[ovirt-users] User admin at internal can't login in oVirt 3.6
Ondra Machacek
omachace at redhat.com
Wed Jun 22 16:14:10 UTC 2016
On 06/22/2016 05:21 PM, Julián Tete wrote:
> S-O-L-V-E-D!!!
>
> You are a Wizard Ondra Machacek!!!
>
> Thank you very much!!! As Apache says: "It works"
Great! You are welcome
>
> I have a question for you
>
> In the command
>
> su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> What's the meaning of:
>
> 0000001b-001b-001b-001b-00000000029f
This one is id of permission. It's auto generated.
>
> 00000000-0000-0000-0000-000000000001
This one is id of role. This is id of SuperUser as you can see by running:
select * from roles;
>
> aaa00000-0000-0000-0000-123456789aaa
This one is object id, in this case it's id of system.
>
> 1
This one represents the object type; it is a number that represents some
object, for example 1 represents the system object, number 2 represents
Vm, number 3 Host... etc.
>
> ¿?
>
> Thanks again
>
>
> 2016-06-22 5:22 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
> On 06/21/2016 09:18 PM, Julián Tete wrote:
>
> Roger Ondra!
>
> 1) su - postgres -c "psql -t engine -c \"delete from users where
> user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>
> Output:
>
> DELETE 1
>
> 2) su - postgres -c "psql -t engine -c \"UPDATE users set
> domain='internal-authz' where
> user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
> Output:
>
> ERROR: duplicate key value violates unique constraint
> "users_domain_external_id_unique"
> DETAIL: Key (domain, external_id)=(internal-authz,
> fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
>
>
> OK, this is really strange, because this shouldn't be printed as you
> removed all constraints in step 1).
>
> So, can you please first stop ovirt-engine before running the steps
> above? So the steps now would be:
>
> 1) service ovirt-engine stop
>
> 2) remove admin at internal-authz (c9dcda67-9b3e-4255-aa9f-d69043a02b2b)
> (note the id changed from last time). If there are more admin users with
> domain internal-authz, please remove them all.
> $ su - postgres -c "psql -t engine -c \"delete from users where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""
>
> 3) rename admin at internal to admin at internal-authz
> $ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
> 4) service ovirt-engine start
>
>
> 3) systemctl restart ovirt-engine.service
>
> No login yet :(
>
> Look at this:
>
> ovirt-aaa-jdbc-tool user show admin
>
> Output:
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-21 19:15:59Z
> Last unsuccessful Login At: 2016-06-20 17:33:24Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> su - postgres -c "psql -t engine -c \"select * from users;\""
>
> Output:
>
> fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
> 16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
> c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconrad14 at gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
> c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-21 13:54:07.765767-05 | 2016-06-21 14:15:59.352697-05 | *
>
>
> su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
> Output:
>
>
>
>
>
> 2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
> On 06/21/2016 04:54 PM, Julián Tete wrote:
>
> That's right I remove internal properties :/
>
> This is the output of the commands:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
>
> Output:
>
> FATAL: Please specify provider namespace
>
>
> You don't have to run it, I've just sent it for future reference :)
> But if you for example want to add SuperUser permissions to user
> 'julian', you can run:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
> --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
> --role=SuperUser --user-name=julian --authz-name=internal-authz
> --principal-namespace=*
>
> And you don't need admin at internal-authz user.
>
>
> su - postgres -c "psql -t engine -c \"select * from users;\""
>
> Output:
>
> fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
> 16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
> c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconrad14 at gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
> 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *
>
> su - postgres -c "psql -t engine -c \"select * from
> permissions;\""
>
>
> Ok, according to the current status I would suggest you:
>
> 1) remove admin at internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
> $ su - postgres -c "psql -t engine -c \"delete from users where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>
> 2) rename admin at internal to admin at internal-authz
> $ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
> Then restart ovirt-engine and try to login.
>
> The problem here is that it tries to login with an admin user which
> doesn't have any permissions, and you have two admin users, because you
> have removed the internal-*properties files, so it added another one.
>
>
> Output:
>
>
>
>
> 2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
> On 06/20/2016 08:33 PM, Julián Tete wrote:
>
> Thanks Ondra :)
>
> With the command:
>
> su - postgres -c "psql -t engine -c \"insert into
> permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
>
> I've just remembered, that there is bash script for it:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>
> You can use it as follows:
>
> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser
>
> But, as per your output above, obviously your problem is not missing
> permissions.
> I think the problem is that you removed the internal*.properties files
> and then re-added them.
> Can you please send the output of the users table and the permissions
> table. Thanks.
>
> su - postgres -c "psql -t engine -c \"select * from users;\""
> su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
> I get:
>
> ERROR: duplicate key value violates unique constraint "idx_combined_ad_role_object"
> DETAIL: Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.
>
> History
>
> 261 yum install ovirt-engine-extension-aaa-ldap
> 262 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
> 263 cd /etc/ovirt-engine/
> 264 ll
> 265 vim profile1.properties
> 266 ll
> 267 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
> 269 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
> 270 ll
> 271 cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 272 cd /etc/ovirt-engine/extensions.d/
> 273 ll
> 274 find / -type f -iname profile1.properties
> 275 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
> 276 find / -type f -iname profile1.properties
> 277 vim /etc/ovirt-engine/aaa/profile1.properties
> 278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 280 systemctl restart ovirt-engine
> 281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 282 cd /usr/share/
> 283 ls
> 284 cd ovirt-engine-aaa-ldap
> 285 ls
> 286 cd ovirt-engine-extension-aaa-ldap/
> 287 ls
> 288 cd examples/
> 289 ls
> 290 cd ad
> 291 ls
> 292 cd extensions.d/
> 293 ls
> 294 vim profile1-authn.properties
> 295 pwd
> 296 cd ..
> 297 pwd
> 298 cd ..
> 299 ls
> 300 cd simple
> 301 ls
> 302 cd aaa/
> 303 ls
> 304 vim profile1.properties
> 305 pwd
> 306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
> 307 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
> 308 vim /etc/ovirt-engine/aaa/profile1.properties
> 309 history
> 310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
> 311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
> 312 systemctl restart ovirt-engine
> 313 updatedb
> 314 locate domain1-authn.properties
> 315 history
> 316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
> 317 ll
> 318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
> 319 ls
> 320 cd extensions.d/
> 321 ls
> 322 pwd
> 323 cd /etc/ovirt-engine/extensions.d/
> 324 ls
> 325 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
> 326 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
> 328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
> 329 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
> 330 ll
> 331 history
> 332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
> 333 chmod 600 /etc/ovirt-engine/extensions.d/*
> 334 ll
> 335 cd extensions.d/
> 336 ll
> 337 cd
> 338 engine-config -s SASL_QOP=auth
> 339 systemctl restart ovirt-engine
> 340 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
> 341 systemctl restart ovirt-engine
> 342 engine-manage-domains list
> 343 history
> 344 cd /etc/ovirt-engine/extensions.d/
> 345 ll
> 346 rm -rf internal-authn.properties
> 347 rm -rf internal-authz.properties
> 348 rm -rf profile1-authn.properties
> 349 rm -rf profile1-authz.properties
> 350 history
> 351 cd /etc/ovirt-engine/aaa/
> 352 ll
> 353 rm -rf profile1.properties
> 354 vim internal.properties
> 355 systemctl restart ovirt-engine
> 356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
> 357 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
> 358 engine-config -s AdminPassword=interactive
> 359 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
> 360 systemctl restart ovirt-engine
> 361 exit
> 362 cd /etc/ovirt-engine/aaa/
> 363 ll
> 364 vim internal.properties
> 365 /etc/ovirt-engine/extensions.d/
> 366 cd /etc/ovirt-engine/extensions.d/
> 367 ll
> 368 cd extensions.d/
> 369 ll
> 370 pwd
> 371 ll
> 372 cd ..
> 373 ll
> 374 cd ..
> 375 ll
> 376 cd /etc/ovirt-engine/extensions.d/
> 377 ll
> 378 cd extensions.d/
> 379 ll
> 380 pwd
> 381 ll
> 382 cd ..
> 383 ll
> 384 systemctl restart ovirt-engine.service
> 385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
> 386 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
> 387 systemctl restart ovirt-engine.service
> 388 ovirt-aaa-jdbc-tool user password-reset admin at internal --password-valid-to="2100-01-01 00:00:00Z"
> 389 yum install -y ovirt-engine-extension-aaa-jdbc
> 390 engine-setup
> 391 ovirt-aaa-jdbc-tool user show admin
> 392 ovirt-aaa-jdbc-tool settings show
> 393 cd /var/log
> 394 ll
> 395 cd ovirt-engine
> 396 ll
> 397 tail -f n 100 ui.log
> 398 ll
> 399 tail -f -n engine.log
> 400 tail -f -n 1000 engine.log
> 401 tail -n 5000 engine.log | grep admin at internal
> 402 ovirt-aaa-jdbc-tool user show admin
> 403 ovirt-aaa-jdbc-tool user show admin at internal
> 404 ovirt-aaa-jdbc-tool query --what=user
> 405 engine-config -s AdminPassword=interactive
> 406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
> 407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
> 408 cd /etc/ovirt-engine/extensions.d/
> 409 ll
> 410 vim /etc/ovirt-engine/aaa/internal.properties
> 411 cd /etc/ovirt-engine/aaa/
> 412 ll
> 413 vim internal.properties
> 414 pwd
> 415 ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconrad14 at gmail.com
> 416 ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
> 417 history
> 418 tail -n 5000 engine.log | grep admin at internal
> 419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
> 420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
> 421 ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
> 422 systemctl restart ovirt-engine.service
> 423 history
> 424 ovirt-aaa-jdbc-tool query --what=user
> 425 updatedb
> 426 locate internal
> 427 yum install -y ovirt-engine-cli
> 428 cd /opt
> 429 cd /opt/
>
>
>
> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
>
> On 06/20/2016 06:36 PM, Julián Tete wrote:
>
> oVirt: 3.6.2
>
> Trying to use:
>
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> First use:
>
> engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>
> The domain was added, but I can't access the webadmin portal :/
>
> I get the message:
>
> "User is not authorized to perform this action."
>
> In ovirt-cli
>
> [401] - Unauthorized
>
> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
>
> 2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
>
> I am a little bit lost about what your steps were to get into this
> state, but it looks like your admin at internal user had its SuperUser
> permissions removed. I am really not sure how you could achieve that,
> but to fix it please run the following command:
>
> $ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> This command will add your admin at internal SuperUser permissions on
> system.
>
> Can you please describe what you have done a bit more, so we can
> understand the problem?
>
> Thanks.
>
>
> Properties of Internal domain:
>
> cat /etc/ovirt-engine/aaa/internal.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
> ovirt.engine.extension.name = internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
> ovirt.engine.extension.name = internal-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> Properties of admin at internal user:
>
> ovirt-aaa-jdbc-tool user show admin
>
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-20 16:01:03Z
> Last unsuccessful Login At: 2016-06-19 16:53:07Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> Can I assign privileges to the user? Any idea?
>
>
>
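The failure and the repair discussed in this thread, replayed as an added example (not code from the thread or from oVirt). It uses an in-memory SQLite stand-in for the engine database; the column names `id`, `username` and `object_type_id` are assumptions, and it assumes a login is resolved by `(domain, external_id)`, as the unique constraint in the error message suggests.

```python
import sqlite3

# Identifiers below are taken from the thread.
SUPERUSER_ROLE = "00000000-0000-0000-0000-000000000001"
SYSTEM_OBJECT = "aaa00000-0000-0000-0000-123456789aaa"
ADMIN_ID = "fdfc627c-d875-11e0-90f0-83df133b58cc"      # original admin row
DUP_ADMIN_ID = "c9dcda67-9b3e-4255-aa9f-d69043a02b2b"  # second admin row
NEW_PERM_ID = "0000001b-001b-001b-001b-00000000029f"   # id used in the insert

# Simplified stand-in schema (assumption). The two UNIQUE constraints mirror
# the ones named in the thread's error messages.
SCHEMA = """
CREATE TABLE users (
  user_id TEXT PRIMARY KEY, username TEXT, domain TEXT, external_id TEXT,
  UNIQUE (domain, external_id)                -- users_domain_external_id_unique
);
CREATE TABLE permissions (
  id TEXT PRIMARY KEY, role_id TEXT, ad_element_id TEXT,
  object_id TEXT, object_type_id INTEGER,
  UNIQUE (ad_element_id, role_id, object_id)  -- idx_combined_ad_role_object
);
"""

def build_db():
    """State before the fix: two admin rows, SuperUser bound to the old one."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (ADMIN_ID, "admin", "internal", ADMIN_ID),
        (DUP_ADMIN_ID, "admin", "internal-authz", ADMIN_ID),
    ])
    # Constructed permission id; the other values come from the thread.
    db.execute("INSERT INTO permissions VALUES (?,?,?,?,1)",
               ("constructed-perm-id", SUPERUSER_ROLE, ADMIN_ID, SYSTEM_OBJECT))
    db.commit()
    return db

def is_superuser(db, domain, external_id):
    """Return (user_id, has SuperUser on system) for the resolved row, or None."""
    row = db.execute(
        "SELECT u.user_id, COUNT(p.id) FROM users u "
        "LEFT JOIN permissions p ON p.ad_element_id = u.user_id "
        " AND p.role_id = ? AND p.object_id = ? AND p.object_type_id = 1 "
        "WHERE u.domain = ? AND u.external_id = ? GROUP BY u.user_id",
        (SUPERUSER_ROLE, SYSTEM_OBJECT, domain, external_id)).fetchone()
    return None if row is None else (row[0], row[1] > 0)

def shadowed_accounts(db):
    """Rows sharing one external_id, with the number of permissions each holds."""
    return db.execute(
        "SELECT u.external_id, u.domain, u.user_id, COUNT(p.id) "
        "FROM users u LEFT JOIN permissions p ON p.ad_element_id = u.user_id "
        "WHERE u.external_id IN (SELECT external_id FROM users "
        "  GROUP BY external_id HAVING COUNT(*) > 1) "
        "GROUP BY u.user_id ORDER BY u.domain").fetchall()

def try_sql(db, sql, params=()):
    """Run one statement in its own transaction; return 'ok' or the error text."""
    try:
        with db:
            db.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)

def replay_thread(db):
    """Apply the thread's statements in order and record each outcome."""
    rename = "UPDATE users SET domain='internal-authz' WHERE user_id=?"
    out = {"before": is_superuser(db, "internal-authz", ADMIN_ID)}
    # Re-inserting the SuperUser permission fails: the row already exists.
    out["reinsert"] = try_sql(db, "INSERT INTO permissions VALUES (?,?,?,?,1)",
                              (NEW_PERM_ID, SUPERUSER_ROLE, ADMIN_ID, SYSTEM_OBJECT))
    # Renaming while the duplicate row still exists hits the users constraint.
    out["rename_first"] = try_sql(db, rename, (ADMIN_ID,))
    out["delete_dup"] = try_sql(db, "DELETE FROM users WHERE user_id=?",
                                (DUP_ADMIN_ID,))
    out["rename"] = try_sql(db, rename, (ADMIN_ID,))
    out["after"] = is_superuser(db, "internal-authz", ADMIN_ID)
    return out

if __name__ == "__main__":
    conn = build_db()
    for line in shadowed_accounts(conn):
        print("shadowed:", line)
    for step, result in replay_thread(conn).items():
        print(step, "->", result)
```
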