
>   388  ovirt-aaa-jdbc-tool user password-reset admin@internal
> --password-valid-to="2100-01-01 00:00:00Z"
>   389  yum install -y ovirt-engine-extension-aaa-jdbc
>   390  engine-setup
>   391  ovirt-aaa-jdbc-tool user show admin
>   392  ovirt-aaa-jdbc-tool settings show
>   393  cd /var/log
>   394  ll
>   395  cd ovirt-engine
>   396  ll
>   397  tail -f n 100 ui.log
>   398  ll
>   399  tail -f -n engine.log
>   400  tail -f -n 1000 engine.log
>   401  tail -n 5000 engine.log | grep admin@internal
>   402  ovirt-aaa-jdbc-tool user show admin
>   403  ovirt-aaa-jdbc-tool user show admin@internal
>   404  ovirt-aaa-jdbc-tool query --what=user
>   405  engine-config -s AdminPassword=interactive
>   406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
>   407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
>   408  cd /etc/ovirt-engine/extensions.d/
>   409  ll
>   410  vim /etc/ovirt-engine/aaa/internal.properties
>   411  cd /etc/ovirt-engine/aaa/
>   412  ll
>   413  vim internal.properties
>   414  pwd
>   415  ovirt-aaa-jdbc-tool user add julian
> --attribute=firstName=Julian     --attribute=lastName=Tete
> --attribute=email=danteconrad14 at gmail.com
>   416  ovirt-aaa-jdbc-tool user password-reset julian
> --password-valid-to="2025-08-15 10:30:00Z"
>   417  history
>   418  tail -n 5000 engine.log | grep admin@internal
>   419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>   420  ovirt-aaa-jdbc-tool user edit admin
> --account-valid-from="2015-10-01 00:00:00Z"
>   421  ovirt-aaa-jdbc-tool user password-reset admin --force
> --password-valid-to="2100-01-01 00:00:00Z"
>   422  systemctl restart ovirt-engine.service
>   423  history
>   424  ovirt-aaa-jdbc-tool query --what=user
>   425  updatedb
>   426  locate internal
>   427  yum install -y ovirt-engine-cli
>   428  cd /opt
>   429  cd /opt/
>
>
>
> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>     On 06/20/2016 06:36 PM, Julián Tete wrote:
>
>         oVirt: 3.6.2
>
>         Trying to use:
>
>         https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
>         First use:
>
>         engine-manage-domains add --domain=udistritaloas.edu.co
>         --provider=ipa --user=admin
>         --ldap-servers=freeipa.udistritaloas.edu.co
>
>
>         The domain was added, but I can't access the webadmin portal :/
>
>         I get the message:
>
>         "User is not authorized to perform this action."
>
>         In ovirt-cli
>
>         [401] - Unauthorized
>
>         tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>
>         2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>         2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>         2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>         2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>         2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>         2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
>
>     I am a little bit lost about what your steps were to get into this state,
>     but it looks like your admin@internal user had its SuperUser
>     permissions removed. I am really not sure how you could achieve that, but to
>     fix it please run the following command:
>
>      $ su - postgres -c "psql -t engine -c \"insert into permissions
>     values ('0000001b-001b-001b-001b-00000000029f',
>     '00000000-0000-0000-0000-000000000001',
>     'fdfc627c-d875-11e0-90f0-83df133b58cc',
>     'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
>     This command will give your admin@internal user SuperUser permissions on
>     the system.
>
>     Can you please describe what you have done in a bit more detail, so we can
>     understand the problem?
>
>     Thanks.
>
>
>         Properties of Internal domain:
>
>         cat /etc/ovirt-engine/aaa/internal.properties
>
>         ovirt.engine.extension.name = internal-authn
>         ovirt.engine.extension.bindings.method = jbossmodule
>         ovirt.engine.extension.binding.jbossmodule.module =
>         org.ovirt.engine.extension.aaa.jdbc
>         ovirt.engine.extension.binding.jbossmodule.class =
>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>         ovirt.engine.extension.provides =
>         org.ovirt.engine.api.extensions.aaa.Authn
>         ovirt.engine.aaa.authn.profile.name = internal
>         ovirt.engine.aaa.authn.authz.plugin = internal-authz
>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>         cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
>         ovirt.engine.extension.name = internal-authn
>         ovirt.engine.extension.bindings.method = jbossmodule
>         ovirt.engine.extension.binding.jbossmodule.module =
>         org.ovirt.engine.extension.aaa.jdbc
>         ovirt.engine.extension.binding.jbossmodule.class =
>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>         ovirt.engine.extension.provides =
>         org.ovirt.engine.api.extensions.aaa.Authn
>         ovirt.engine.aaa.authn.profile.name = internal
>         ovirt.engine.aaa.authn.authz.plugin = internal-authz
>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>         cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
>         ovirt.engine.extension.name = internal-authz
>         ovirt.engine.extension.bindings.method = jbossmodule
>         ovirt.engine.extension.binding.jbossmodule.module =
>         org.ovirt.engine.extension.aaa.jdbc
>         ovirt.engine.extension.binding.jbossmodule.class =
>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
>         ovirt.engine.extension.provides =
>         org.ovirt.engine.api.extensions.aaa.Authz
>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>         Properties of admin@internal user:
>
>         ovirt-aaa-jdbc-tool user show admin
>
>         -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>         Namespace: *
>         Name: admin
>         ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>         Display Name:
>         Email:
>         First Name: admin
>         Last Name:
>         Department:
>         Title:
>         Description:
>         Account Disabled: false
>         Account Unlocked At: 1970-01-01 00:00:00Z
>         Account Valid From: 2015-10-01 00:00:00Z
>         Account Valid To: 2100-01-01 00:00:00Z
>         Account Without Password: false
>         Last successful Login At: 2016-06-20 16:01:03Z
>         Last unsuccessful Login At: 2016-06-19 16:53:07Z
>         Password Valid To: 2100-01-01 00:00:00Z
>
>         Can I assign privileges to the user? Any idea?
>
>
>         _______________________________________________
>         Users mailing list
>         Users at ovirt.org
>         http://lists.ovirt.org/mailman/listinfo/users
>
>
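The quoted output above shows /etc/ovirt-engine/aaa/internal.properties carrying the same content as extensions.d/internal-authn.properties, which fits Ondra's suspicion that the internal*.properties files were removed and re-created. The following is an added example, not code from this thread or from the oVirt project: a small Python checker that parses Java-style .properties text and flags a datasource file that looks like an extension descriptor. It assumes (not stated on the page) that a healthy aaa-jdbc datasource file defines config.datasource.jdbcurl and config.datasource.dbuser; the database password in the sample is a placeholder.

```python
"""Sanity check for the oVirt aaa-jdbc extension layout (added example).

Assumption, not taken from the thread: a healthy datasource file defines
config.datasource.jdbcurl and config.datasource.dbuser.
"""
import re

EXT_PREFIX = "ovirt.engine.extension."
AUTHN_IFACE = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_IFACE = "org.ovirt.engine.api.extensions.aaa.Authz"
EXTENSIONS_DIR = "/etc/ovirt-engine/extensions.d/"
REQUIRED_DS_KEYS = ("config.datasource.jdbcurl", "config.datasource.dbuser")
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, 'key = value' or
    'key: value', and backslash line continuations.  Returns a dict."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf = line[:-1]  # logical line continues on the next physical line
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_layout(files):
    """files maps absolute path -> file text (a snapshot of /etc/ovirt-engine).
    Returns a list of findings; an empty list means the layout looks sane."""
    parsed = {path: parse_properties(text) for path, text in files.items()}
    findings, by_name = [], {}
    # Pass 1: every descriptor in extensions.d must carry an extension name.
    for path, props in parsed.items():
        if not path.startswith(EXTENSIONS_DIR):
            continue
        name = props.get(EXT_PREFIX + "name")
        if not name:
            findings.append(f"{path}: missing {EXT_PREFIX}name")
        else:
            by_name[name] = (path, props)
    # Pass 2: authn -> authz wiring, and the datasource file each descriptor names.
    checked_ds = set()
    for path, props in by_name.values():
        if props.get(EXT_PREFIX + "provides") == AUTHN_IFACE:
            authz = props.get("ovirt.engine.aaa.authn.authz.plugin")
            target = by_name.get(authz)
            if target is None or target[1].get(EXT_PREFIX + "provides") != AUTHZ_IFACE:
                findings.append(f"{path}: authz plugin {authz!r} is not an Authz extension")
        ds = props.get("config.datasource.file")
        if ds is None:
            findings.append(f"{path}: no config.datasource.file")
            continue
        if ds in checked_ds:
            continue
        checked_ds.add(ds)
        if ds not in parsed:
            findings.append(f"{path}: datasource file {ds} does not exist")
            continue
        ext_keys = sorted(k for k in parsed[ds] if k.startswith(EXT_PREFIX))
        if ext_keys:
            # The state the thread shows: the datasource file was re-created from
            # an extensions.d descriptor instead of from the jdbc database settings.
            findings.append(f"{ds}: contains extension descriptor keys ({ext_keys[0]}, ...); "
                            f"it was probably overwritten with a copy of {path}")
        for key in REQUIRED_DS_KEYS:
            if key not in parsed[ds]:
                findings.append(f"{ds}: missing {key}")
    return findings


# Constructed snapshots.  BROKEN mirrors (abridged) the files quoted in the
# thread, where aaa/internal.properties equals the authn descriptor.
AUTHN_DESCRIPTOR = """\
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
"""
AUTHZ_DESCRIPTOR = """\
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
"""
# Assumed datasource content with a placeholder password (not quoted from the page).
DATASOURCE = """\
config.datasource.jdbcurl = jdbc:postgresql://localhost:5432/engine
config.datasource.dbuser = engine
config.datasource.dbpassword = PLACEHOLDER_PASSWORD
"""
BROKEN_SNAPSHOT = {
    EXTENSIONS_DIR + "internal-authn.properties": AUTHN_DESCRIPTOR,
    EXTENSIONS_DIR + "internal-authz.properties": AUTHZ_DESCRIPTOR,
    "/etc/ovirt-engine/aaa/internal.properties": AUTHN_DESCRIPTOR,
}
FIXED_SNAPSHOT = {**BROKEN_SNAPSHOT, "/etc/ovirt-engine/aaa/internal.properties": DATASOURCE}

if __name__ == "__main__":
    for label, snap in (("broken", BROKEN_SNAPSHOT), ("fixed", FIXED_SNAPSHOT)):
        print(label, check_layout(snap) or "OK")
```

Run against a real host by reading the three files into the dict the way the snapshots are built; the "broken" snapshot yields three findings (descriptor keys in the datasource file plus the two missing datasource keys), the "fixed" one none.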


