[ovirt-users] external users problem

Fri Nov 4 17:22:29 UTC 2016

Sorry for the delay. Did anyone help out on this yet? If not, I can look
now.

Greg

On Mon, Oct 24, 2016 at 8:52 AM, Martin Perina <mperina at redhat.com> wrote:

> Alex/Greg, could you please take a look?
>
> Thanks
>
> Martin
>
>
> On Mon, Oct 24, 2016 at 2:02 PM, Baptiste Agasse <
> baptiste.agasse at lyra-network.com> wrote:
>
>> Hi,
>>
>> ----- Le 24 Oct 16, à 11:25, Martin Perina <mperina at redhat.com> a écrit :
>>
>>
>>
>> On Mon, Oct 24, 2016 at 11:18 AM, Baptiste Agasse <
>> baptiste.agasse at lyra-network.com> wrote:
>>
>>> Hi Ondra,
>>>
>>> ----- Le 24 Oct 16, à 10:36, Ondra Machacek omachace at redhat.com a écrit
>>> :
>>>
>>> > On 10/21/2016 12:00 PM, Baptiste Agasse wrote:
>>> >> Hi all,
>>> >>
>>> >> We use ovirt 4.0.4 with FreeIPA as external provider. The external
>>> provider was
>>> >> configured via the 'ovirt-engine-extension-aaa-ldap-setup' command.
>>> The
>>> >> authentication works fine, but in the webui, when you go on the
>>> 'Active User
>>> >> Sessions', all users uuid is showed as '00000000-0000-0000-0000-00000
>>> 0000000'.
>>> >> Other problem, maybe related, when a user create a VM, by default a
>>> permission
>>> >> is created with the role of 'UserVmManager'. On the 'Permissions'
>>> pane, we see
>>> >> a line with no value for User, Authorization provider, Namespace. The
>>> only
>>> >> value set on this line is the role (UserVmManager in that case). When
>>> we try to
>>> >> remove this line, an exception occurs in the webui that prevent
>>> deletion of
>>> >> this line.
>>> >
>>> > I've never see such issue with FreeIPA. Can you please share what's
>>> > your IPA version?
>>> >
>>> > Can you also please share the log of error which occurs, when you try
>>> > to remove the permission?
>>>
>>> We have multiple ovirt envs, all ovirt version are the same as
>>> described, but FreeIPA servers are in different versions on these envs. We
>>> have one env with FreeIPA on CentOS 6 (ipa-server-3.0.0-42.el6.centos.x86_64)
>>> and the other on FreeIPA on CentOS 7 (ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64).
>>> The both envs have the same problem. On our envs, the role mapping in oVirt
>>> is done on user groups and not on individual users.
>>>
>>> For the permission problem, the problem only occurs when the VM is
>>> created via the user webui. Creating VM with API or admin webui is OK. When
>>> we try to remove the permission, an UI exception occurs and no logs on the
>>> engine.log side. I've attached screenshots and ui.log.
>>>
>>
>> Unfortunately by default UI code is obfuscated, so we cannot find exact
>> issue. Could you please perform following steps and send us new ui.log?
>>
>> 1. Install UI debug packages
>>       yum install ovirt-engine-webadmin-portal-debuginfo
>> ovirt-engine-userportal-debuginfo
>>
>>
>> 2. Restart ovirt-engine
>>       systemctl restart ovirt-engine
>>
>> 3. Reproduce the error and share up-to-date ui.log with use
>>
>> If needed more info about UI logs can be found at
>> http://www.ovirt.org/develop/developer-guide/engine/engine-d
>> ebug-obfuscated-ui/
>>
>>
>> I've reproduced the error, see attached engine.log at VM creation time
>> and the ui.log when trying to remove inconsistent permission.
>>
>> Thanks.
>>
>>
>>
>> Thanks
>>
>> Martin Perina
>> 
>>
>>
>>> >
>>> >>
>>> >> This behavior is verified on all our oVirt environments (oVirt 4.0.4
>>> + FreeIPA)
>>> >>
>>> >> Someone hit the same problem ?
>>> >>
>>> >> Have a nice day.
>>> >>
>>> >> Regards.
>>>
>>> Regards.
>>>
>>> --
>>> Baptiste AGASSE
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>>
>> --
>> Baptiste AGASSE
>>
>
>

-- 
Greg Sheremeta, MBA
Red Hat, Inc.
Sr. Software Engineer
gshereme at redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161104/7e24d77c/attachment-0001.html>