[ovirt-users] Re: Unable to login after upgrade

2018-05-31 Thread Michael Watters 

On 05/31/2018 06:43 AM, Ondra Machacek wrote:
> That's very strange, can you please share the upgrade log if you still
> have it?
>
Here's a copy of the upgrade log.  The file is pretty large.

https://paste.fedoraproject.org/paste/I3WapJfAnzk81gEgKeeIDg/

> Also can you please share the output of:
>
> $ select * from users;

Users table looks like this.

https://paste.fedoraproject.org/paste/1634vd5v75YOOOL7X96tzg/

Despite having two different "admin" accounts I can log in now.

>
> and
>
> $ select * from permissions;

https://paste.fedoraproject.org/paste/p9Bl2elvFDOn~Qgzm5J3eA

>
> and also please share content of:
>
>  /etc/ovirt-engine/extensions.d/internal-authn.properties
https://paste.fedoraproject.org/paste/hePCFb1ufc0NMlelTLyX-g/

>  /etc/ovirt-engine/extensions.d/internal-auth.properties
>  /etc/ovirt-engine/aaa/internal.properties

These files do not exist.  There is an internal-authz.properties file
which looks like this.

https://paste.fedoraproject.org/paste/gyhOj0FQvO~R5lFd4-5Z0Q/

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DUR4UQSJYMIO6MOPRJ4IXWUZZFNTXPF5/

[ovirt-users] Re: Unable to login after upgrade

2018-05-31 Thread Ondra Machacek 
That's very strange, can you please share the upgrade log if you still 
have it?


Also can you please share the output of:

$ select * from users;

and

$ select * from permissions;

and also please share content of:

 /etc/ovirt-engine/extensions.d/internal-authn.properties
 /etc/ovirt-engine/extensions.d/internal-auth.properties
 /etc/ovirt-engine/aaa/internal.properties

On 05/30/2018 06:12 PM, Michael Watters wrote:
It looks like the issue was caused by a new admin account being created 
in the internal-authz domain.  Here is what the engine logs show.


2018-05-30 11:15:21,893-04 INFO 
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) 
[] User admin@internal successfully logged in with scopes: 
ovirt-app-admin ovirt-app-api ovirt-app-portal 
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access


2018-05-30 11:15:22,175-04 INFO 
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default 
task-11) [77362b19] Running command: CreateUserSessionCommand internal: 
false.


2018-05-30 11:15:22,252-04 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User 
admin@internal-authz connecting from '10.209.44.27' failed to log 
in.


2018-05-30 11:15:22,253-04 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default 
task-11) [] The user admin@internal is not authorized to perform login


I was able to login after updating the permissions table to use the new 
user ID as follows.


update permissions set ad_element_id = (select user_id from users where 
domain = 'internal-authz' and username = 'admin') where ad_element_id = 
(select user_id from users where domain = 'internal' and username = 
'admin') ;


Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when 
querying the admin account.  For example:


[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z

Is there a way to resolve this conflict?  Where does the 
admin@internal-authz account come from?  I tried renaming the account 
but it is recreated every time that the engine is restarted.



On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was 
overwritten?


Alex

On Tue, May 29, 2018, 20:32 Michael Watters > wrote:


I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
release and the admin account is no longer able to login. After
entering the user name and password I receive a message that
states "The
user admin@internal is not authorized to perform login".

Is there a way to resolve this?  Resetting the password did not work.
___
Users mailing list -- users@ovirt.org 
To unsubscribe send an email to users-le...@ovirt.org

Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DT7ERVLLGIYEE2WM6UTPR37CMSZRCCYY/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IGJ4WW434U7BVIMRPCK3DEMF34RMISEN/

[ovirt-users] Re: Unable to login after upgrade

2018-05-30 Thread Michael Watters 
It looks like the issue was caused by a new admin account being created
in the internal-authz domain.  Here is what the engine logs show.

2018-05-30 11:15:21,893-04 INFO 
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9)
[] User admin@internal successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access

2018-05-30 11:15:22,175-04 INFO 
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
task-11) [77362b19] Running command: CreateUserSessionCommand internal:
false.

2018-05-30 11:15:22,252-04 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
admin@internal-authz connecting from '10.209.44.27' failed to log
in.

2018-05-30 11:15:22,253-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-11) [] The user admin@internal is not authorized to perform login

I was able to login after updating the permissions table to use the new
user ID as follows.

update permissions set ad_element_id = (select user_id from users where
domain = 'internal-authz' and username = 'admin') where ad_element_id =
(select user_id from users where domain = 'internal' and username =
'admin') ;

Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when
querying the admin account.  For example:

[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z

Is there a way to resolve this conflict?  Where does the
admin@internal-authz account come from?  I tried renaming the account
but it is recreated every time that the engine is restarted.


On 05/29/2018 04:31 PM, Alex K wrote:
> Are you using engine IP to login? Perhaps the sso default file was
> overwritten?
>
> Alex
>
> On Tue, May 29, 2018, 20:32 Michael Watters  > wrote:
>
> I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
> release and the admin account is no longer able to login.  After
> entering the user name and password I receive a message that
> states "The
> user admin@internal is not authorized to perform login".
>
> Is there a way to resolve this?  Resetting the password did not work.
> ___
> Users mailing list -- users@ovirt.org 
> To unsubscribe send an email to users-le...@ovirt.org
> 
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/
>

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DT7ERVLLGIYEE2WM6UTPR37CMSZRCCYY/

[ovirt-users] Re: Unable to login after upgrade

2018-05-30 Thread Michael Watters 
I'm accessing the server using the host name which I've placed into
/etc/hosts on both my workstation and the engine itself.  The VM was
built using a backup copy of our production engine data which means the
host name matches what is used on the live server.  Permissions also
apppear to be correct, I've checked the permissions table in postgresql
and everything is fine there.  The admin user does have access to the
SuperUser role.


On 05/29/2018 04:31 PM, Alex K wrote:
> Are you using engine IP to login? Perhaps the sso default file was
> overwritten?
>
> Alex
>
> On Tue, May 29, 2018, 20:32 Michael Watters  > wrote:
>
> I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
> release and the admin account is no longer able to login.  After
> entering the user name and password I receive a message that
> states "The
> user admin@internal is not authorized to perform login".
>
> Is there a way to resolve this?  Resetting the password did not work.
> ___
> Users mailing list -- users@ovirt.org 
> To unsubscribe send an email to users-le...@ovirt.org
> 
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/
>

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LLJPLHC5HHWVVTKPZCCLUH7ENIMLI4PS/

[ovirt-users] Re: Unable to login after upgrade

2018-05-29 Thread Alex K 
Are you using engine IP to login? Perhaps the sso default file was
overwritten?

Alex

On Tue, May 29, 2018, 20:32 Michael Watters  wrote:

> I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
> release and the admin account is no longer able to login.  After
> entering the user name and password I receive a message that states "The
> user admin@internal is not authorized to perform login".
>
> Is there a way to resolve this?  Resetting the password did not work.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/D3MB52UQ2RW56BIWTHSWZUQEGVNVKTB7/