[ovirt-users] Re: oVirt 4.3.1 with AD creates new user at every login

2019-03-11 Thread Ravi Shankar Nori
On Mon, Mar 11, 2019 at 4:49 AM Martin Perina  wrote:

>
>
> On Sat, Mar 9, 2019 at 10:43 AM  wrote:
>
>> > I just did a clean install of oVirt 4.3.1 (engine and nodes).
>> >
>> > I setup AD authentication and gave an AD group permissions needed work
>> with
>> > VMs. I gave them PowerUserRole on the Cluster and Storage.
>> >
>> > Users in the AD group can login and create VMs but after they log out
>> and
>> > log back in they don't see any of the VMs created in the previous
>> session.
>> >
>> > I noticed that in Administration -> Users a new row is created for each
>> > user every time they login. All columns for each user are the same: same
>> > first and last name, same user name, authorization provider, and so on
>> but
>> > the behavior looks very much like they are being treated as new user
>> every
>> > time they login.
>>
>
> Ravi, is above the same issue as tracked in
> https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?
>
>>
>>
Yes it is the same issue and should be fixed by [1]

[1] https://gerrit.ovirt.org/#/c/98169/



>
>> I have observed the same behaviour with oVirt 4.3.XY
>>
>> Delving deeper, in the oVirt engine 'users' table,  external_id is *not*
>> being set for AD users as documented in (e.g.)
>> engines/packaging/dbscripts/common_sp.sql
>>
>> "The external identifier is the user identifier converted to an array of
>> bytes:"
>>
>> ovirt 4.3.0
>> user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f |
>> ece7b8c2-4983-4c1e-9a33-c28d58d40213
>>
>>
>> And under ovirt 4.2.8 for comparison:
>>
>> username   |   user_id|
>>  external_id
>> user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c |
>> af5bbg/eTkuktBPXW4Ak5g==
>>
>>
>> Further information on replicating the issue:
>>
>> 1) Configure LDAP authentication:
>>
>>
>> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html#configuring-an-external-ldap-provider
>>
>>
>> 2) Add an LDAP group via the Administration Portal:
>>
>> Administration >> Users > 'Add' button, click 'Group'
>> radio-button, select the relevant LDAP authorization
>> select the relevant LDAP authorization provider in the
>> drop-down list under 'Search', enter the LDAP group
>> in the search text-box then click 'GO'.
>>
>> The found group should appear below.  Select the
>> toggle-button to the left of the group then click
>> 'Add and Close'.
>>
>>
>> 3) Add SuperUser system permission for the LDAP group.
>>
>> Back under Administration >> Users, click the 'Group'
>> button if groups are not already displayed.  Click on
>> the LDAP group added in the previous step then click
>> 'Permissions' -> 'Add System Permissions'
>>
>>
>> 4) Log into the Administration Portal as an LDAP group member.
>> Logout then log back into the Administration Portal as a
>> member of the LDAP group specified above.  Login should be
>> successful because that user will inherit the SuperUser
>> system permission but note the following issues below:
>>
>> - under Administration >> Users, note that a 'User' icon
>> is displayed for the LDAP user rather than an 'Admin' icon.
>> This is in contrast to 4.2.8, where an Admin icon would
>> be displayed.
>>
>>
>> 5) Repeat step 4 above.
>> If you logout then log back into the Administration Portal as
>> the same member of the LDAP group specified above then
>> check Administration >> Users, an additional user entry appears:
>> same First Name, Last Name, Authorization provider, Namespace
>> and E-mail.
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED36MLLN7I5BJEPYEADKUO2/
>>
>
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/REPKBSLKHRM5QXRGWDJQRU3V5MZRGBV4/


[ovirt-users] Re: error failed to execute stage 'misc configuration': failed to start service 'openvswitch'

2019-03-08 Thread Ravi Shankar Nori
Can you provide a few more details of your setup. Which OS and which
version of oVirt you are trying to install.

Thanks

On Fri, Mar 8, 2019 at 9:41 AM Katia Monjes  wrote:

> I'm starting in the world of ovirt, so I would appreciate the help
> I'm trying to install ovirt-engine and it gives me the following error
>
> error failed to execute stage 'misc configuration': failed to start
> service 'openvswitch'
>
> Could someone guide me to find the solution?
> thanks
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/R23EIJY2ZAXYFV6BXIS25CJZA5FKGCGC/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PYXJJMTEQXU7BKWYJKIX5WPHPUXAXP2I/


[ovirt-users] Re: access engine by http

2019-02-15 Thread Ravi Shankar Nori
I am not sure we can do what you are asking for. A lot of stuff is not
going to work. AFAIK you will need a dedicated machine to run ovirt engine
on the default ports.

On Thu, Feb 14, 2019 at 10:29 PM du_hon...@yeah.net 
wrote:

> hi Ravi
>  sorry, I do not understand when I visit http:
> 192.168.122.176:80/ovirt-engine still redirect to https:
> 192.168.122.176:443/ovirt-engine, I already fix sso_clients table;
> who redirect http to https??
>  thanks
>
> engine=# select * from sso_clients
> engine-# ;
>  id | client_id  |
>
>  client_secret
>
> | callback_prefix
>   |  certificate_location
>|notification_callback|
>  description | email |
>
>  scope
>
>
> | trusted | notification_callback_protocol |
> notification_callback_verify_host | notification_callback_verify_chain
>
> ++
>
> --+-+-
>
> ---+-++---+---
>
> --
>
> +-++---+
>   1 | ovirt-engine-core  |
> eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnN
> oOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0=
> | http://192.168.122.176:80/ovirt-engine/ |
> /etc/pki/ovirt-engine/certs/engine.c
> er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt
> Engine   |   | openid ovirt-app-portal ovirt-app-admin
> ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token:
> password-access ovirt-ext=auth:sequence-priority
> ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovir
> t-ext=revoke:revoke-all | t   | TLS| f
> | t
>   2 | ovirt-provider-ovn |
> eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V
> 5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0=
> | http://192.168.122.176:80/ovirt-engine/ |
> /etc/pki/ovirt-engine/certs/engine.c
> er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback |
> ovirt-provider-ovn |   | ovirt-app-api ovirt-ext=token-info:validate
> ovirt-ext=token-info:public-authz-search
>
>
>
> | t   | TLS| f
> | t
> (2 rows)
>
> --
>
> Regards
>
> Hongyu Du
>
>
> *From:* du_hon...@yeah.net
> *Date:* 2019-02-14 23:32
> *To:* Ravi Nori 
> *CC:* users 
> *Subject:* [ovirt-users] Re: access engine by http
> thanks Ravi, because  my engine certification is signed by myself, when I
> visit my ovirt-engine by browser,  browser need add security exception, so
> I want to engine by http.
>
> I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect
> /ovirt-engine to 127.0.0.1:8702  , but I do not know how to  redirect
> https , I do not find some redirect https info.
>
> I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5"   to
> "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"?
>
> --
>
> Regards
>
> Hongyu Du
>
>
> *From:* Ravi Shankar Nori 
> *Date:* 2019-02-14 23:16
> *To:* du_hon...@yeah.net
> *CC:* Greg Sheremeta ; users 
> *Subject:* Re: Re: [ovirt-users] access engine by http
> Apache uses ajp to communicate with engine on port 8702. You can redirect
> from Apache with a simple RewriteCond
> to jboss port 8543 but certificate verification is not going to work which
> will cause issues with all

[ovirt-users] Re: access engine by http

2019-02-14 Thread Ravi Shankar Nori
Apache uses ajp to communicate with engine on port 8702. You can redirect
from Apache with a simple RewriteCond
to jboss port 8543 but certificate verification is not going to work which
will cause issues with all oVirt tools.

More over oVirt SSO is not going to let you access UI on port other than
443 when installed through rpms.
You will need to fiddle with the database to update the redirect uris in
the sso_clients table.

The best you can do is change the proxy port in
/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in
place.

Why are you trying to by pass Apache?

On Thu, Feb 14, 2019 at 9:25 AM du_hon...@yeah.net 
wrote:

> sorry I describe errror,
>  my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
>
> ENGINE_FQDN=localhost.localdomain
> ENGINE_PROXY_ENABLED=false
> ENGINE_PROXY_HTTP_PORT=None
> ENGINE_PROXY_HTTPS_PORT=None
> ENGINE_AJP_ENABLED=false
> ENGINE_AJP_PORT=None
> ENGINE_HTTP_ENABLED=true
> ENGINE_HTTPS_ENABLED=false
> ENGINE_HTTP_PORT=8080
> ENGINE_HTTPS_PORT=8443
>
> I know install ovirt-engine from source in a developer setup, this can
> visit engine by http.  and  not apache  in the frontend.  but I want to
> visit engine that is installed rpm by http?
>
> Besides I realize apache not redirect http to https  ovirt  jboss redirect
> http to https?
>
> --
>
> Regards
>
> Hongyu Du
>
>
> *From:* Greg Sheremeta 
> *Date:* 2019-02-14 19:24
> *To:* du_hon...@yeah.net
> *CC:* Ravi Nori ; users 
> *Subject:* Re: Re: [ovirt-users] access engine by http
> Sorry, I'm still not understanding what you are trying to achieve. Nothing
> is on 8843 - ?
>
> If you install ovirt-engine from source in a developer setup, it's 8080
> http by default and no apache in front. Maybe try that.
>
> Greg
>
> On Thu, Feb 14, 2019 at 12:14 AM du_hon...@yeah.net 
> wrote:
>
>> hi Greg, Ravi
>> thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but
>> still rediect https://192.168.122.176:8443/tchyp-engine/,  I want to
>> know How to redirect to 8843?
>> Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf
>> #IncludeOptional conf.d/*.conf,
>> But http is still redirect to https,  I should how disable redirect?
>> I find  this file  /usr/share/ovirt-engine/services/ovirt-engine/
>> ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine
>> server is not boot
>> > name="redirect"
>> port="{{ HTTPS_PORT }}"/>
>> /var/log/ovirt-engine/boot.log has some error?
>> 13:12:43,144 INFO  [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final
>> (WildFly Core 3.0.8.Final) starting
>> 13:12:44,644 INFO  [org.jboss.as.controller.management-deprecated]
>> WFLYCTL0028: Attribute 'security-realm' in the resource at address
>> '/core-service=management/management-interface=native-interface' is
>> deprecated, and may be removed in future version. See the attribute
>> description in the output of the read-resource-description operation to
>> learn more about the deprecation.
>> 13:12:44,646 INFO  [org.jboss.as.controller.management-deprecated]
>> WFLYCTL0028: Attribute 'security-realm' in the resource at address
>> '/core-service=management/management-interface=http-interface' is
>> deprecated, and may be removed in future version. See the attribute
>> description in the output of the read-resource-description operation to
>> learn more about the deprecation.
>> 13:12:44,677 INFO  [org.jboss.as.controller.management-deprecated]
>> WFLYCTL0028: Attribute 'security-realm' in the resource at address
>> '/subsystem=undertow/server=default-server/https-listener=https' is
>> deprecated, and may be removed in future version. See the attribute
>> description in the output of the read-resource-description operation to
>> learn more about the deprecation.
>> 13:12:44,677 INFO  [org.jboss.as.controller.management-deprecated]
>> WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address
>> '/subsystem=undertow/server=default-server/https-listener=https' is
>> deprecated, and may be removed in future version. See the attribute
>> description in the output of the read-resource-description operation to
>> learn more about the deprecation.
>> 13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004:
>> Found restapi.war in deployment directory. To trigger deployment create a
>> file called restapi.war.dodeploy
>> 13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004:
>> Found engine.ear in deployment directory. To trigger deployment create a
>> file called engine.ear.dodeploy
>> 13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004:
>> Found ovirt-web-ui.war in deployment directory. To trigger deployment
>> create a file called ovirt-web-ui.war.dodeploy
>> 13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004:
>> Found apidoc.war in deployment directory. To trigger deployment create a
>> file called apidoc.war.dodeploy
>> 13:12:44,895 ERROR 

[ovirt-users] Re: sun.security.validator

2019-02-06 Thread Ravi Shankar Nori
On Wed, Feb 6, 2019 at 11:18 AM Greg Sheremeta  wrote:

> Ravi, can you assist?
>
> Greg
>
>
> On Tue, Feb 5, 2019 at 8:39 PM  wrote:
>
>> Did you ever get an answer to this?  I am experiencing the same issue
>> after:
>>
>> 1) Updating the BIOS on my system to the latest one
>> 2) Installing a new 10GbE NIC
>>
>> Both the BIOS update and the NIC installation completed without incident,
>> but I am getting the exact same error.
>>
>> Any advice out there?
>> __
>
>

If you are not using custom certificates check the FQDN of the host and run
engine-setup again.

If you are using custom certificates you can follow the steps in oVirt blog
[1]

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html


> _
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/6CSADXLGCOMYYC22ZJEQ46EBOINK257H/
>>
>
>
> --
>
> GREG SHEREMETA
>
> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
>
> Red Hat NA
>
> 
>
> gsher...@redhat.comIRC: gshereme
> 
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MC42TO5TLPJLW5RO2RUROLGLDFRGRJ4Q/


[ovirt-users] Re: oVirt upgrade 4.1 to 4.2

2019-01-09 Thread Ravi Shankar Nori
You can try

curl -k -X GET -u admin@internal: -H 'Accept: application/xml'
https://
/ovirt-engine/api/vms?search=custom_compatibility_level%3D4.1

should list all the vms with custom_compatibility_level 4.1

On Mon, Jan 7, 2019 at 10:09 AM  wrote:

> Hello when we did a live upgrade of our VDC from 4.1 to 4.2 we had a large
> number of VMs running that had a Custom Compatibility Version set to 4.1 to
> allow them to keep running while the cluster and VDC were upgraded.
> Unfortunately there was a large number of snapshots taken be the users
> before they were restarted their VMs so they have the
> Custom_Compatibility_Version set to 4.1 and so can't run in the 4.2 VDC, is
> there a way to search for them in the API or SDK because I can only find
> them in the events log when they fail to start.
>
> Thanks,
>   Paul S.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/4A5WZ3ULHI7IAG44P3T5RTH5LPXK6BJT/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WOWCBU3AYLXWEP5GL2HHJUT32Y74UHCQ/


[ovirt-users] Re: The user admin@internal is not authorized to perform login

2018-11-26 Thread Ravi Shankar Nori
Looks like the permissions for admin@internal were removed by another admin
user

You can try the following

1. Get the admin user external id

select external_id from users where name = 'admin' and domain =
'internal-authz'

2.  Add permissions for admin user

select attach_user_to_role(
'admin',
'internal-authz',
'*',
'b71c937c-441b-42cc-bf21-33fa2d9704ce', <=== the
external id from above
'SuperUser'
)

Let us know if it helps

On Sat, Nov 24, 2018 at 9:22 AM Greg Sheremeta  wrote:

> Perhaps Ravi can assist with this.
>
> -- Forwarded message -
> From: Shawn Southern 
> Date: Fri, Nov 23, 2018 at 9:52 PM
> Subject: [ovirt-users] The user admin@internal is not authorized to
> perform login
> To: users@ovirt.org 
>
>
> No one can log in to our oVirt instance today.  LDAP users cannot
> authenticate, and the internal ‘admin’ user gets “The user admin@internal
> is not authorized to perform login” after being authenticated.
>
>
>
> From engine.log:
>
> 2018-11-23 10:17:12,454-05 INFO
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-24) []
> User admin@internal successfully logged in with scopes: ovirt-app-admin
> ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~
> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
> ovirt-ext=token:password-access
>
> 2018-11-23 10:17:12,576-05 INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24)
> [43bd2e4f] Running command: CreateUserSessionCommand internal: false.
>
> 2018-11-23 10:17:12,584-05 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-24) [43bd2e4f] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
> admin@internal-authz connecting from '10.11.12.13' failed to log
> in.
>
> 2018-11-23 10:17:12,585-05 ERROR
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-24)
> [] The user admin@internal is not authorized to perform login
>
>
>
> Where do I go from here?
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/OQNDRRXT3EZGGKGMBDIRZRLJYC2546N4/
>
>
> --
>
> GREG SHEREMETA
>
> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
>
> Red Hat NA
>
> 
>
> gsher...@redhat.comIRC: gshereme
> 
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/J6JV4XLO3PFBSFH53QV5T2VL5SNYGBK6/


[ovirt-users] Re: Unable to login to the WEB UI Unexpected character ('<' (code 60))....

2018-08-06 Thread Ravi Shankar Nori
I think the problem was the host name with a "." in it "RH7.1"

On Mon, Aug 6, 2018 at 3:27 PM,  wrote:

> It works for me !
>
> So, you need a hostname with a domain
> Update your /etc/hosts file on the server and the clients
> (C:\Windows\System32\drivers\etc\Hosts for Windows)
>
> Thanks a lot !
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/BE5L6S6HLJEG4LWXH5KMNJJOMBHJSP3B/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MWBZMEDBYY6GRLJGMYSH3D53M4KZV2RJ/


[ovirt-users] Re: Unable to login to the WEB UI Unexpected character ('<' (code 60))....

2018-08-06 Thread Ravi Shankar Nori
Please share the contents of file

/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf

and

/etc/ovirt-engine/engine.conf.d/11-setup-sso.conf

On Mon, Aug 6, 2018 at 2:22 PM, Klauber Lucilla  wrote:

> Hello,
> I´ve got same error here, tried all above.
> Same screen like sylvain.pal...@gmail.com and no logs.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/HF6GG3TSZW4YPQGTPVDYKENXXLFLPOP4/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VQHO3L6ICZUZNGJ4H64RH7RV763IGS7G/


[ovirt-users] Re: Unable to login to the WEB UI Unexpected character ('<' (code 60))....

2018-08-06 Thread Ravi Shankar Nori
Try the following
1. systemctl stop ovirt-engine

2. set hostname to rh71.domain.com

3. update /etc/hosts to add
 rh71.domain.com

4. Run engine-rename to change name to the new hostname

/usr/share/ovirt-engine/setup/bin/ovirt-engine-rename

5.  systemctl start ovirt-engine

Now you can try accessing engine from web browser at rh71.domain.com



On Mon, Aug 6, 2018 at 1:08 PM,  wrote:

> - I can't login, this error appears instantly when i reach
> https://192.168.1.100
>
> - Same error with English as the locale :
> [root@RH7 ~]# localectl status
>System Locale: LANG=en_US.UTF-8
>VC Keymap: fr-oss
>   X11 Layout: fr
>  X11 Variant: oss
>
> - Same error when i try via a browser on the ovirt server.
>
> - Added the server on my Windows Client and there is new error with the
> name instead of ip: error 400 Bad request
>
> For informations :
> [root@RH7 ~]# hostnamectl
>Static hostname: RH7.1
>  Icon name: computer-desktop
>Chassis: desktop
> Machine ID: XX
>Boot ID: XX
>   Operating System: Red Hat Enterprise Linux
>CPE OS Name: cpe:/o:redhat:enterprise_linux:7.5:GA:server
> Kernel: Linux 3.10.0-862.9.1.el7.x86_64
>   Architecture: x86-64
>
> Ovirt version : 4.2
> http://resources.ovirt.org/pub/yum-repo/ovirt-release42.rpm
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/MRRBNVQ3JWDY47CU2KUNR2GVA6FQOCH4/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VUWR5DTQAPA7JZ4XEF2FRYSNF7AAVUD4/


[ovirt-users] Re: Unable to login to the WEB UI Unexpected character ('<' (code 60))....

2018-08-06 Thread Ravi Shankar Nori
Are you able to login from the browser on same host you are running engine?

Please check if the FQDN os the engine host is resolvable on the engine
host and from the host you are trying to access the Web Admin

Also do you have any other setup on Apache that is interfering with Apache
redirecting the request to engine SSO?

On Mon, Aug 6, 2018 at 7:22 AM, Greg Sheremeta  wrote:

> On Mon, Aug 6, 2018 at 6:25 AM  wrote:
>
>> It doesn't show any errors :
>> https://ibb.co/cD2A1K
>
>
> Thanks. This is a bug, so adding devel.
>
> So that console being empty + an empty ui.log means it's not a gwt problem.
>
> Are you logging in with the default admin user?
> Does it happen with English selected as the locale?
> Does it happen when you connect via a browser on the same machine?
> Can you try adding entries to /etc/hosts and connect via a hostname
> instead of IP?
>
> Adding @Ravi Nori  in case this is some known issue
> with connecting via IP.
>
>
>>
>> Test with another site :
>> https://ibb.co/cnVDMK
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
>> guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
>> message/FQZ5GDBFLJLQDF2EXPCL5NXQAQUSMQTD/
>>
>
>
> --
>
> GREG SHEREMETA
>
> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
>
> Red Hat NA
>
> 
>
> gsher...@redhat.comIRC: gshereme
> 
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WTCOZTT6DY6ORNLDX4OWKXPKQ2L5SWHT/


[ovirt-users] Re: ENGINE_SSO_AUTH_URL configuration

2018-07-05 Thread Ravi Shankar Nori
In short, it is not possible to replace engine sso service with an out of
the box oauth2 or OIDC end point.

We have a few custom end points that improve the performance of engine and
also help with authz searches which is used to assign permissions to
users/groups on engine side.


On Wed, Jul 4, 2018 at 10:12 AM, Martin Perina  wrote:

>
>
> On Wed, Jul 4, 2018 at 3:06 PM, Hari Prasanth Loganathan  msystechnologies.com> wrote:
>
>> Hi Martin,
>>
>> Thanks for pointing this url.
>>
>> 1) Based on this post, I created a client id using the
>> 'ovirt-register-sso-client-tool'
>>
>>
>> select * from sso_clients;
>>
>>   3 | *test*   | eyJhcnRpZmFjdCI6IkVudmVsb3BlUE
>> JFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2
>> s1U2t3cWlCMGs9Iiwic2VjcmV0
>> IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044
>> VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3Jp
>> dGhtIjoiUEJLREYyV2l0aEh
>> tYWNTSEExIn0= | http://172.30.39.176:9090/api/auth/sso  |
>> /root/ssl/ssl/certificate.pem  |
>>
>>  | oVirt Engine Client |   | openid
>> ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity
>> ovirt-ex
>> t=token:password-access ovirt-ext=auth:sequence-priority
>> ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search
>> ovirt-ext=token-info
>> :public-authz-search ovirt-ext=token-info:validate
>> ovirt-ext=revoke:revoke-all | t   | TLS|
>> f
>>| t
>>
>>
>>
>> I will store this sso_client information in my application too.
>>
>>
>> 2) Is it possible to use *JUST* this 'client_id' and 'client_secret' to
>> communicate from my application to oVirt instead of oVirt token?
>>
>>   I mean like My_Application ---> (using client id - test) oVirt
>> API
>>
>
> ​I don't think so, the client id/secret is used only to authenticate OIDC
> client to the OIDC server, and not real client to the application ​using
> SSO. But leaving this final answer to this question to Ravi, he is our
> expert on OIDC. Ravi?
>
>
>>
>> Thanks,
>> Hari
>>
>>
>>
>>
>>
>>
>> On Wed, Jul 4, 2018 at 5:32 PM, Martin Perina  wrote:
>>
>>>
>>>
>>> On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan <
>>> hariprasant...@msystechnologies.com> wrote:
>>>
 Okay Thanks Martin.
 I already come across this blog but curious any way to point the
 authentication and authorization to my HTTP URL. so that I don't want to
 depend on the ovirt token.

>>>
>>> ​There's no way how to replace oVirt SSO with different implementation,
>>> you need to use oVirt token.
>>>
>>> But other than relying on Apache you could also configure your
>>> application as OpenID Connect client to oVirt SSO similarly as it's
>>> described for Kibana/Elastic search  integration:
>>>
>>> https://www.ovirt.org/blog/2017/05/openshift-openId-integrat
>>> ion-with-engine-sso/​
>>>
>>> Then you would have only single token for both your application and oVirt
>>>
>>>




 On Wed, Jul 4, 2018 at 5:04 PM, Martin Perina 
 wrote:

>
>
> On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <
> hariprasant...@msystechnologies.com> wrote:
>
>> Hi Team,
>>
>> I want oVirt to point to my Authentication / Authorization HTTP URL,
>> so I modified the following property in
>> */etc/ovirt-engine/engine.conf.d/11-setup-sso.conf*
>>
>>
>> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso;
>>   ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso;
>>
>> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/;
>>   SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/;
>> ​
>>
>
>> I verified in the log and found the following message :
>>
>> engine.log:2018-07-04 15:12:46,238+05 INFO
>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>> Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is '
>> http://172.30.39.176:9090/api/auth/sso'.
>> engine.log:2018-07-04 15:12:46,244+05 INFO
>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>> Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is '
>> http://172.30.39.176:9090/api/auth/'.
>>
>>
>> But still it is not point to my Authentication URL, Is there any
>> other change we need to make to point the oVirt Authentication to my HTTP
>> URL?
>>
>
> ​Hi,
>
> what exactly are you trying to achieve? To change URL where engine is
> available or to replace existing oVirt SSO module with custom
> implementation? If the latter, then this is not supported.
>
> But if you need to configure additional authentication methods, for
> example kerberos SSO or CAS, you can do this using combination of Apache
> with relevant modules + ovirt-engine-extension-aaa-lda
> p/ovirt-engine-extension-aaa-misc packages:
>

Re: [ovirt-users] oVirt Metrics

2017-07-14 Thread Ravi Shankar Nori
On Tue, Jul 11, 2017 at 6:27 AM, Yedidyah Bar David  wrote:

> On Tue, Jul 11, 2017 at 1:13 PM, Arsène Gschwind
>  wrote:
> > Hi all,
> >
> > I'm trying to setup oVirt metrics as described at
> > https://www.ovirt.org/develop/release-management/features/
> engine/metrics-store/
> > using SSO.
> > My oVirt installation is based on Version: 4.1.3.5-1.el7.centos.
> >
> > I'm missing the SSO tool called ovirt-register-sso-client as written in
> the
> > doc to register new SSO client. I couldn't figure out which package
> contains
> > that tool, is it included in the latest distribution ?
>
> I do not think it's included in 4.1. I can only see it in the master
> branch, see [1]. Adding Ravi. Ravi - is it planned to be in 4.1? If not,
> perhaps the blog post should mention this.
>


This is available only in master and is not in 4.1, I will update the blog
post



>
> You can try this by using the nightly snapshot [2]. Obviously do not do
> this on a production setup.
>
> Or you can use the version without sso.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1425935
> [2] http://www.ovirt.org/develop/dev-process/install-nightly-snapshot/
>
> >
> > Thanks for any help.
> >
> > rgds,
> > Arsène
> >
> > --
> >
> > Arsène Gschwind
> > Fa. Sapify AG im Auftrag der Universität Basel
> > IT Services
> > Klingelbergstr. 70 |  CH-4056 Basel  |  Switzerland
> > Tel. +41 79 449 25 63  |  http://its.unibas.ch
> > ITS-ServiceDesk: support-...@unibas.ch | +41 61 267 14 11
> >
> >
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>
>
>
> --
> Didi
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users