[ovirt-users] User admin at internal can't login in oVirt 3.6

Ondra Machacek omachace at redhat.com
Wed Jun 22 16:14:10 UTC 2016


On 06/22/2016 05:21 PM, Julián Tete wrote:
> S-O-L-V-E-D!!!
>
> You are a Wizard Ondra Machacek!!!
>
> Thank you very much!!! As Apache says: "It works"

Great! You are welcome

>
> I have a question for you
>
> In the command
>
> su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> What's the meaning of:
>
> 0000001b-001b-001b-001b-00000000029f

This one is the ID of the permission. It's auto-generated.

>
> 00000000-0000-0000-0000-000000000001

This one is the ID of the role. This is the ID of SuperUser, as you can see by running:

  select * from roles;

>
> aaa00000-0000-0000-0000-123456789aaa

This one is the object ID; in this case it's the ID of the system.

>
> 1

This one represents the object type; it is a number that represents some
object, for example 1 represents the system object, number 2 represents Vm,
number 3 Host... etc.

>
> ¿?
>
> Thanks again
>
>
> 2016-06-22 5:22 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>     On 06/21/2016 09:18 PM, Julián Tete wrote:
>
>         Roger Ondra!
>
>         1) su - postgres -c "psql -t engine -c \"delete from users where
>         user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>
>         Output:
>
>         DELETE 1
>
>         2) su - postgres -c "psql -t engine -c \"UPDATE users set
>         domain='internal-authz'  where
>         user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
>         Output:
>
>         ERROR:  duplicate key value violates unique constraint
>         "users_domain_external_id_unique"
>         DETAIL:  Key (domain, external_id)=(internal-authz,
>         fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
>
>
>     OK, this is really strange, because this shouldn't be printed as you
>     removed all constraints in step 1).
>
>     So, can you please first stop ovirt-engine, before running steps
>     above? So the steps now
>     would be:
>
>      1) service ovirt-engine stop
>
>      2) remove admin at internal-authz
>     (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note the id
>     changed from last time). If there are more admin users with domain
>     internal-authz, please
>     remove them all.
>           $ su - postgres -c "psql -t engine -c \"delete from users
>     where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""
>
>      3) rename admin at internal to admin at internal-authz
>           $ su - postgres -c "psql -t engine -c \"UPDATE users set
>     domain='internal-authz'  where
>     user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
>       4) service ovirt-engine start
>
>
>         3) systemctl restart ovirt-engine.service
>
>         No login yet :(
>
>         Look at this:
>
>         ovirt-aaa-jdbc-tool user show admin
>
>         Output:
>         -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>         Namespace: *
>         Name: admin
>         ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>         Display Name:
>         Email:
>         First Name: admin
>         Last Name:
>         Department:
>         Title:
>         Description:
>         Account Disabled: false
>         Account Unlocked At: 1970-01-01 00:00:00Z
>         Account Valid From: 2015-10-01 00:00:00Z
>         Account Valid To: 2100-01-01 00:00:00Z
>         Account Without Password: false
>         Last successful Login At: 2016-06-21 19:15:59Z
>         Last unsuccessful Login At: 2016-06-20 17:33:24Z
>         Password Valid To: 2100-01-01 00:00:00Z
>
>         su - postgres -c "psql -t engine -c \"select * from users;\""
>
>         Output:
>
>          fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               |
>         internal             | admin    |            |
>         |      | t                       |
>         fdfc627c-d875-11e0-90f0-83df133b58cc
>         | 2015-09-19 21:38:44.838161-
>         05 | 2016-06-18 20:42:18.883738-05 | *
>          16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator |
>         udistritaloas.edu.co | admin
>         |            |                         |      | f
>         | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-
>         05 | 2016-06-19 12:24:41.590162-05 | *
>          c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          |
>         internal-authz       | julian   |            |
>         danteconrad14 at gmail.com |      | f                       |
>         1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-
>         05 | 2016-06-20 11:23:19.261686-05 | *
>          c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin  |               |
>         internal-authz       | admin    |            |
>         |      | f                       |
>         fdfc627c-d875-11e0-90f0-83df133b58cc
>         | 2016-06-21 13:54:07.765767-
>         05 | 2016-06-21 14:15:59.352697-05 | *
>
>
>         su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
>         Output:
>
>          00000004-0004-0004-0004-00000000025e |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000000-0000-0000-0000-000000000000 |              4 |
>         1447535033
>          0000000f-000f-000f-000f-000000000293 |
>         def0000a-0000-0000-0000-def000000010 |
>         eee00000-0000-0000-0000-123456789eee |
>         0000000e-000e-000e-000e-0000000002d6 |             27 |
>         1447535033
>          00000003-0003-0003-0003-00000000009c |
>         00000000-0000-0000-0000-000000000001 |
>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>         1447535033
>          00000006-0006-0006-0006-0000000000e3 |
>         00000000-0000-0000-0001-000000000002 |
>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>         1447535033
>          00000011-0011-0011-0011-0000000002a9 |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000010-0010-0010-0010-0000000001d1 |              4 |
>         1447535033
>          00000013-0013-0013-0013-00000000031e |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000012-0012-0012-0012-0000000001c6 |              4 |
>         1447535033
>          00000015-0015-0015-0015-0000000003b8 |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000014-0014-0014-0014-0000000002fd |              4 |
>         1447535033
>          00000017-0017-0017-0017-000000000388 |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000016-0016-0016-0016-0000000002b0 |              4 |
>         1447535033
>          00000019-0019-0019-0019-0000000003d5 |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         00000018-0018-0018-0018-000000000314 |              4 |
>         1447535033
>          00000027-0027-0027-0027-00000000027e |
>         def00021-0000-0000-0000-def000000015 |
>         eee00000-0000-0000-0000-123456789eee |
>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>         1447535037
>          7a3917ea-b2df-444f-938c-f768feeaee04 |
>         def00009-0000-0000-0000-def000000009 |
>         eee00000-0000-0000-0000-123456789eee |
>         8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>         1457665842
>          e8abc833-b860-451c-b580-780c7d1049d4 |
>         def0000a-0000-0000-0000-def00000000f |
>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>         8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>         1457665842
>          c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>         def0000a-0000-0000-0000-def00000000b |
>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>         9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
>         1463161875
>
>
>
>
>         2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
>             On 06/21/2016 04:54 PM, Julián Tete wrote:
>
>                 That's right I remove internal properties :/
>
>                 This is the output of the commands:
>
>                 /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
>                 --user-name=admin --authz-name=internal-authz --role=SuperUser
>
>                 Output:
>
>                 FATAL: Please specify provider namespace
>
>
>             You don't have to run it, I've just sent it for future
>             reference :)
>             But if you for example want to add SuperUser permissions to user
>             'julian', you can run:
>
>               /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
>             --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
>             --role=SuperUser --user-name=julian --authz-name=internal-authz
>             --principal-namespace=*
>
>             And you don't need admin at internal-authz user.
>
>
>                 su - postgres -c "psql -t engine -c \"select * from users;\""
>
>                 Output:
>
>                 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |
>              |
>                 internal             | admin    |            |
>                 |      | t                       |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc
>                 | 2015-09-19 21:38:44.838161-
>                 05 | 2016-06-18 20:42:18.883738-05 | *
>                  16f666bb-b4c8-44c9-8264-30c3aff63a6e |        |
>         Administrator |
>                 udistritaloas.edu.co | admin
>                 |            |                         |      | f
>                 | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
>         11:53:39.249812-
>                 05 | 2016-06-19 12:24:41.590162-05 | *
>                  c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete
>               |
>                 internal-authz       | julian   |            |
>                 danteconrad14 at gmail.com |      | f                       |
>                 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20
>         11:22:56.483292-
>                 05 | 2016-06-20 11:23:19.261686-05 | *
>                  7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |
>                |
>                 internal-authz       | admin    |            |
>                 |      | f                       |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc
>                 | 2016-06-19 11:43:51.644981-
>                 05 | 2016-06-20 16:06:49.138862-05 | *
>
>                 su - postgres -c "psql -t engine -c \"select * from permissions;\""
>
>
>             Ok, according to current status I would suggest you to:
>
>              1) remove admin at internal-authz
>         (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
>                   $ su - postgres -c "psql -t engine -c \"delete from users
>             where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>
>               2) rename admin at internal to admin at internal-authz
>                   $ su - postgres -c "psql -t engine -c \"UPDATE users set
>             domain='internal-authz'  where
>             user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>
>             Then restart ovirt-engine and try to login.
>
>             The problem here is that it tries to log in with an admin user
>             which doesn't have any permissions, and
>             you have two admin users, because you have removed the
>             internal-*properties files, so it added
>             another one.
>
>
>                 Output:
>
>
>                  00000004-0004-0004-0004-00000000025e |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000000-0000-0000-0000-000000000000 |              4 |
>                 1447535033
>                  0000000f-000f-000f-000f-000000000293 |
>                 def0000a-0000-0000-0000-def000000010 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 0000000e-000e-000e-000e-0000000002d6 |             27 |
>                 1447535033
>                  00000003-0003-0003-0003-00000000009c |
>                 00000000-0000-0000-0000-000000000001 |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>                 1447535033
>                  00000006-0006-0006-0006-0000000000e3 |
>                 00000000-0000-0000-0001-000000000002 |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>                 1447535033
>                  00000011-0011-0011-0011-0000000002a9 |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000010-0010-0010-0010-0000000001d1 |              4 |
>                 1447535033
>                  00000013-0013-0013-0013-00000000031e |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000012-0012-0012-0012-0000000001c6 |              4 |
>                 1447535033
>                  00000015-0015-0015-0015-0000000003b8 |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000014-0014-0014-0014-0000000002fd |              4 |
>                 1447535033
>                  00000017-0017-0017-0017-000000000388 |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000016-0016-0016-0016-0000000002b0 |              4 |
>                 1447535033
>                  00000019-0019-0019-0019-0000000003d5 |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 00000018-0018-0018-0018-000000000314 |              4 |
>                 1447535033
>                  00000027-0027-0027-0027-00000000027e |
>                 def00021-0000-0000-0000-def000000015 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>                 1447535037
>                  7a3917ea-b2df-444f-938c-f768feeaee04 |
>                 def00009-0000-0000-0000-def000000009 |
>                 eee00000-0000-0000-0000-123456789eee |
>                 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>                 1457665842
>                  e8abc833-b860-451c-b580-780c7d1049d4 |
>                 def0000a-0000-0000-0000-def00000000f |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>                 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>                 1457665842
>                  c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>                 def0000a-0000-0000-0000-def00000000b |
>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>                 9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
>                 1463161875
>
>
>                 2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
>                     On 06/20/2016 08:33 PM, Julián Tete wrote:
>
>                         Thanks Ondra :)
>
>                         With the command:
>
>                         su - postgres -c "psql -t engine -c \"insert into
>                 permissions values
>                         ('0000001b-001b-001b-001b-00000000029f',
>                         '00000000-0000-0000-0000-000000000001',
>                         'fdfc627c-d875-11e0-90f0-83df133b58cc',
>                         'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
>
>                     I've just remembered that there is a bash script for it:
>
>                      /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>
>                     You can use it as follows:
>
>                      /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>         --command=add
>                     --user-name=admin --authz-name=internal-authz
>         --role=SuperUser
>
>                     But, as per your output above, obviously your problem is
>                     not missing permissions.
>                     I think the problem is that you removed the
>                     internal*.properties files and then re-added them.
>                     Can you please send the output of the users table and the
>                     permissions table? Thanks.
>
>                      su - postgres -c "psql -t engine -c \"select * from
>         users;\""
>                      su - postgres -c "psql -t engine -c \"select * from
>                 permissions;\""
>
>                         I get:
>
>                         ERROR:  duplicate key value violates unique
>         constraint
>                         "idx_combined_ad_role_object"
>                         DETAIL:  Key (ad_element_id, role_id,
>                         object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
>                         00000000-0000-0000-0000-000000000001,
>                         aaa00000-0000-0000-0000-123456789aaa) already
>         exists.
>
>                         History
>
>                           261  yum install ovirt-engine-extension-aaa-ldap
>                           262  cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>                         /etc/ovirt-engine/
>                           263  cd /etc/ovirt-engine/
>                           264  ll
>                           265  vim profile1.properties
>                           266  ll
>                           267  cd cp
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>                         /etc/ovirt-engine/extensions.d/
>                           268  cd cp
>                 /usr/share/ovirt-engine-extension-aaa-ldap/examples/
>                           269  cd
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>                           270  ll
>                           271  cp
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>                         /etc/ovirt-engine/extensions.d/
>                           272  cd /etc/ovirt-engine/extensions.d/
>                           273  ll
>                           274  find / -type f -iname profile1.properties
>                           275  cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>                         /etc/ovirt-engine/aaa/
>                           276  find / -type f -iname profile1.properties
>                           277  vim /etc/ovirt-engine/aaa/profile1.properties
>                           278  chown ovirt:ovirt
>                 /etc/ovirt-engine/aaa/profile1.properties
>                           279  chmod 600
>         /etc/ovirt-engine/aaa/profile1.properties
>                           280  systemctl restart ovirt-engine
>                           281  vim
>                 /etc/ovirt-engine/extensions.d/profile1-authn.properties
>                           282  cd /usr/share/
>                           283  ls
>                           284  cd ovirt-engine-aaa-ldap
>                           285  ls
>                           286  cd ovirt-engine-extension-aaa-ldap/
>                           287  ls
>                           288  cd examples/
>                           289  ls
>                           290  cd ad
>                           291  ls
>                           292  cd extensions.d/
>                           293  ls
>                           294  vim profile1-authn.properties
>                           295  pwd
>                           296  cd ..
>                           297  pwd
>                           298  cd ..
>                           299  ls
>                           300  cd simple
>                           301  ls
>                           302  cd aaa/
>                           303  ls
>                           304  vim profile1.properties
>                           305  pwd
>                           306  rm -rf
>         /etc/ovirt-engine/aaa/profile1.properties
>                           307  cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
>                         /etc/ovirt-engine/aaa/
>                           308  vim /etc/ovirt-engine/aaa/profile1.properties
>                           309  history
>                           310  chown ovirt:ovirt
>                 /etc/ovirt-engine/aaa/profile1.properties
>                           311  chmod 600
>         /etc/ovirt-engine/aaa/profile1.properties
>                           312  systemctl restart ovirt-engine
>                           313  updatedb
>                           314  locate domain1-authn.properties
>                           315  history
>                           316  cd
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
>                           317  ll
>                           318  cd
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
>                           319  ls
>                           320  cd extensions.d/
>                           321  ls
>                           322  pwd
>                           323  cd /etc/ovirt-engine/extensions.d/
>                           324  ls
>                           325  cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>                         /etc/ovirt-engine/extensions.d/
>                           326   cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>                         /etc/ovirt-engine/extensions.d/
>                           327  rm -rf
>
>         /etc/ovirt-engine/extensions.d/profile1-authn.properties
>                           328  rm -rf
>
>         /etc/ovirt-engine/extensions.d/profile1-authz.properties
>                           329   cp -r
>
>
>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>                         /etc/ovirt-engine/extensions.d/
>                           330  ll
>                           331  history
>                           332  chown ovirt:ovirt
>         /etc/ovirt-engine/extensions.d/*
>                           333  chmod 600 /etc/ovirt-engine/extensions.d/*
>                           334  ll
>                           335  cd extensions.d/
>                           336  ll
>                           337  cd
>                           338  engine-config -s SASL_QOP=auth
>                           339  systemctl restart ovirt-engine
>                           340  engine-manage-domains add
>                         --domain=udistritaloas.edu.co --provider=ipa --user=admin
>                         --ldap-servers=freeipa.udistritaloas.edu.co
>                           341  systemctl restart ovirt-engine
>                           342  engine-manage-domains list
>                           343  history
>                           344  cd /etc/ovirt-engine/extensions.d/
>                           345  ll
>                           346  rm -rf internal-authn.properties
>                           347  rm -rf internal-authz.properties
>                           348  rm -rf profile1-authn.properties
>                           349  rm -rf profile1-authz.properties
>                           350  history
>                           351  cd /etc/ovirt-engine/aaa/
>                           352  ll
>                           353  rm -rf profile1.properties
>                           354  vim internal.properties
>                           355  systemctl restart ovirt-engine
>                           356  ovirt-aaa-jdbc-tool user edit admin
>                         --account-valid-to="2100-01-01 00:00:00Z"
>                           357  ovirt-aaa-jdbc-tool user password-reset admin
>                         --password-valid-to="2100-01-01 00:00:00Z"
>                           358  engine-config -s AdminPassword=interactive
>                           359  ovirt-aaa-jdbc-tool user password-reset admin
>                         --password-valid-to="2100-01-01 00:00:00Z"
>                           360  systemctl restart ovirt-engine
>                           361  exit
>                           362  cd /etc/ovirt-engine/aaa/
>                           363  ll
>                           364  vim internal.properties
>                           365  /etc/ovirt-engine/extensions.d/
>                           366  cd /etc/ovirt-engine/extensions.d/
>                           367  ll
>                           368  cd extensions.d/
>                           369  ll
>                           370  pwd
>                           371  ll
>                           372  cd ..
>                           373  ll
>                           374  cd ..
>                           375  ll
>                           376  cd /etc/ovirt-engine/extensions.d/
>                           377  ll
>                           378  cd extensions.d/
>                           379  ll
>                           380  pwd
>                           381  ll
>                           382  cd ..
>                           383  ll
>                           384  systemctl restart ovirt-engine.service
>                           385  ovirt-aaa-jdbc-tool user edit admin
>                         --account-valid-to="2100-01-01 00:00:00Z"
>                           386  ovirt-aaa-jdbc-tool user password-reset admin
>                         --password-valid-to="2100-01-01 00:00:00Z"
>                           387  systemctl restart ovirt-engine.service
>                           388  ovirt-aaa-jdbc-tool user password-reset
>                 admin at internal
>                         --password-valid-to="2100-01-01 00:00:00Z"
>                           389  yum install -y
>         ovirt-engine-extension-aaa-jdbc
>                           390  engine-setup
>                           391  ovirt-aaa-jdbc-tool user show admin
>                           392  ovirt-aaa-jdbc-tool settings show
>                           393  cd /var/log
>                           394  ll
>                           395  cd ovirt-engine
>                           396  ll
>                           397  tail -f n 100 ui.log
>                           398  ll
>                           399  tail -f -n engine.log
>                           400  tail -f -n 1000 engine.log
>                           401  tail -n 5000 engine.log | grep admin at internal
>                           402  ovirt-aaa-jdbc-tool user show admin
>                           403  ovirt-aaa-jdbc-tool user show admin at internal
>                           404  ovirt-aaa-jdbc-tool query --what=user
>                           405  engine-config -s AdminPassword=interactive
>                           406  vim
>                 /etc/ovirt-engine/extension.d/internal-authn.properties
>                           407  vim
>                 /etc/ovirt-engine/extensions.d/internal-authn.properties
>                           408  cd /etc/ovirt-engine/extensions.d/
>                           409  ll
>                           410  vim /etc/ovirt-engine/aaa/internal.properties
>                           411  cd /etc/ovirt-engine/aaa/
>                           412  ll
>                           413  vim internal.properties
>                           414  pwd
>                           415  ovirt-aaa-jdbc-tool user add julian
>                         --attribute=firstName=Julian --attribute=lastName=Tete
>                         --attribute=email=danteconrad14 at gmail.com
>                           416  ovirt-aaa-jdbc-tool user password-reset
>         julian
>                         --password-valid-to="2025-08-15 10:30:00Z"
>                           417  history
>                           418  tail -n 5000 engine.log | grep admin at internal
>                           419  tail -n 5000
>         /var/log/ovirt-engine/engine.log | grep
>                         admin at internal
>                           420  ovirt-aaa-jdbc-tool user edit admin
>                         --account-valid-from="2015-10-01 00:00:00Z"
>                           421  ovirt-aaa-jdbc-tool user password-reset
>         admin --force
>                         --password-valid-to="2100-01-01 00:00:00Z"
>                           422  systemctl restart ovirt-engine.service
>                           423  history
>                           424  ovirt-aaa-jdbc-tool query --what=user
>                           425  updatedb
>                           426  locate internal
>                           427  yum install -y ovirt-engine-cli
>                           428  cd /opt
>                           429  cd /opt/
>
>
>
>                         2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>
>
>
>                             On 06/20/2016 06:36 PM, Julián Tete wrote:
>
>                                 oVirt: 3.6.2
>
>                                 Trying to use:
>
>                                 https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
>                                 First use:
>
>                                 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>
>
>                                 The domain was added, but I can't access the webadmin portal :/
>
>                                 I get the message:
>
>                                 "User is not authorized to perform this action."
>
>                                 In ovirt-cli
>
>                                 [401] - Unauthorized
>
>                                 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>
>                                 2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>                                 2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>                                 2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>                                 2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>                                 2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>                                 2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
>
>                             I am a little bit lost about what your steps were to get
>                             into this state, but it looks like your admin@internal user
>                             had its SuperUser permissions removed. I am really not sure
>                             how you could achieve that, but to fix it please run the
>                             following command:
>
>                              $ su - postgres -c "psql -t engine -c \"insert into permissions
>                              values ('0000001b-001b-001b-001b-00000000029f',
>                              '00000000-0000-0000-0000-000000000001',
>                              'fdfc627c-d875-11e0-90f0-83df133b58cc',
>                              'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
>                             This command will add SuperUser permissions on the system
>                             to your admin@internal user.
>
>                             Can you please describe what you have done a bit more, so
>                             we can understand the problem?
>
>                             Thanks.
>
>
>                                 Properties of Internal domain:
>
>                                 cat /etc/ovirt-engine/aaa/internal.properties
>
>                                 ovirt.engine.extension.name = internal-authn
>                                 ovirt.engine.extension.bindings.method = jbossmodule
>                                 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>                                 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>                                 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>                                 ovirt.engine.aaa.authn.profile.name = internal
>                                 ovirt.engine.aaa.authn.authz.plugin = internal-authz
>                                 config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>                                 cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
>                                 ovirt.engine.extension.name = internal-authn
>                                 ovirt.engine.extension.bindings.method = jbossmodule
>                                 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>                                 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>                                 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>                                 ovirt.engine.aaa.authn.profile.name = internal
>                                 ovirt.engine.aaa.authn.authz.plugin = internal-authz
>                                 config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>                                 cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
>                                 ovirt.engine.extension.name = internal-authz
>                                 ovirt.engine.extension.bindings.method = jbossmodule
>                                 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>                                 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
>                                 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>                                 config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
>                                 Properties of admin@internal user:
>
>                                 ovirt-aaa-jdbc-tool user show admin
>
>                                 -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>                                 Namespace: *
>                                 Name: admin
>                                 ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>                                 Display Name:
>                                 Email:
>                                 First Name: admin
>                                 Last Name:
>                                 Department:
>                                 Title:
>                                 Description:
>                                 Account Disabled: false
>                                 Account Unlocked At: 1970-01-01 00:00:00Z
>                                 Account Valid From: 2015-10-01 00:00:00Z
>                                 Account Valid To: 2100-01-01 00:00:00Z
>                                 Account Without Password: false
>                                 Last successful Login At: 2016-06-20 16:01:03Z
>                                 Last unsuccessful Login At: 2016-06-19 16:53:07Z
>                                 Password Valid To: 2100-01-01 00:00:00Z
>
>                                 ¿ Can I assign privileges to the user ? ¿ Any idea ?
>
>
>
>
>
>
>
>
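
The diagnosis in this thread rests on the engine.log entries ending in "Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION", which Ondra traces to a missing SuperUser permission. The following Python sketch is an added example, not part of the original message or of oVirt: it rejoins log entries that were quoted and hard-wrapped in mail, then groups the login denials by user and reason. The function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three engine.log entries from the thread, kept as the
# archive shows them (quote prefix, hard wraps, '@' rendered as ' at ').
SAMPLE = """\
> 2016-06-20 10:52:22,835 ERROR
>   [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>   (default task-32) [] Correlation ID: null, Call Stack: null, Custom
>   Event ID: -1, Message: User admin at internal failed to log in.
> 2016-06-20 10:52:22,836 WARN
>   [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32)
>   [] CanDoAction of action 'LoginAdminUser' failed for user
>   admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 WARN
>   [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
>   CanDoAction of action 'LoginUser' failed for user admin at internal.
>   Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) WARN\s+\[[\w.]+\].*?CanDoAction of action "
    r"'(?P<action>\w+)' failed for user (?P<user>\S+(?:@| at )\S+?)\. "
    r"Reasons: (?P<reason>.+)$")

def unwrap(text):
    """Strip '>' quote prefixes and rejoin entries split by mail wrapping."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if line and (STAMP.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def denied_logins(text):
    """Group CanDoAction login denials by (user, reason)."""
    out = defaultdict(lambda: {"count": 0, "actions": set(), "first": None, "last": None})
    for m in filter(None, map(DENIED.match, unwrap(text))):
        rec = out[(m["user"].replace(" at ", "@"), m["reason"].strip())]
        rec["count"] += 1
        rec["actions"].add(m["action"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(out)
```

The same functions accept an unwrapped engine.log, since a line that already starts with a timestamp is treated as a new entry.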


