[ovirt-users] User admin at internal can't login in oVirt 3.6

Julián Tete danteconrad14 at gmail.com
Wed Jun 22 16:37:36 UTC 2016


Thanks again :)

2016-06-22 11:14 GMT-05:00 Ondra Machacek <omachace at redhat.com>:

> On 06/22/2016 05:21 PM, Julián Tete wrote:
>
>> S-O-L-V-E-D!!!
>>
>> You are a Wizard Ondra Machacek!!!
>>
>> Thank you very much!!! As Apache says: "It works"
>>
>
> Great! You are welcome
>
>
>> I have a question for you
>>
>> In the command
>>
>> su - postgres -c "psql -t engine -c \"insert into permissions values
>> ('0000001b-001b-001b-001b-00000000029f',
>> '00000000-0000-0000-0000-000000000001',
>> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
>> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>> What's the meaning of:
>>
>> 0000001b-001b-001b-001b-00000000029f
>>
>
> This one is the id of the permission. It's auto-generated.
>
>
>> 00000000-0000-0000-0000-000000000001
>>
>
> This one is the id of the role. This is the id of SuperUser, as you can see by running:
>
>  select * from roles;
>
>
>> aaa00000-0000-0000-0000-123456789aaa
>>
>
> This one is the object id; in this case it's the id of the system.
>
>
>> 1
>>
>
> This one represents the object type; it is a number that represents some
> object, for example 1 represents the
> system object, number 2 represents Vm, number 3 Host... etc.
>
>
>> ¿?
>>
>> Thanks again
>>
>>
>> 2016-06-22 5:22 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>     On 06/21/2016 09:18 PM, Julián Tete wrote:
>>
>>         Roger Ondra!
>>
>>         1) su - postgres -c "psql -t engine -c \"delete from users where
>>         user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>>
>>         Output:
>>
>>         DELETE 1
>>
>>         2) su - postgres -c "psql -t engine -c \"UPDATE users set
>>         domain='internal-authz'  where
>>         user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>>         Output:
>>
>>         ERROR:  duplicate key value violates unique constraint
>>         "users_domain_external_id_unique"
>>         DETAIL:  Key (domain, external_id)=(internal-authz,
>>         fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
>>
>>
>>     OK, this is really strange, because this shouldn't be printed as you
>>     removed all constraints in step 1).
>>
>>     So, can you please first stop ovirt-engine, before running steps
>>     above? So the steps now
>>     would be:
>>
>>      1) service ovirt-engine stop
>>
>>      2) remove admin at internal-authz
>>     (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note id
>>     changed, from last time) If there are more admin users with domain
>>     internal-authz, please
>>     remove them all.
>>           $ su - postgres -c "psql -t engine -c \"delete from users
>>     where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""
>>
>>      3) rename admin at internal to admin at internal-authz
>>           $ su - postgres -c "psql -t engine -c \"UPDATE users set
>>     domain='internal-authz'  where
>>     user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>>       4) service ovirt-engine start
>>
>>
>>         3) systemctl restart ovirt-engine.service
>>
>>         No login yet :(
>>
>>         Look at this:
>>
>>         ovirt-aaa-jdbc-tool user show admin
>>
>>         Output:
>>         -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>>         Namespace: *
>>         Name: admin
>>         ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>>         Display Name:
>>         Email:
>>         First Name: admin
>>         Last Name:
>>         Department:
>>         Title:
>>         Description:
>>         Account Disabled: false
>>         Account Unlocked At: 1970-01-01 00:00:00Z
>>         Account Valid From: 2015-10-01 00:00:00Z
>>         Account Valid To: 2100-01-01 00:00:00Z
>>         Account Without Password: false
>>         Last successful Login At: 2016-06-21 19:15:59Z
>>         Last unsuccessful Login At: 2016-06-20 17:33:24Z
>>         Password Valid To: 2100-01-01 00:00:00Z
>>
>>         su - postgres -c "psql -t engine -c \"select * from users;\""
>>
>>         Output:
>>
>>          fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               |
>>         internal             | admin    |            |
>>         |      | t                       |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc
>>         | 2015-09-19 21:38:44.838161-
>>         05 | 2016-06-18 20:42:18.883738-05 | *
>>          16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator |
>>         udistritaloas.edu.co | admin
>>         |            |                         |      | f
>>         | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
>> 11:53:39.249812-
>>         05 | 2016-06-19 12:24:41.590162-05 | *
>>          c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          |
>>         internal-authz       | julian   |            |
>>         danteconrad14 at gmail.com |      | f
>>    |
>>         1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-
>>         05 | 2016-06-20 11:23:19.261686-05 | *
>>          c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin  |               |
>>         internal-authz       | admin    |            |
>>         |      | f                       |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc
>>         | 2016-06-21 13:54:07.765767-
>>         05 | 2016-06-21 14:15:59.352697-05 | *
>>
>>
>>         su - postgres -c "psql -t engine -c \"select * from
>> permissions;\""
>>
>>         Output:
>>
>>          00000004-0004-0004-0004-00000000025e |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000000-0000-0000-0000-000000000000 |              4 |
>>         1447535033
>>          0000000f-000f-000f-000f-000000000293 |
>>         def0000a-0000-0000-0000-def000000010 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         0000000e-000e-000e-000e-0000000002d6 |             27 |
>>         1447535033
>>          00000003-0003-0003-0003-00000000009c |
>>         00000000-0000-0000-0000-000000000001 |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>>         1447535033
>>          00000006-0006-0006-0006-0000000000e3 |
>>         00000000-0000-0000-0001-000000000002 |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>>         1447535033
>>          00000011-0011-0011-0011-0000000002a9 |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000010-0010-0010-0010-0000000001d1 |              4 |
>>         1447535033
>>          00000013-0013-0013-0013-00000000031e |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000012-0012-0012-0012-0000000001c6 |              4 |
>>         1447535033
>>          00000015-0015-0015-0015-0000000003b8 |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000014-0014-0014-0014-0000000002fd |              4 |
>>         1447535033
>>          00000017-0017-0017-0017-000000000388 |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000016-0016-0016-0016-0000000002b0 |              4 |
>>         1447535033
>>          00000019-0019-0019-0019-0000000003d5 |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         00000018-0018-0018-0018-000000000314 |              4 |
>>         1447535033
>>          00000027-0027-0027-0027-00000000027e |
>>         def00021-0000-0000-0000-def000000015 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         aaa00000-0000-0000-0000-123456789aaa |              1 |
>>         1447535037
>>          7a3917ea-b2df-444f-938c-f768feeaee04 |
>>         def00009-0000-0000-0000-def000000009 |
>>         eee00000-0000-0000-0000-123456789eee |
>>         8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>>         1457665842
>>          e8abc833-b860-451c-b580-780c7d1049d4 |
>>         def0000a-0000-0000-0000-def00000000f |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>>         8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>>         1457665842
>>          c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>>         def0000a-0000-0000-0000-def00000000b |
>>         fdfc627c-d875-11e0-90f0-83df133b58cc |
>>         9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
>>         1463161875
>>
>>
>>
>>
>>         2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>>             On 06/21/2016 04:54 PM, Julián Tete wrote:
>>
>>                 That's right I remove internal properties :/
>>
>>                 This is the output of the commands:
>>
>>                 /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>>         --command=add
>>                 --user-name=admin --authz-name=internal-authz
>>         --role=SuperUser
>>
>>                 Output:
>>
>>                 FATAL: Please specify provider namespace
>>
>>
>>             You don't have to run it, I've just sent it for future
>>         reference :)
>>             But if you for example want to add SuperUser permissions to
>> user
>>             'julian', you can run:
>>
>>               /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>> --command=add
>>             --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
>>             --role=SuperUser --user-name=julian
>> --authz-name=internal-authz
>>             --principal-namespace=*
>>
>>             And you don't need admin at internal-authz user.
>>
>>
>>                 su - postgres -c "psql -t engine -c \"select * from
>>         users;\""
>>
>>                 Output:
>>
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |
>>              |
>>                 internal             | admin    |            |
>>                 |      | t                       |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc
>>                 | 2015-09-19 21:38:44.838161-
>>                 05 | 2016-06-18 20:42:18.883738-05 | *
>>                  16f666bb-b4c8-44c9-8264-30c3aff63a6e |        |
>>         Administrator |
>>                 udistritaloas.edu.co | admin
>>                 |            |                         |      | f
>>                 | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
>>         11:53:39.249812-
>>                 05 | 2016-06-19 12:24:41.590162-05 | *
>>                  c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete
>>               |
>>                 internal-authz       | julian   |            |
>>                 danteconrad14 at gmail.com |      | f
>>            |
>>                 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20
>>         11:22:56.483292-
>>                 05 | 2016-06-20 11:23:19.261686-05 | *
>>                  7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |
>>                |
>>                 internal-authz       | admin    |            |
>>                 |      | f                       |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc
>>                 | 2016-06-19 11:43:51.644981-
>>                 05 | 2016-06-20 16:06:49.138862-05 | *
>>
>>                 su - postgres -c "psql -t engine -c \"select * from
>>         permissions;\""
>>
>>
>>             Ok, according to current status I would suggest you to:
>>
>>              1) remove admin at internal-authz
>>         (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
>>                   $ su - postgres -c "psql -t engine -c \"delete from
>> users
>>             where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>>
>>               2) rename admin at internal to admin at internal-authz
>>                   $ su - postgres -c "psql -t engine -c \"UPDATE users set
>>             domain='internal-authz'  where
>>             user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>>             Then restart ovirt-engine and try to login.
>>
>>             The problem here is that it tries to login with admin user
>> which
>>             doesn't have any permissions, and
>>             you have two admin users, because you have removed
>>             internal-*properties files, so it added
>>             another one.
>>
>>
>>                 Output:
>>
>>
>>                  00000004-0004-0004-0004-00000000025e |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000000-0000-0000-0000-000000000000 |              4 |
>>                 1447535033
>>                  0000000f-000f-000f-000f-000000000293 |
>>                 def0000a-0000-0000-0000-def000000010 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 0000000e-000e-000e-000e-0000000002d6 |             27 |
>>                 1447535033
>>                  00000003-0003-0003-0003-00000000009c |
>>                 00000000-0000-0000-0000-000000000001 |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>>                 1447535033
>>                  00000006-0006-0006-0006-0000000000e3 |
>>                 00000000-0000-0000-0001-000000000002 |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>>                 1447535033
>>                  00000011-0011-0011-0011-0000000002a9 |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000010-0010-0010-0010-0000000001d1 |              4 |
>>                 1447535033
>>                  00000013-0013-0013-0013-00000000031e |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000012-0012-0012-0012-0000000001c6 |              4 |
>>                 1447535033
>>                  00000015-0015-0015-0015-0000000003b8 |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000014-0014-0014-0014-0000000002fd |              4 |
>>                 1447535033
>>                  00000017-0017-0017-0017-000000000388 |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000016-0016-0016-0016-0000000002b0 |              4 |
>>                 1447535033
>>                  00000019-0019-0019-0019-0000000003d5 |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 00000018-0018-0018-0018-000000000314 |              4 |
>>                 1447535033
>>                  00000027-0027-0027-0027-00000000027e |
>>                 def00021-0000-0000-0000-def000000015 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 aaa00000-0000-0000-0000-123456789aaa |              1 |
>>                 1447535037
>>                  7a3917ea-b2df-444f-938c-f768feeaee04 |
>>                 def00009-0000-0000-0000-def000000009 |
>>                 eee00000-0000-0000-0000-123456789eee |
>>                 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>>                 1457665842
>>                  e8abc833-b860-451c-b580-780c7d1049d4 |
>>                 def0000a-0000-0000-0000-def00000000f |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>>                 8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
>>                 1457665842
>>                  c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>>                 def0000a-0000-0000-0000-def00000000b |
>>                 fdfc627c-d875-11e0-90f0-83df133b58cc |
>>                 9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
>>                 1463161875
>>
>>
>>                 2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>>                     On 06/20/2016 08:33 PM, Julián Tete wrote:
>>
>>                         Thanks Ondra :)
>>
>>                         With the command:
>>
>>                         su - postgres -c "psql -t engine -c \"insert into
>>                 permissions values
>>                         ('0000001b-001b-001b-001b-00000000029f',
>>                         '00000000-0000-0000-0000-000000000001',
>>                         'fdfc627c-d875-11e0-90f0-83df133b58cc',
>>                         'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>>
>>                     I've just remembered that there is a bash script for
>> it:
>>
>>                      /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>>
>>                     You can use it as follows:
>>
>>                      /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>>         --command=add
>>                     --user-name=admin --authz-name=internal-authz
>>         --role=SuperUser
>>
>>                     But, as per your output above, obviously your
>>         problem is not
>>                 missing
>>                     permissions.
>>                     I think the problem is that you removed
>>         internal*.properties
>>                 files
>>                     and then re-added them.
>>                     Can you please send output of users table and
>>         permissions
>>                 table. Thanks.
>>
>>                      su - postgres -c "psql -t engine -c \"select * from
>>         users;\""
>>                      su - postgres -c "psql -t engine -c \"select * from
>>                 permissions;\""
>>
>>                         I get:
>>
>>                         ERROR:  duplicate key value violates unique
>>         constraint
>>                         "idx_combined_ad_role_object"
>>                         DETAIL:  Key (ad_element_id, role_id,
>>                         object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
>>                         00000000-0000-0000-0000-000000000001,
>>                         aaa00000-0000-0000-0000-123456789aaa) already
>>         exists.
>>
>>                         History
>>
>>                           261  yum install ovirt-engine-extension-aaa-ldap
>>                           262  cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>>                         /etc/ovirt-engine/
>>                           263  cd /etc/ovirt-engine/
>>                           264  ll
>>                           265  vim profile1.properties
>>                           266  ll
>>                           267  cd cp
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>>                         /etc/ovirt-engine/extensions.d/
>>                           268  cd cp
>>                 /usr/share/ovirt-engine-extension-aaa-ldap/examples/
>>                           269  cd
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>>                           270  ll
>>                           271  cp
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>>                         /etc/ovirt-engine/extensions.d/
>>                           272  cd /etc/ovirt-engine/extensions.d/
>>                           273  ll
>>                           274  find / -type f -iname profile1.properties
>>                           275  cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>>                         /etc/ovirt-engine/aaa/
>>                           276  find / -type f -iname profile1.properties
>>                           277  vim
>> /etc/ovirt-engine/aaa/profile1.properties
>>                           278  chown ovirt:ovirt
>>                 /etc/ovirt-engine/aaa/profile1.properties
>>                           279  chmod 600
>>         /etc/ovirt-engine/aaa/profile1.properties
>>                           280  systemctl restart ovirt-engine
>>                           281  vim
>>                 /etc/ovirt-engine/extensions.d/profile1-authn.properties
>>                           282  cd /usr/share/
>>                           283  ls
>>                           284  cd ovirt-engine-aaa-ldap
>>                           285  ls
>>                           286  cd ovirt-engine-extension-aaa-ldap/
>>                           287  ls
>>                           288  cd examples/
>>                           289  ls
>>                           290  cd ad
>>                           291  ls
>>                           292  cd extensions.d/
>>                           293  ls
>>                           294  vim profile1-authn.properties
>>                           295  pwd
>>                           296  cd ..
>>                           297  pwd
>>                           298  cd ..
>>                           299  ls
>>                           300  cd simple
>>                           301  ls
>>                           302  cd aaa/
>>                           303  ls
>>                           304  vim profile1.properties
>>                           305  pwd
>>                           306  rm -rf
>>         /etc/ovirt-engine/aaa/profile1.properties
>>                           307  cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
>>                         /etc/ovirt-engine/aaa/
>>                           308  vim
>> /etc/ovirt-engine/aaa/profile1.properties
>>                           309  history
>>                           310  chown ovirt:ovirt
>>                 /etc/ovirt-engine/aaa/profile1.properties
>>                           311  chmod 600
>>         /etc/ovirt-engine/aaa/profile1.properties
>>                           312  systemctl restart ovirt-engine
>>                           313  updatedb
>>                           314  locate domain1-authn.properties
>>                           315  history
>>                           316  cd
>>
>>
>>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
>>                           317  ll
>>                           318  cd
>>
>>         /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
>>                           319  ls
>>                           320  cd extensions.d/
>>                           321  ls
>>                           322  pwd
>>                           323  cd /etc/ovirt-engine/extensions.d/
>>                           324  ls
>>                           325  cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>>                         /etc/ovirt-engine/extensions.d/
>>                           326   cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>>                         /etc/ovirt-engine/extensions.d/
>>                           327  rm -rf
>>
>>         /etc/ovirt-engine/extensions.d/profile1-authn.properties
>>                           328  rm -rf
>>
>>         /etc/ovirt-engine/extensions.d/profile1-authz.properties
>>                           329   cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>>                         /etc/ovirt-engine/extensions.d/
>>                           330  ll
>>                           331  history
>>                           332  chown ovirt:ovirt
>>         /etc/ovirt-engine/extensions.d/*
>>                           333  chmod 600 /etc/ovirt-engine/extensions.d/*
>>                           334  ll
>>                           335  cd extensions.d/
>>                           336  ll
>>                           337  cd
>>                           338  engine-config -s SASL_QOP=auth
>>                           339  systemctl restart ovirt-engine
>>                           340  engine-manage-domains add
>>                         --domain=udistritaloas.edu.co --provider=ipa
>>                         --user=admin
>>                         --ldap-servers=freeipa.udistritaloas.edu.co
>>                           341  systemctl restart ovirt-engine
>>                           342  engine-manage-domains list
>>                           343  history
>>                           344  cd /etc/ovirt-engine/extensions.d/
>>                           345  ll
>>                           346  rm -rf internal-authn.properties
>>                           347  rm -rf internal-authz.properties
>>                           348  rm -rf profile1-authn.properties
>>                           349  rm -rf profile1-authz.properties
>>                           350  history
>>                           351  cd /etc/ovirt-engine/aaa/
>>                           352  ll
>>                           353  rm -rf profile1.properties
>>                           354  vim internal.properties
>>                           355  systemctl restart ovirt-engine
>>                           356  ovirt-aaa-jdbc-tool user edit admin
>>                         --account-valid-to="2100-01-01 00:00:00Z"
>>                           357  ovirt-aaa-jdbc-tool user password-reset
>> admin
>>                         --password-valid-to="2100-01-01 00:00:00Z"
>>                           358  engine-config -s AdminPassword=interactive
>>                           359  ovirt-aaa-jdbc-tool user password-reset
>> admin
>>                         --password-valid-to="2100-01-01 00:00:00Z"
>>                           360  systemctl restart ovirt-engine
>>                           361  exit
>>                           362  cd /etc/ovirt-engine/aaa/
>>                           363  ll
>>                           364  vim internal.properties
>>                           365  /etc/ovirt-engine/extensions.d/
>>                           366  cd /etc/ovirt-engine/extensions.d/
>>                           367  ll
>>                           368  cd extensions.d/
>>                           369  ll
>>                           370  pwd
>>                           371  ll
>>                           372  cd ..
>>                           373  ll
>>                           374  cd ..
>>                           375  ll
>>                           376  cd /etc/ovirt-engine/extensions.d/
>>                           377  ll
>>                           378  cd extensions.d/
>>                           379  ll
>>                           380  pwd
>>                           381  ll
>>                           382  cd ..
>>                           383  ll
>>                           384  systemctl restart ovirt-engine.service
>>                           385  ovirt-aaa-jdbc-tool user edit admin
>>                         --account-valid-to="2100-01-01 00:00:00Z"
>>                           386  ovirt-aaa-jdbc-tool user password-reset
>> admin
>>                         --password-valid-to="2100-01-01 00:00:00Z"
>>                           387  systemctl restart ovirt-engine.service
>>                           388  ovirt-aaa-jdbc-tool user password-reset
>>                 admin at internal
>>                         --password-valid-to="2100-01-01 00:00:00Z"
>>                           389  yum install -y
>>         ovirt-engine-extension-aaa-jdbc
>>                           390  engine-setup
>>                           391  ovirt-aaa-jdbc-tool user show admin
>>                           392  ovirt-aaa-jdbc-tool settings show
>>                           393  cd /var/log
>>                           394  ll
>>                           395  cd ovirt-engine
>>                           396  ll
>>                           397  tail -f n 100 ui.log
>>                           398  ll
>>                           399  tail -f -n engine.log
>>                           400  tail -f -n 1000 engine.log
>>                           401  tail -n 5000 engine.log | grep
>> admin at internal
>>                           402  ovirt-aaa-jdbc-tool user show admin
>>                           403  ovirt-aaa-jdbc-tool user show
>> admin at internal
>>                           404  ovirt-aaa-jdbc-tool query --what=user
>>                           405  engine-config -s AdminPassword=interactive
>>                           406  vim
>>                 /etc/ovirt-engine/extension.d/internal-authn.properties
>>                           407  vim
>>                 /etc/ovirt-engine/extensions.d/internal-authn.properties
>>                           408  cd /etc/ovirt-engine/extensions.d/
>>                           409  ll
>>                           410  vim
>> /etc/ovirt-engine/aaa/internal.properties
>>                           411  cd /etc/ovirt-engine/aaa/
>>                           412  ll
>>                           413  vim internal.properties
>>                           414  pwd
>>                           415  ovirt-aaa-jdbc-tool user add julian
>>                         --attribute=firstName=Julian
>>          --attribute=lastName=Tete
>>                         --attribute=email=danteconrad14 at gmail.com
>>                           416  ovirt-aaa-jdbc-tool user password-reset
>>         julian
>>                         --password-valid-to="2025-08-15 10:30:00Z"
>>                           417  history
>>                           418  tail -n 5000 engine.log | grep admin at internal
>>                           419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
>>                           420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
>>                           421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
>>                           422  systemctl restart ovirt-engine.service
>>                           423  history
>>                           424  ovirt-aaa-jdbc-tool query --what=user
>>                           425  updatedb
>>                           426  locate internal
>>                           427  yum install -y ovirt-engine-cli
>>                           428  cd /opt
>>                           429  cd /opt/
>>
>>
>>
>>                         2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>>
>>                             On 06/20/2016 06:36 PM, Julián Tete wrote:
>>
>>                                 oVirt: 3.6.2
>>
>>                                 Trying to use:
>>
>>                                 https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>>                                 First use:
>>
>>                                 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>>
>>
>>                                 The domain was added, but I can't access the webadmin portal :/
>>
>>                                 I get the message:
>>
>>                                 "User is not authorized to perform this action."
>>
>>                                 In ovirt-cli
>>
>>                                 [401] - Unauthorized
>>
>>                                 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin at internal
>>
>>                                 2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>                                 2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>                                 2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>                                 2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>                                 2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin at internal failed to log in.
>>                                 2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>>
>>                             I am a little bit lost about what your steps were to get into this
>>                             state, but it looks like your admin at internal user had its SuperUser
>>                             permissions removed. I am really not sure how you could achieve that,
>>                             but to fix it please run the following command:
>>
>>                              $ su - postgres -c "psql -t engine -c \"insert into permissions values
>>                             ('0000001b-001b-001b-001b-00000000029f',
>>                             '00000000-0000-0000-0000-000000000001',
>>                             'fdfc627c-d875-11e0-90f0-83df133b58cc',
>>                             'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>>                             This command will give your admin at internal user SuperUser
>>                             permissions on the system.
>>
>>                             Can you please describe what you have done a bit more, so we can
>>                             understand the problem?
>>
>>                             Thanks.
>>
>>
>>                                 Properties of Internal domain:
>>
>>                                 cat /etc/ovirt-engine/aaa/internal.properties
>>
>>                                 ovirt.engine.extension.name = internal-authn
>>                                 ovirt.engine.extension.bindings.method = jbossmodule
>>                                 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>>                                 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>>                                 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>                                 ovirt.engine.aaa.authn.profile.name = internal
>>                                 ovirt.engine.aaa.authn.authz.plugin = internal-authz
>>                                 config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>>                                 cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>>
>>                                 ovirt.engine.extension.name = internal-authn
>>                                 ovirt.engine.extension.bindings.method = jbossmodule
>>                                 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>>                                 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>>                                 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>                                 ovirt.engine.aaa.authn.profile.name = internal
>>                                 ovirt.engine.aaa.authn.authz.plugin = internal-authz
>>                                 config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>>                                 cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>>
>>                                 ovirt.engine.extension.name
>
>
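
The engine.log lines quoted in the thread pair each "failed to log in" audit entry with a WARN line carrying the reason code. As an added example (not part of the thread and not oVirt code), this parser pulls those WARN lines out of a log and counts, per user, the rejections carrying USER_NOT_AUTHORIZED_TO_PERFORM_ACTION, the reason the thread traces to missing SuperUser permissions. The sample log is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# WARN line written when a login command is rejected. The principal appears as
# "admin@internal" in a real log and as "admin at internal" in list archives.
LOGIN_REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+"
    r"\[org\.ovirt\.engine\.core\.bll\.aaa\.Login\w*Command\].*?"
    r"CanDoAction of action '(?P<action>\w+)' failed for user "
    r"(?P<user>\S+?(?:@| at )\S+?)\. Reasons: (?P<reasons>[A-Z_,\s]+)$"
)
AUTHZ_REASON = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"  # reason code from the thread

# Constructed sample modelled on the lines quoted in the thread. The last line
# uses a placeholder reason, not a real oVirt code.
SAMPLE_LOG = """\
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin at internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:02:10,101 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-5) [] CanDoAction of action 'LoginUser' failed for user julian@internal. Reasons: PLACEHOLDER_OTHER_REASON
"""


def parse_login_rejections(text):
    """Return one dict per rejected login command found in engine.log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_REJECT.match(line.strip())
        if m is None:
            continue  # audit ERROR lines and unrelated entries are skipped
        events.append({
            "ts": m.group("ts"),
            "action": m.group("action"),
            "user": m.group("user").replace(" at ", "@"),  # undo archive rewriting
            "reasons": [r.strip() for r in m.group("reasons").split(",") if r.strip()],
        })
    return events


def permission_failures(events):
    """Count, per user, the rejections whose reason is the authorization code."""
    return Counter(e["user"] for e in events if AUTHZ_REASON in e["reasons"])


if __name__ == "__main__":
    for user, n in permission_failures(parse_login_rejections(SAMPLE_LOG)).items():
        print(f"{user}: {n} login(s) rejected with {AUTHZ_REASON}")
```
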