[ovirt-users] external users problem

Baptiste Agasse baptiste.agasse at lyra-network.com
Mon Oct 24 12:02:30 UTC 2016


----- Le 24 Oct 16, à 11:25, Martin Perina <mperina at redhat.com> a écrit : 

> On Mon, Oct 24, 2016 at 11:18 AM, Baptiste Agasse <
> baptiste.agasse at lyra-network.com > wrote:

>> Hi Ondra,

>> ----- Le 24 Oct 16, à 10:36, Ondra Machacek omachace at redhat.com a écrit :

>> > On 10/21/2016 12:00 PM, Baptiste Agasse wrote:
>> >> Hi all,

>> >> We use ovirt 4.0.4 with FreeIPA as external provider. The external provider was
>> >> configured via the 'ovirt-engine-extension-aaa-ldap-setup' command. The
>> >> authentication works fine, but in the webui, when you go on the 'Active User
>> >> Sessions', all users uuid is showed as '00000000-0000-0000-0000-000000000000'.
>> >> Other problem, maybe related, when a user create a VM, by default a permission
>> >> is created with the role of 'UserVmManager'. On the 'Permissions' pane, we see
>> >> a line with no value for User, Authorization provider, Namespace. The only
>> >> value set on this line is the role (UserVmManager in that case). When we try to
>> >> remove this line, an exception occurs in the webui that prevent deletion of
>> >> this line.

>> > I've never see such issue with FreeIPA. Can you please share what's
>> > your IPA version?

>> > Can you also please share the log of error which occurs, when you try
>> > to remove the permission?

>> We have multiple ovirt envs, all ovirt version are the same as described, but
>> FreeIPA servers are in different versions on these envs. We have one env with
>> FreeIPA on CentOS 6 (ipa-server-3.0.0-42.el6.centos.x86_64) and the other on
>> FreeIPA on CentOS 7 (ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64). The both
>> envs have the same problem. On our envs, the role mapping in oVirt is done on
>> user groups and not on individual users.

>> For the permission problem, the problem only occurs when the VM is created via
>> the user webui. Creating VM with API or admin webui is OK. When we try to
>> remove the permission, an UI exception occurs and no logs on the engine.log
>> side. I've attached screenshots and ui.log.

> ​Unfortunately by default UI code is obfuscated, so we cannot find exact issue.
> Could you please perform following steps and send us new ui.log?

> 1. Install UI debug packages
> yum install ovirt-engine-webadmin-portal-debuginfo
> ovirt-engine-userportal-debuginfo​

> ​2. Restart ovirt-engine
> systemctl restart ovirt-engine

> 3. Reproduce the error and share up-to-date ui.log with use

> If needed more info about UI logs can be found at
> http://www.ovirt.org/develop/developer-guide/engine/engine-debug-obfuscated-ui/

I've reproduced the error, see attached engine.log at VM creation time and the ui.log when trying to remove inconsistent permission. 


> Thanks

> Martin Perina

>> >> This behavior is verified on all our oVirt environments (oVirt 4.0.4 + FreeIPA)

>> >> Someone hit the same problem ?

>> >> Have a nice day.

>> >> Regards.

>> Regards.

>> --
>> Baptiste AGASSE

>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users

Baptiste AGASSE 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161024/f45b38be/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: engine.log
Type: text/x-log
Size: 16063 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161024/f45b38be/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ui.log
Type: text/x-log
Size: 5540 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161024/f45b38be/attachment-0003.bin>

More information about the Users mailing list