[ovirt-users] admin account constantly gets locked

Martin Perina mperina at redhat.com
Thu Apr 12 11:57:45 UTC 2018


On Thu, Apr 12, 2018 at 1:04 PM, Martin Perina <mperina at redhat.com> wrote:

>
>
> On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <eraviv at redhat.com> wrote:
>
>> The recurring denied access for every SyncNetworkProvider might be
>> because you changed the admin password on the engine but not on the
>> provider.
>>
>> Dominik, will updating to the same password on the provider solve the
>> denied access?
>> Martin, does the engine lock out the admin user for failed retries?
>>
>
> Of course, after 5 incorrect logins the account is locked. But I looked
> at logs and I can't see any login errors, so currently trying to reproduce
> to find out what's going on ...
>

OK, so confirmed. If you change the password for admin at internal using
aaa-jdbc-tool and you don't change it immediately for the OVN provider, then
the admin at internal account is locked.

We should probably change the logic in the OVN provider to shut down the OVN
provider service if an authentication failure to the engine is raised. Doing
this we will break the OVN provider, but it seems to me much less severe than
locking the admin at internal account.
Dominik, what do you think?



>>
>
>>
>>
>> HTH
>>
>>
>> On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel <
>> marcel.kaefer at putzbrunn.de> wrote:
>>
>>> Here are the logfiles…
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> *From:* Eitan Raviv [mailto:eraviv at redhat.com]
>>> *Sent:* Thursday, April 12, 2018 11:12
>>> *To:* Käfer Marcel
>>> *Cc:* users at ovirt.org; Martin Perina
>>> *Subject:* Re: [ovirt-users] admin account constantly gets locked
>>>
>>>
>>>
>>> The sync network command is probably unrelated.
>>>
>>> Can you attach the full engine and the setup logs?
>>>
>>> Martin, this looks a bit like [1]. Any idea?
>>>
>>> Thanks
>>>
>>>
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1410955
>>>
>>>
>>>
>>> On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel <
>>> marcel.kaefer at putzbrunn.de> wrote:
>>>
>>> Hello,
>>>
>>> a few days ago I installed an ovirt-engine 4.2.2.6 following the steps
>>> of the documentation. After the installation I logged in to the admin page,
>>> configured a data domain and changed the admin password. After a few hours I
>>> tried to log in again using the new password and got "Unable to log in
>>> because the user account is disabled or locked. Contact the system
>>> administrator." So I unlocked the admin account from the shell using
>>> "ovirt-aaa-jdbc-tool user unlock admin", which worked fine, and I was able to
>>> continue working till the next login.
>>>
>>> I traced the /var/log/ovirt-engine/engine.log and found this after
>>> unlocking the admin account again.
>>>
>>> 2018-04-12 09:06:19,984+02 INFO  [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Lock Acquired to object 'EngineLock:{exclusiveLocks='[e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'
>>> 2018-04-12 09:06:19,991+02 INFO  [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.
>>> 2018-04-12 09:06:20,102+02 INFO  [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-239) [] locking user: admin due to interval failures
>>> 2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) [] OAuthException access_denied: Cannot authenticate user 'admin at internal': The username or password is incorrect..
>>> 2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Unauthorized and code 5050)
>>> 2018-04-12 09:06:25,050+02 INFO  [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Lock freed to object 'EngineLock:{exclusiveLocks='[e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'
>>>
>>> It seems like the SyncNetworkProviderCommand is somehow locking the
>>> admin account. I already restarted the whole machine but it didn't help.
>>>
>>> Can someone please point me in the right direction, where to find the
>>> error?
>>>
>>> Thanks in advance
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Eitan Raviv
>>> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
>>>
>>
>>
>>
>> --
>> Eitan Raviv
>> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
>>
>
>
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
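
The correlation used in this thread (a "locking user" event falling inside an internal command that then fails with Unauthorized) can be checked mechanically. The following is an added example, not part of the original messages or of oVirt's code; the function names and the 30-second window are assumptions, and the sample is the engine.log excerpt quoted above with the mail wrapping undone.

```python
import re
from datetime import datetime, timedelta

# engine.log excerpt from the thread, unwrapped (addresses as shown in the archive).
SAMPLE = """\
2018-04-12 09:06:19,991+02 INFO  [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.
2018-04-12 09:06:20,102+02 INFO  [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-239) [] locking user: admin due to interval failures
2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) [] OAuthException access_denied: Cannot authenticate user 'admin at internal': The username or password is incorrect..
2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Unauthorized and code 5050)
"""

# timestamp, level, [logger], (thread), [correlation id], message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\S*\s+(\w+)\s+"
                  r"\[([^\]]+)\]\s+\(([^)]*)\)\s+\[([^\]]*)\]\s+(.*)$")

def parse(text):
    """Yield (timestamp, correlation id, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S,%f"), m[5], m[6]

def lockout_suspects(text, window=timedelta(seconds=30)):
    """Return (user, command, correlation id) for each lockout that happened
    while an internal command was running that then failed as Unauthorized."""
    started, failed, locks = {}, {}, []
    for ts, corr, msg in parse(text):
        run = re.match(r"Running command: (\w+)", msg)
        lock = re.match(r"locking user: (\S+)", msg)
        if run and corr:
            started[corr] = (run[1], ts)
        elif corr and "Unauthorized" in msg:
            failed[corr] = ts
        elif lock:
            locks.append((lock[1], ts))
    findings = []
    for user, t_lock in locks:
        for corr, (cmd, t_start) in started.items():
            t_fail = failed.get(corr)
            # Lock must fall between the command's start and its auth failure.
            if t_fail and t_start <= t_lock <= t_fail and t_fail - t_start <= window:
                findings.append((user, cmd, corr))
    return findings

if __name__ == "__main__":
    for user, cmd, corr in lockout_suspects(SAMPLE):
        print(f"user {user!r} locked during {cmd} [{corr}] (Unauthorized)")
```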