[ovirt-users] User admin at internal can't login in oVirt 3.6

Julián Tete danteconrad14 at gmail.com
Tue Jun 21 14:54:39 UTC 2016


That's right, I removed the internal properties :/

This is the output of the commands:

/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

Output:

FATAL: Please specify provider namespace



su - postgres -c "psql -t engine -c \"select * from users;\""

Output:

fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconrad14 at gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *



su - postgres -c "psql -t engine -c \"select * from permissions;\""

Output:

00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 | 4 | 1447535033
0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535033
00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 | 4 | 1447535033
00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 | 4 | 1447535033
00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd | 4 | 1447535033
00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 | 4 | 1447535033
00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 | 4 | 1447535033
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa | 1 | 1447535037
7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 | 1457665842
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875


2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace at redhat.com>:

> On 06/20/2016 08:33 PM, Julián Tete wrote:
>
>> Thanks Ondra :)
>>
>> With the command:
>>
>> su - postgres -c "psql -t engine -c \"insert into permissions values
>> ('0000001b-001b-001b-001b-00000000029f',
>> '00000000-0000-0000-0000-000000000001',
>> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
>> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>>
> I've just remembered that there is a bash script for it:
>
>  /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>
> You can use it as follows:
>
>  /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
> --user-name=admin --authz-name=internal-authz --role=SuperUser
>
> But, as per your output above, obviously your problem is not missing
> permissions.
> I think the problem is that you removed the internal*.properties files and
> then re-added them.
> Can you please send the output of the users table and permissions table. Thanks.
>
>  su - postgres -c "psql -t engine -c \"select * from users;\""
>  su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
>> I get:
>>
>> ERROR:  duplicate key value violates unique constraint
>> "idx_combined_ad_role_object"
>> DETAIL:  Key (ad_element_id, role_id,
>> object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
>> 00000000-0000-0000-0000-000000000001,
>> aaa00000-0000-0000-0000-123456789aaa) already exists.
>>
>> History
>>
>>   261  yum install ovirt-engine-extension-aaa-ldap
>>   262  cp -r
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>> /etc/ovirt-engine/
>>   263  cd /etc/ovirt-engine/
>>   264  ll
>>   265  vim profile1.properties
>>   266  ll
>>   267  cd cp
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>>   268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
>>   269  cd
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>>   270  ll
>>   271  cp
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>>   272  cd /etc/ovirt-engine/extensions.d/
>>   273  ll
>>   274  find / -type f -iname profile1.properties
>>   275  cp -r
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>> /etc/ovirt-engine/aaa/
>>   276  find / -type f -iname profile1.properties
>>   277  vim /etc/ovirt-engine/aaa/profile1.properties
>>   278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
>>   279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
>>   280  systemctl restart ovirt-engine
>>   281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
>>   282  cd /usr/share/
>>   283  ls
>>   284  cd ovirt-engine-aaa-ldap
>>   285  ls
>>   286  cd ovirt-engine-extension-aaa-ldap/
>>   287  ls
>>   288  cd examples/
>>   289  ls
>>   290  cd ad
>>   291  ls
>>   292  cd extensions.d/
>>   293  ls
>>   294  vim profile1-authn.properties
>>   295  pwd
>>   296  cd ..
>>   297  pwd
>>   298  cd ..
>>   299  ls
>>   300  cd simple
>>   301  ls
>>   302  cd aaa/
>>   303  ls
>>   304  vim profile1.properties
>>   305  pwd
>>   306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
>>   307  cp -r
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
>> /etc/ovirt-engine/aaa/
>>   308  vim /etc/ovirt-engine/aaa/profile1.properties
>>   309  history
>>   310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
>>   311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
>>   312  systemctl restart ovirt-engine
>>   313  updatedb
>>   314  locate domain1-authn.properties
>>   315  history
>>   316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
>>   317  ll
>>   318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
>>   319  ls
>>   320  cd extensions.d/
>>   321  ls
>>   322  pwd
>>   323  cd /etc/ovirt-engine/extensions.d/
>>   324  ls
>>   325  cp -r
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>> /etc/ovirt-engine/extensions.d/
>>   326   cp -r
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>>   327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
>>   328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
>>   329   cp -r
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>>   330  ll
>>   331  history
>>   332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
>>   333  chmod 600 /etc/ovirt-engine/extensions.d/*
>>   334  ll
>>   335  cd extensions.d/
>>   336  ll
>>   337  cd
>>   338  engine-config -s SASL_QOP=auth
>>   339  systemctl restart ovirt-engine
>>   340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin
>> --ldap-servers=freeipa.udistritaloas.edu.co
>>   341  systemctl restart ovirt-engine
>>   342  engine-manage-domains list
>>   343  history
>>   344  cd /etc/ovirt-engine/extensions.d/
>>   345  ll
>>   346  rm -rf internal-authn.properties
>>   347  rm -rf internal-authz.properties
>>   348  rm -rf profile1-authn.properties
>>   349  rm -rf profile1-authz.properties
>>   350  history
>>   351  cd /etc/ovirt-engine/aaa/
>>   352  ll
>>   353  rm -rf profile1.properties
>>   354  vim internal.properties
>>   355  systemctl restart ovirt-engine
>>   356  ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-to="2100-01-01 00:00:00Z"
>>   357  ovirt-aaa-jdbc-tool user password-reset admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>>   358  engine-config -s AdminPassword=interactive
>>   359  ovirt-aaa-jdbc-tool user password-reset admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>>   360  systemctl restart ovirt-engine
>>   361  exit
>>   362  cd /etc/ovirt-engine/aaa/
>>   363  ll
>>   364  vim internal.properties
>>   365  /etc/ovirt-engine/extensions.d/
>>   366  cd /etc/ovirt-engine/extensions.d/
>>   367  ll
>>   368  cd extensions.d/
>>   369  ll
>>   370  pwd
>>   371  ll
>>   372  cd ..
>>   373  ll
>>   374  cd ..
>>   375  ll
>>   376  cd /etc/ovirt-engine/extensions.d/
>>   377  ll
>>   378  cd extensions.d/
>>   379  ll
>>   380  pwd
>>   381  ll
>>   382  cd ..
>>   383  ll
>>   384  systemctl restart ovirt-engine.service
>>   385  ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-to="2100-01-01 00:00:00Z"
>>   386  ovirt-aaa-jdbc-tool user password-reset admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>>   387  systemctl restart ovirt-engine.service
>>   388  ovirt-aaa-jdbc-tool user password-reset admin at internal
>> --password-valid-to="2100-01-01 00:00:00Z"
>>   389  yum install -y ovirt-engine-extension-aaa-jdbc
>>   390  engine-setup
>>   391  ovirt-aaa-jdbc-tool user show admin
>>   392  ovirt-aaa-jdbc-tool settings show
>>   393  cd /var/log
>>   394  ll
>>   395  cd ovirt-engine
>>   396  ll
>>   397  tail -f n 100 ui.log
>>   398  ll
>>   399  tail -f -n engine.log
>>   400  tail -f -n 1000 engine.log
>>   401  tail -n 5000 engine.log | grep admin at internal
>>   402  ovirt-aaa-jdbc-tool user show admin
>>   403  ovirt-aaa-jdbc-tool user show admin at internal
>>   404  ovirt-aaa-jdbc-tool query --what=user
>>   405  engine-config -s AdminPassword=interactive
>>   406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
>>   407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
>>   408  cd /etc/ovirt-engine/extensions.d/
>>   409  ll
>>   410  vim /etc/ovirt-engine/aaa/internal.properties
>>   411  cd /etc/ovirt-engine/aaa/
>>   412  ll
>>   413  vim internal.properties
>>   414  pwd
>>   415  ovirt-aaa-jdbc-tool user add julian
>> --attribute=firstName=Julian     --attribute=lastName=Tete
>> --attribute=email=danteconrad14 at gmail.com
>>   416  ovirt-aaa-jdbc-tool user password-reset julian
>> --password-valid-to="2025-08-15 10:30:00Z"
>>   417  history
>>   418  tail -n 5000 engine.log | grep admin at internal
>>   419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
>>   420  ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-from="2015-10-01 00:00:00Z"
>>   421  ovirt-aaa-jdbc-tool user password-reset admin --force
>> --password-valid-to="2100-01-01 00:00:00Z"
>>   422  systemctl restart ovirt-engine.service
>>   423  history
>>   424  ovirt-aaa-jdbc-tool query --what=user
>>   425  updatedb
>>   426  locate internal
>>   427  yum install -y ovirt-engine-cli
>>   428  cd /opt
>>   429  cd /opt/
>>
>>
>>
>> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com
>> <mailto:omachace at redhat.com>>:
>>
>>
>>     On 06/20/2016 06:36 PM, Julián Tete wrote:
>>
>>         oVirt: 3.6.2
>>
>>         Trying to use:
>>
>>         https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>>         First use:
>>
>>         engine-manage-domains add --domain=udistritaloas.edu.co
>>         --provider=ipa --user=admin
>>         --ldap-servers=freeipa.udistritaloas.edu.co
>>
>>
>>         The domain was added, but I can't access the webadmin portal :/
>>
>>         I get the message:
>>
>>         "User is not authorized to perform this action."
>>
>>         In ovirt-cli
>>
>>         [401] - Unauthorized
>>
>>         tail -n 5000 /var/log/ovirt-engine/engine.log | grep
>> admin at internal
>>
>>         2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>         2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>         2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>         2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>         2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>         2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>>
>>     I am a little bit lost about what your steps were to get into this state,
>>     but it looks like your admin at internal user had its SuperUser
>>     permissions removed. I am really not sure how you could achieve that, but
>>     to fix it please run the following command:
>>
>>      $ su - postgres -c "psql -t engine -c \"insert into permissions
>>     values ('0000001b-001b-001b-001b-00000000029f',
>>     '00000000-0000-0000-0000-000000000001',
>>     'fdfc627c-d875-11e0-90f0-83df133b58cc',
>>     'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>>     This command will give your admin at internal user SuperUser permissions
>>     on the system.
>>
>>     Can you please describe what you have done in a bit more detail, so we
>>     can understand the problem?
>>
>>     Thanks.
>>
>>
>>         Properties of Internal domain:
>>
>>         cat /etc/ovirt-engine/aaa/internal.properties
>>
>>         ovirt.engine.extension.name = internal-authn
>>         ovirt.engine.extension.bindings.method = jbossmodule
>>         ovirt.engine.extension.binding.jbossmodule.module =
>>         org.ovirt.engine.extension.aaa.jdbc
>>         ovirt.engine.extension.binding.jbossmodule.class =
>>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>>         ovirt.engine.extension.provides =
>>         org.ovirt.engine.api.extensions.aaa.Authn
>>         ovirt.engine.aaa.authn.profile.name = internal
>>         ovirt.engine.aaa.authn.authz.plugin = internal-authz
>>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>>         cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>>
>>         ovirt.engine.extension.name = internal-authn
>>         ovirt.engine.extension.bindings.method = jbossmodule
>>         ovirt.engine.extension.binding.jbossmodule.module =
>>         org.ovirt.engine.extension.aaa.jdbc
>>         ovirt.engine.extension.binding.jbossmodule.class =
>>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>>         ovirt.engine.extension.provides =
>>         org.ovirt.engine.api.extensions.aaa.Authn
>>         ovirt.engine.aaa.authn.profile.name = internal
>>         ovirt.engine.aaa.authn.authz.plugin = internal-authz
>>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>>         cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>>
>>         ovirt.engine.extension.name = internal-authz
>>         ovirt.engine.extension.bindings.method = jbossmodule
>>         ovirt.engine.extension.binding.jbossmodule.module =
>>         org.ovirt.engine.extension.aaa.jdbc
>>         ovirt.engine.extension.binding.jbossmodule.class =
>>         org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
>>         ovirt.engine.extension.provides =
>>         org.ovirt.engine.api.extensions.aaa.Authz
>>         config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>>         Properties of admin at internal user:
>>
>>         ovirt-aaa-jdbc-tool user show admin
>>
>>         -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>>         Namespace: *
>>         Name: admin
>>         ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>>         Display Name:
>>         Email:
>>         First Name: admin
>>         Last Name:
>>         Department:
>>         Title:
>>         Description:
>>         Account Disabled: false
>>         Account Unlocked At: 1970-01-01 00:00:00Z
>>         Account Valid From: 2015-10-01 00:00:00Z
>>         Account Valid To: 2100-01-01 00:00:00Z
>>         Account Without Password: false
>>         Last successful Login At: 2016-06-20 16:01:03Z
>>         Last unsuccessful Login At: 2016-06-19 16:53:07Z
>>         Password Valid To: 2100-01-01 00:00:00Z
>>
>>         Can I assign privileges to the user? Any idea?
>>
>>
>>
>>
>>
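As an added diagnostic (not code from this thread or from oVirt), the script below re-joins the users and permissions rows quoted above and reports permission rows whose ad_element_id points at a user record in a different domain than the authz profile the engine now logs in through, plus users of that profile that hold no permission at all. The column positions it reads from the users rows are an assumption to verify against your own engine schema.

```python
"""Cross-check the oVirt users/permissions rows quoted in this thread: flag
permissions attached to a user record whose domain is not the authz profile the
engine now logs in through, and list users of that profile with no permission.
"""
from collections import defaultdict

# Constructed from the psql -t output above, one row per line. Column positions
# are assumed: 0 user_id, 3 domain, 4 username, 9 external_id (verify with \d users).
USERS = """\
fdfc627c-d875-11e0-90f0-83df133b58cc | admin |  | internal | admin |  |  |  | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
16f666bb-b4c8-44c9-8264-30c3aff63a6e |  | Administrator | udistritaloas.edu.co | admin |  |  |  | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian |  | danteconrad14 at gmail.com |  | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin |  | internal-authz | admin |  |  |  | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *
"""

# id | role_id | ad_element_id | object_id (object_type_id and creation_date dropped).
PERMISSIONS = """\
00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000
0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6
00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa
00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa
00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1
00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6
00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd
00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0
00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314
00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa
7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b
e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b
c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396
"""


def rows(text):
    """Split psql -t output into lists of stripped fields, one per non-blank line."""
    return [[f.strip() for f in line.split("|")] for line in text.splitlines() if line.strip()]


def check(users_text, perms_text, authz_name):
    """Return (mis-attached permission rows, users in authz_name with no permission)."""
    users = {r[0]: {"domain": r[3], "username": r[4], "external_id": r[9]}
             for r in rows(users_text)}
    # external_id -> user_id for the records the active authz profile already owns
    in_authz = {u["external_id"]: uid for uid, u in users.items() if u["domain"] == authz_name}
    granted, findings = defaultdict(list), []
    for perm_id, role_id, ad_element_id, object_id in rows(perms_text):
        user = users.get(ad_element_id)
        if user is None:  # a group such as Everyone, or a dangling id: not a user row
            continue
        granted[ad_element_id].append(perm_id)
        if user["domain"] != authz_name:  # permission bound to a record the login won't resolve to
            findings.append({"permission": perm_id, "role": role_id, "object": object_id,
                             "attached_to": ad_element_id, "attached_domain": user["domain"],
                             "same_user_in_authz": in_authz.get(user["external_id"])})
    unprivileged = sorted(uid for uid, u in users.items()
                          if u["domain"] == authz_name and uid not in granted)
    return findings, unprivileged
```

Run `check(USERS, PERMISSIONS, "internal-authz")` to see which SuperUser grant is attached to the old "internal" record and which user_id the current profile resolves admin to; the same rows checked against "internal" report nothing.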

