[ovirt-users] admin account constantly gets locked

Dominik Holler dholler at redhat.com
Tue Apr 17 13:24:04 UTC 2018


I created https://bugzilla.redhat.com/1568413 to track the issue.

On Thu, 12 Apr 2018 13:57:45 +0200
Martin Perina <mperina at redhat.com> wrote:

> On Thu, Apr 12, 2018 at 1:04 PM, Martin Perina <mperina at redhat.com>
> wrote:
> 
> >
> >
> > On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <eraviv at redhat.com>
> > wrote: 
> >> The recurring denied access for every SyncNetworkProvider might be
> >> because you changed the admin password on the engine but not on the
> >> provider.
> >>
> >> Dominik, will updating to the same password on the provider solve
> >> the denied access?
> >> Martin, does the engine lock out the admin user for failed retries?
> >>  
> >
> > ​Of course, after 5 incorrect logins the account is locked. But I
> > looked at logs and I can't see any login errors, so currently
> > trying to reproduce to find out what's going on ...
> >  
> 
> ​OK, so confirmed. If you change password for admin at internal using
> aaa-jdbc-tool and you don't change immediately for OVN provider, then
> admin at interal account is locked.
> 
> We should probably change logic in OVN provider to shutdown the OVN
> provider service if authentication failure to engine is raised. Using
> this we will break OVN provider, but
> it seems to me much less severe than locking admin at internal account.
> Dominik, what do you think?
>> 
> 
> > ​
> >
> >  
> >>
> >>
> >> HTH
> >>
> >>
> >> On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel <  
> >> marcel.kaefer at putzbrunn.de> wrote:  
> >>  
> >>> Here are the logfiles…
> >>>
> >>>
> >>>
> >>> Thanks
> >>>
> >>>
> >>>
> >>> *Von:* Eitan Raviv [mailto:eraviv at redhat.com]
> >>> *Gesendet:* Donnerstag, 12. April 2018 11:12
> >>> *An:* Käfer Marcel
> >>> *Cc:* users at ovirt.org; Martin Perina
> >>> *Betreff:* Re: [ovirt-users] admin account constantly gets locked
> >>>
> >>>
> >>>
> >>> The sync network command is probably unrelated.
> >>>
> >>> Can you attach the full engine and the setup logs?
> >>>
> >>> Martin, this looks a bit like [1]. Any idea?
> >>>
> >>> Thanks
> >>>
> >>>
> >>>
> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1410955
> >>>
> >>>
> >>>
> >>> On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel <  
> >>> marcel.kaefer at putzbrunn.de> wrote:  
> >>>
> >>> Hello,
> >>>
> >>> a few days ago I installed an ovirt-engine 4.2.2.6 following the
> >>> steps of the documentation. After the installation I logged in to
> >>> the admin page, configured a datadomain and changed the admin
> >>> password. After a few hours I tried to login again, using the new
> >>> password and got "Unable to log in because the user account is
> >>> disabled or locked. Contact the system administrator." So I
> >>> unlocked the admin account from the shell using
> >>> "ovirt-aaa-jdbc-tool user unlock admin" which worked fine and I
> >>> was able to continue working till the next login.
> >>>
> >>> I traced the /var/log/ovirt-engine/engine.log and found this after
> >>> unlocking the admin account again.
> >>>
> >>> 2018-04-12 09:06:19,984+02 INFO  [org.ovirt.engine.core.bll.pro
> >>> vider.network.SyncNetworkProviderCommand]
> >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42]
> >>> Lock Acquired to object
> >>> 'EngineLock:{exclusiveLocks='[ e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]',
> >>> sharedLocks=''}' 2018-04-12 09:06:19,991+02 INFO
> >>> [org.ovirt.engine.core.bll.pro
> >>> vider.network.SyncNetworkProviderCommand]
> >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42]
> >>> Running command: SyncNetworkProviderCommand internal: true.
> >>> 2018-04-12 09:06:20,102+02 INFO
> >>> [org.ovirt.engine.extension.aaa.jdbc.core.Authentication]
> >>> (default task-239) [] locking user: admin due to interval
> >>> failures 2018-04-12 09:06:25,046+02 ERROR
> >>> [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) []
> >>> OAuthException access_denied: Cannot authenticate user
> >>> 'admin at internal': The username or password is incorrect..
> >>> 2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.pro
> >>> vider.network.SyncNetworkProviderCommand]
> >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42]
> >>> Command 'org.ovirt.engine.core.bll.pro
> >>> vider.network.SyncNetworkProviderCommand' failed:
> >>> EngineException: (Failed with error Unauthorized and code 5050)
> >>> 2018-04-12 09:06:25,050+02 INFO  [org.ovirt.engine.core.bll.pro
> >>> vider.network.SyncNetworkProviderCommand]
> >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42]
> >>> Lock freed to object
> >>> 'EngineLock:{exclusiveLocks='[ e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]',
> >>> sharedLocks=''}'
> >>>
> >>> It seems like the SyncNetworkProviderCommand is somehow locking
> >>> the admin account. I already restarted the whole machine but it
> >>> didn't help.
> >>>
> >>> Can someone please point me in the right direction, where to find
> >>> the error?
> >>>
> >>> Thanks in advance
> >>>
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at ovirt.org
> >>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> Eitan Raviv
> >>> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
> >>>  
> >>
> >>
> >>
> >> --
> >> Eitan Raviv
> >> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
> >>  
> >
> >
> >
> > --
> > Martin Perina
> > Associate Manager, Software Engineering
> > Red Hat Czech s.r.o.
> >  
> 
> 
> 



More information about the Users mailing list