On 06/21/2016 04:54 PM, Julián Tete wrote:
That's right, I removed the internal properties :/

This is the output of the commands:

/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --user-name=admin --authz-name=internal-authz --role=SuperUser

Output:

FATAL: Please specify provider namespace

You don't have to run it, I've just sent it for future reference :)
But if you, for example, want to add SuperUser permissions to user 'julian', you can run:

/usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9' --role=SuperUser --user-name=julian --authz-name=internal-authz --principal-namespace=*

And you don't need admin@internal-authz user.


su - postgres -c "psql -t engine -c \"select * from users;\""

Output:

 fdfc627c-d875-11e0-90f0-83df133b58cc | admin | | internal | admin | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
 16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator | udistritaloas.edu.co | admin | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete | internal-authz | julian | | danteconra...@gmail.com | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin | | internal-authz | admin | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *

su - postgres -c "psql -t engine -c \"select * from permissions;\""

OK, according to the current status I would suggest you to:

 1) remove admin@internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
$ su - postgres -c "psql -t engine -c \"delete from users where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""

 2) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""

Then restart ovirt-engine and try to log in.

The problem here is that it tries to log in with an admin user which doesn't have any permissions, and you have two admin users, because you have removed the internal-*.properties files, so it added another one.


Output:

 00000004-0004-0004-0004-00000000025e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000000-0000-0000-0000-000000000000 |  4 | 1447535033
 0000000f-000f-000f-000f-000000000293 | def0000a-0000-0000-0000-def000000010 | eee00000-0000-0000-0000-123456789eee | 0000000e-000e-000e-000e-0000000002d6 | 27 | 1447535033
 00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535033
 00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535033
 00000011-0011-0011-0011-0000000002a9 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000010-0010-0010-0010-0000000001d1 |  4 | 1447535033
 00000013-0013-0013-0013-00000000031e | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000012-0012-0012-0012-0000000001c6 |  4 | 1447535033
 00000015-0015-0015-0015-0000000003b8 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000014-0014-0014-0014-0000000002fd |  4 | 1447535033
 00000017-0017-0017-0017-000000000388 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000016-0016-0016-0016-0000000002b0 |  4 | 1447535033
 00000019-0019-0019-0019-0000000003d5 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 00000018-0018-0018-0018-000000000314 |  4 | 1447535033
 00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535037
 7a3917ea-b2df-444f-938c-f768feeaee04 | def00009-0000-0000-0000-def000000009 | eee00000-0000-0000-0000-123456789eee | 8fa947f7-c698-4661-aea4-a093bbd0ba0b |  4 | 1457665842
 e8abc833-b860-451c-b580-780c7d1049d4 | def0000a-0000-0000-0000-def00000000f | fdfc627c-d875-11e0-90f0-83df133b58cc | 8fa947f7-c698-4661-aea4-a093bbd0ba0b |  4 | 1457665842
 c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875


2016-06-21 9:18 GMT-05:00 Ondra Machacek <omach...@redhat.com>:

    On 06/20/2016 08:33 PM, Julián Tete wrote:

        Thanks Ondra :)

        With the command:

        su - postgres -c "psql -t engine -c \"insert into permissions values
        ('0000001b-001b-001b-001b-00000000029f',
        '00000000-0000-0000-0000-000000000001',
        'fdfc627c-d875-11e0-90f0-83df133b58cc',
        'aaa00000-0000-0000-0000-123456789aaa', 1);\""


    I've just remembered that there is a bash script for it:

     /usr/share/ovirt-engine/bin/ovirt-engine-role.sh

    You can use it as follows:

     /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
    --user-name=admin --authz-name=internal-authz --role=SuperUser

    But, as per your output above, obviously your problem is not missing
    permissions.
    I think the problem is that you removed the internal*.properties files
    and then re-added them.
    Can you please send the output of the users table and the permissions table? Thanks.

     su - postgres -c "psql -t engine -c \"select * from users;\""
     su - postgres -c "psql -t engine -c \"select * from permissions;\""

        I get:

        ERROR:  duplicate key value violates unique constraint
        "idx_combined_ad_role_object"
        DETAIL:  Key (ad_element_id, role_id,
        object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
        00000000-0000-0000-0000-000000000001,
        aaa00000-0000-0000-0000-123456789aaa) already exists.

        History

          261  yum install ovirt-engine-extension-aaa-ldap
          262  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
          263  cd /etc/ovirt-engine/
          264  ll
          265  vim profile1.properties
          266  ll
          267  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
          268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
          269  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
          270  ll
          271  cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
          272  cd /etc/ovirt-engine/extensions.d/
          273  ll
          274  find / -type f -iname profile1.properties
          275  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
          276  find / -type f -iname profile1.properties
          277  vim /etc/ovirt-engine/aaa/profile1.properties
          278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
          279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
          280  systemctl restart ovirt-engine
          281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
          282  cd /usr/share/
          283  ls
          284  cd ovirt-engine-aaa-ldap
          285  ls
          286  cd ovirt-engine-extension-aaa-ldap/
          287  ls
          288  cd examples/
          289  ls
          290  cd ad
          291  ls
          292  cd extensions.d/
          293  ls
          294  vim profile1-authn.properties
          295  pwd
          296  cd ..
          297  pwd
          298  cd ..
          299  ls
          300  cd simple
          301  ls
          302  cd aaa/
          303  ls
          304  vim profile1.properties
          305  pwd
          306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
          307  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
          308  vim /etc/ovirt-engine/aaa/profile1.properties
          309  history
          310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
          311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
          312  systemctl restart ovirt-engine
          313  updatedb
          314  locate domain1-authn.properties
          315  history
          316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
          317  ll
          318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
          319  ls
          320  cd extensions.d/
          321  ls
          322  pwd
          323  cd /etc/ovirt-engine/extensions.d/
          324  ls
          325  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
          326   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
          327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
          328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
          329   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
          330  ll
          331  history
          332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
          333  chmod 600 /etc/ovirt-engine/extensions.d/*
          334  ll
          335  cd extensions.d/
          336  ll
          337  cd
          338  engine-config -s SASL_QOP=auth
          339  systemctl restart ovirt-engine
          340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
          341  systemctl restart ovirt-engine
          342  engine-manage-domains list
          343  history
          344  cd /etc/ovirt-engine/extensions.d/
          345  ll
          346  rm -rf internal-authn.properties
          347  rm -rf internal-authz.properties
          348  rm -rf profile1-authn.properties
          349  rm -rf profile1-authz.properties
          350  history
          351  cd /etc/ovirt-engine/aaa/
          352  ll
          353  rm -rf profile1.properties
          354  vim internal.properties
          355  systemctl restart ovirt-engine
          356  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
          357  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
          358  engine-config -s AdminPassword=interactive
          359  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
          360  systemctl restart ovirt-engine
          361  exit
          362  cd /etc/ovirt-engine/aaa/
          363  ll
          364  vim internal.properties
          365  /etc/ovirt-engine/extensions.d/
          366  cd /etc/ovirt-engine/extensions.d/
          367  ll
          368  cd extensions.d/
          369  ll
          370  pwd
          371  ll
          372  cd ..
          373  ll
          374  cd ..
          375  ll
          376  cd /etc/ovirt-engine/extensions.d/
          377  ll
          378  cd extensions.d/
          379  ll
          380  pwd
          381  ll
          382  cd ..
          383  ll
          384  systemctl restart ovirt-engine.service
          385  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
          386  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
          387  systemctl restart ovirt-engine.service
          388  ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
          389  yum install -y ovirt-engine-extension-aaa-jdbc
          390  engine-setup
          391  ovirt-aaa-jdbc-tool user show admin
          392  ovirt-aaa-jdbc-tool settings show
          393  cd /var/log
          394  ll
          395  cd ovirt-engine
          396  ll
          397  tail -f n 100 ui.log
          398  ll
          399  tail -f -n engine.log
          400  tail -f -n 1000 engine.log
          401  tail -n 5000 engine.log | grep admin@internal
          402  ovirt-aaa-jdbc-tool user show admin
          403  ovirt-aaa-jdbc-tool user show admin@internal
          404  ovirt-aaa-jdbc-tool query --what=user
          405  engine-config -s AdminPassword=interactive
          406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
          407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
          408  cd /etc/ovirt-engine/extensions.d/
          409  ll
          410  vim /etc/ovirt-engine/aaa/internal.properties
          411  cd /etc/ovirt-engine/aaa/
          412  ll
          413  vim internal.properties
          414  pwd
          415  ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconra...@gmail.com
          416  ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
          417  history
          418  tail -n 5000 engine.log | grep admin@internal
          419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
          420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
          421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
          422  systemctl restart ovirt-engine.service
          423  history
          424  ovirt-aaa-jdbc-tool query --what=user
          425  updatedb
          426  locate internal
          427  yum install -y ovirt-engine-cli
          428  cd /opt
          429  cd /opt/



        2016-06-20 13:24 GMT-05:00 Ondra Machacek <omach...@redhat.com>:


            On 06/20/2016 06:36 PM, Julián Tete wrote:

                oVirt: 3.6.2

                Trying to use:

                https://github.com/machacekondra/ovirt-engine-kerbldap-migration

                First use:

                engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co


                The domain was added, but I can't access the webadmin portal :/

                I get the message:

                "User is not authorized to perform this action."

                In ovirt-cli

                [401] - Unauthorized

                tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal

                2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION


            I am a little bit lost about what your steps were to get into this
            state, but it looks like your admin@internal user had its SuperUser
            permissions removed. I am really not sure how you could achieve
            that, but to fix it please run the following command:

             $ su - postgres -c "psql -t engine -c \"insert into permissions
            values ('0000001b-001b-001b-001b-00000000029f',
            '00000000-0000-0000-0000-000000000001',
            'fdfc627c-d875-11e0-90f0-83df133b58cc',
            'aaa00000-0000-0000-0000-123456789aaa', 1);\""

            This command will give your admin@internal user SuperUser
            permissions on the system.

            Can you please describe what you have done a bit more, so we can
            understand the problem?

            Thanks.


                Properties of Internal domain:

                cat /etc/ovirt-engine/aaa/internal.properties

                ovirt.engine.extension.name = internal-authn
                ovirt.engine.extension.bindings.method = jbossmodule
                ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
                ovirt.engine.aaa.authn.profile.name = internal
                ovirt.engine.aaa.authn.authz.plugin = internal-authz
                config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                cat /etc/ovirt-engine/extensions.d/internal-authn.properties

                ovirt.engine.extension.name = internal-authn
                ovirt.engine.extension.bindings.method = jbossmodule
                ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
                ovirt.engine.aaa.authn.profile.name = internal
                ovirt.engine.aaa.authn.authz.plugin = internal-authz
                config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                cat /etc/ovirt-engine/extensions.d/internal-authz.properties

                ovirt.engine.extension.name = internal-authz
                ovirt.engine.extension.bindings.method = jbossmodule
                ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
                ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
                config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                Properties of admin@internal user:

                ovirt-aaa-jdbc-tool user show admin

                -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
                Namespace: *
                Name: admin
                ID: fdfc627c-d875-11e0-90f0-83df133b58cc
                Display Name:
                Email:
                First Name: admin
                Last Name:
                Department:
                Title:
                Description:
                Account Disabled: false
                Account Unlocked At: 1970-01-01 00:00:00Z
                Account Valid From: 2015-10-01 00:00:00Z
                Account Valid To: 2100-01-01 00:00:00Z
                Account Without Password: false
                Last successful Login At: 2016-06-20 16:01:03Z
                Last unsuccessful Login At: 2016-06-19 16:53:07Z
                Password Valid To: 2100-01-01 00:00:00Z

                Can I assign privileges to the user? Any idea?


                _______________________________________________
                Users mailing list
                Users@ovirt.org
                http://lists.ovirt.org/mailman/listinfo/users



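The diagnosis Ondra gives above (a second admin user created after the internal-*.properties files were removed, so the login resolves to a users row that holds no SuperUser permission) can be checked mechanically from the two psql outputs. The script below is an added example, not part of this thread and not oVirt code: it parses the pipe-separated `psql -t` output of the users and permissions tables, lists usernames that exist in more than one domain, reports which ad_element_ids hold SuperUser on the System object, and resolves `admin@internal` and `admin@internal-authz` to their rows. The column positions are an assumption read off the rows and the DELETE/UPDATE/INSERT statements in the thread; the embedded sample rows are copied from the thread's output with the email and timestamp columns shortened.

```python
"""Sanity check for oVirt engine users/permissions rows (added example, not oVirt code).

Parses the pipe-separated output of
    psql -t engine -c "select * from users;"
    psql -t engine -c "select * from permissions;"
and reports usernames present in more than one domain, plus which
ad_element_ids hold SuperUser on the System object.
"""
from collections import defaultdict

# Confirmed by the thread: the suggested INSERT grants SuperUser (role_id
# ...0001) on the System object (object_id aaa0...aaa, object_type_id 1).
SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"
SYSTEM_OBJECT_ID = "aaa00000-0000-0000-0000-123456789aaa"

# Column positions: an assumption read off the rows and the DELETE/UPDATE
# statements in the thread (user_id first, domain fourth, username fifth);
# permissions follow the column order of the thread's INSERT statement.
USER_ID, USER_DOMAIN, USER_NAME = 0, 3, 4
PERM_ROLE, PERM_ELEMENT, PERM_OBJECT = 1, 2, 3

# Constructed sample: the four user rows from the thread, one per line,
# with the email and timestamp columns shortened.
USERS_SAMPLE = """\
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               | internal             | admin  | | | | t | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 | 2016-06-18 | *
 16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator | udistritaloas.edu.co | admin  | | | | f | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 | 2016-06-19 | *
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          | internal-authz       | julian | | | | f | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 | 2016-06-20 | *
 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |               | internal-authz       | admin  | | | | f | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 | 2016-06-20 | *
"""

# Constructed sample: four of the permissions rows from the thread.
PERMS_SAMPLE = """\
 00000003-0003-0003-0003-00000000009c | 00000000-0000-0000-0000-000000000001 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535033
 00000006-0006-0006-0006-0000000000e3 | 00000000-0000-0000-0001-000000000002 | fdfc627c-d875-11e0-90f0-83df133b58cc | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535033
 00000027-0027-0027-0027-00000000027e | def00021-0000-0000-0000-def000000015 | eee00000-0000-0000-0000-123456789eee | aaa00000-0000-0000-0000-123456789aaa |  1 | 1447535037
 c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c | def0000a-0000-0000-0000-def00000000b | fdfc627c-d875-11e0-90f0-83df133b58cc | 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 | 1463161875
"""


def parse_psql_rows(text):
    """Split `psql -t` output into one list of stripped fields per row."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # psql -t prints a trailing blank line; skip it
        rows.append([field.strip() for field in line.split("|")])
    return rows


def duplicate_usernames(users):
    """Map username -> [(user_id, domain), ...] for names found in more than one domain."""
    by_name = defaultdict(list)
    for row in users:
        by_name[row[USER_NAME]].append((row[USER_ID], row[USER_DOMAIN]))
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def superusers_on_system(permissions):
    """Set of ad_element_ids (users or groups) holding SuperUser on the System object."""
    return {
        row[PERM_ELEMENT]
        for row in permissions
        if row[PERM_ROLE] == SUPERUSER_ROLE_ID and row[PERM_OBJECT] == SYSTEM_OBJECT_ID
    }


def resolve_login(users, permissions, username, domain):
    """Which users row does username@domain map to, and does that row hold SuperUser?"""
    matches = [r for r in users if r[USER_NAME] == username and r[USER_DOMAIN] == domain]
    if not matches:
        return None
    user_id = matches[0][USER_ID]
    return {"user_id": user_id, "superuser": user_id in superusers_on_system(permissions)}


def diagnose(users_text=USERS_SAMPLE, perms_text=PERMS_SAMPLE):
    """Run all checks on the two psql outputs and return the findings as a dict."""
    users = parse_psql_rows(users_text)
    perms = parse_psql_rows(perms_text)
    return {
        "duplicates": duplicate_usernames(users),
        "superusers": superusers_on_system(perms),
        "admin@internal": resolve_login(users, perms, "admin", "internal"),
        "admin@internal-authz": resolve_login(users, perms, "admin", "internal-authz"),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run as is, it reports `admin` in three domains and shows that `admin@internal-authz` resolves to 7f300f43-9972-4c0e-bfa9-e86df6f1659f, which holds no SuperUser permission, while `admin@internal` resolves to fdfc627c-d875-11e0-90f0-83df133b58cc, which does; that is the mismatch Ondra's two-step fix (delete the duplicate, then rename the domain of the original) removes. To check a live engine, save the two psql outputs to files and pass their contents to `diagnose`.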