On 06/21/2016 09:18 PM, Julián Tete wrote:
Roger Ondra!

1) su - postgres -c "psql -t engine -c \"delete from users where
user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""

Output:

DELETE 1

2) su - postgres -c "psql -t engine -c \"UPDATE users set
domain='internal-authz'  where
user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""

Output:

ERROR:  duplicate key value violates unique constraint
"users_domain_external_id_unique"
DETAIL:  Key (domain, external_id)=(internal-authz,
fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.

OK, this is really strange, because this shouldn't be printed as you removed all constraints in step 1).

So, can you please first stop ovirt-engine, before running steps above? So the steps now
would be:

 1) service ovirt-engine stop

 2) remove admin@internal-authz (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note the id changed from last time). If there are more admin users with domain internal-authz, please
remove them all.
$ su - postgres -c "psql -t engine -c \"delete from users where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""

 3) rename admin@internal to admin@internal-authz
$ su - postgres -c "psql -t engine -c \"UPDATE users set domain='internal-authz' where user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""

  4) service ovirt-engine start


3) systemctl restart ovirt-engine.service

No login yet :(

Look at this:

ovirt-aaa-jdbc-tool user show admin

Output:
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-21 19:15:59Z
Last unsuccessful Login At: 2016-06-20 17:33:24Z
Password Valid To: 2100-01-01 00:00:00Z

su - postgres -c "psql -t engine -c \"select * from users;\""

Output:

 fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               | internal             | admin    |            |                         |      | t                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
 16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator | udistritaloas.edu.co | admin    |            |                         |      | f                       | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          | internal-authz       | julian   |            | danteconra...@gmail.com |      | f                       | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
 c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin  |               | internal-authz       | admin    |            |                         |      | f                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-21 13:54:07.765767-05 | 2016-06-21 14:15:59.352697-05 | *


su - postgres -c "psql -t engine -c \"select * from permissions;\""

Output:





2016-06-21 13:30 GMT-05:00 Ondra Machacek <omach...@redhat.com>:

    On 06/21/2016 04:54 PM, Julián Tete wrote:

        That's right I remove internal properties :/

        This is the output of the commands:

        /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
        --user-name=admin --authz-name=internal-authz --role=SuperUser

        Output:

        FATAL: Please specify provider namespace


    You don't have to run it, I've just sent it for future reference :)
    But if you for example want to add SuperUser permissions to user
    'julian', you can run:

      /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
    --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
    --role=SuperUser --user-name=julian --authz-name=internal-authz
    --principal-namespace=*

    And you don't need admin@internal-authz user.


        su - postgres -c "psql -t engine -c \"select * from users;\""

        Output:

         fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               | internal             | admin    |            |                         |      | t                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2015-09-19 21:38:44.838161-05 | 2016-06-18 20:42:18.883738-05 | *
         16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator | udistritaloas.edu.co | admin    |            |                         |      | f                       | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-05 | 2016-06-19 12:24:41.590162-05 | *
         c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          | internal-authz       | julian   |            | danteconra...@gmail.com |      | f                       | 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-05 | 2016-06-20 11:23:19.261686-05 | *
         7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |               | internal-authz       | admin    |            |                         |      | f                       | fdfc627c-d875-11e0-90f0-83df133b58cc | 2016-06-19 11:43:51.644981-05 | 2016-06-20 16:06:49.138862-05 | *

        su - postgres -c "psql -t engine -c \"select * from permissions;\""


    Ok, according to current status I would suggest you to:

     1) remove admin@internal-authz (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
          $ su - postgres -c "psql -t engine -c \"delete from users
    where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""

      2) rename admin@internal to admin@internal-authz
          $ su - postgres -c "psql -t engine -c \"UPDATE users set
    domain='internal-authz'  where
    user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""

    Then restart ovirt-engine and try to login.

    The problem here is that it tries to log in with the admin user which
    doesn't have any permissions, and you have two admin users, because
    you have removed the internal-*properties files, so it added
    another one.


        Output:




        2016-06-21 9:18 GMT-05:00 Ondra Machacek <omach...@redhat.com>:


            On 06/20/2016 08:33 PM, Julián Tete wrote:

                Thanks Ondra :)

                With the command:

                su - postgres -c "psql -t engine -c \"insert into permissions values
                ('0000001b-001b-001b-001b-00000000029f',
                '00000000-0000-0000-0000-000000000001',
                'fdfc627c-d875-11e0-90f0-83df133b58cc',
                'aaa00000-0000-0000-0000-123456789aaa', 1);\""


            I've just remembered that there is a bash script for it:

             /usr/share/ovirt-engine/bin/ovirt-engine-role.sh

            You can use it as follows:

             /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
            --user-name=admin --authz-name=internal-authz --role=SuperUser

            But, as per your output above, obviously your problem is not
            missing permissions.
            I think the problem is that you removed the internal*.properties
            files and then re-added them.
            Can you please send the output of the users table and the
            permissions table? Thanks.

             su - postgres -c "psql -t engine -c \"select * from users;\""
             su - postgres -c "psql -t engine -c \"select * from permissions;\""

                I get:

                ERROR:  duplicate key value violates unique constraint
                "idx_combined_ad_role_object"
                DETAIL:  Key (ad_element_id, role_id,
                object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
                00000000-0000-0000-0000-000000000001,
                aaa00000-0000-0000-0000-123456789aaa) already exists.

                History

                  261  yum install ovirt-engine-extension-aaa-ldap
                  262  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
                  263  cd /etc/ovirt-engine/
                  264  ll
                  265  vim profile1.properties
                  266  ll
                  267  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
                  268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
                  269  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
                  270  ll
                  271  cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
                  272  cd /etc/ovirt-engine/extensions.d/
                  273  ll
                  274  find / -type f -iname profile1.properties
                  275  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
                  276  find / -type f -iname profile1.properties
                  277  vim /etc/ovirt-engine/aaa/profile1.properties
                  278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
                  279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
                  280  systemctl restart ovirt-engine
                  281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
                  282  cd /usr/share/
                  283  ls
                  284  cd ovirt-engine-aaa-ldap
                  285  ls
                  286  cd ovirt-engine-extension-aaa-ldap/
                  287  ls
                  288  cd examples/
                  289  ls
                  290  cd ad
                  291  ls
                  292  cd extensions.d/
                  293  ls
                  294  vim profile1-authn.properties
                  295  pwd
                  296  cd ..
                  297  pwd
                  298  cd ..
                  299  ls
                  300  cd simple
                  301  ls
                  302  cd aaa/
                  303  ls
                  304  vim profile1.properties
                  305  pwd
                  306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
                  307  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
                  308  vim /etc/ovirt-engine/aaa/profile1.properties
                  309  history
                  310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
                  311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
                  312  systemctl restart ovirt-engine
                  313  updatedb
                  314  locate domain1-authn.properties
                  315  history
                  316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
                  317  ll
                  318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
                  319  ls
                  320  cd extensions.d/
                  321  ls
                  322  pwd
                  323  cd /etc/ovirt-engine/extensions.d/
                  324  ls
                  325  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
                  326   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
                  327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
                  328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
                  329   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
                  330  ll
                  331  history
                  332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
                  333  chmod 600 /etc/ovirt-engine/extensions.d/*
                  334  ll
                  335  cd extensions.d/
                  336  ll
                  337  cd
                  338  engine-config -s SASL_QOP=auth
                  339  systemctl restart ovirt-engine
                  340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
                  341  systemctl restart ovirt-engine
                  342  engine-manage-domains list
                  343  history
                  344  cd /etc/ovirt-engine/extensions.d/
                  345  ll
                  346  rm -rf internal-authn.properties
                  347  rm -rf internal-authz.properties
                  348  rm -rf profile1-authn.properties
                  349  rm -rf profile1-authz.properties
                  350  history
                  351  cd /etc/ovirt-engine/aaa/
                  352  ll
                  353  rm -rf profile1.properties
                  354  vim internal.properties
                  355  systemctl restart ovirt-engine
                  356  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
                  357  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
                  358  engine-config -s AdminPassword=interactive
                  359  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
                  360  systemctl restart ovirt-engine
                  361  exit
                  362  cd /etc/ovirt-engine/aaa/
                  363  ll
                  364  vim internal.properties
                  365  /etc/ovirt-engine/extensions.d/
                  366  cd /etc/ovirt-engine/extensions.d/
                  367  ll
                  368  cd extensions.d/
                  369  ll
                  370  pwd
                  371  ll
                  372  cd ..
                  373  ll
                  374  cd ..
                  375  ll
                  376  cd /etc/ovirt-engine/extensions.d/
                  377  ll
                  378  cd extensions.d/
                  379  ll
                  380  pwd
                  381  ll
                  382  cd ..
                  383  ll
                  384  systemctl restart ovirt-engine.service
                  385  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
                  386  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
                  387  systemctl restart ovirt-engine.service
                  388  ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
                  389  yum install -y ovirt-engine-extension-aaa-jdbc
                  390  engine-setup
                  391  ovirt-aaa-jdbc-tool user show admin
                  392  ovirt-aaa-jdbc-tool settings show
                  393  cd /var/log
                  394  ll
                  395  cd ovirt-engine
                  396  ll
                  397  tail -f n 100 ui.log
                  398  ll
                  399  tail -f -n engine.log
                  400  tail -f -n 1000 engine.log
                  401  tail -n 5000 engine.log | grep admin@internal
                  402  ovirt-aaa-jdbc-tool user show admin
                  403  ovirt-aaa-jdbc-tool user show admin@internal
                  404  ovirt-aaa-jdbc-tool query --what=user
                  405  engine-config -s AdminPassword=interactive
                  406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
                  407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
                  408  cd /etc/ovirt-engine/extensions.d/
                  409  ll
                  410  vim /etc/ovirt-engine/aaa/internal.properties
                  411  cd /etc/ovirt-engine/aaa/
                  412  ll
                  413  vim internal.properties
                  414  pwd
                  415  ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian     --attribute=lastName=Tete --attribute=email=danteconra...@gmail.com
                  416  ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
                  417  history
                  418  tail -n 5000 engine.log | grep admin@internal
                  419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
                  420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
                  421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
                  422  systemctl restart ovirt-engine.service
                  423  history
                  424  ovirt-aaa-jdbc-tool query --what=user
                  425  updatedb
                  426  locate internal
                  427  yum install -y ovirt-engine-cli
                  428  cd /opt
                  429  cd /opt/



                2016-06-20 13:24 GMT-05:00 Ondra Machacek <omach...@redhat.com>:



                    On 06/20/2016 06:36 PM, Julián Tete wrote:

                        oVirt: 3.6.2

                        Trying to use:



        https://github.com/machacekondra/ovirt-engine-kerbldap-migration

                        First use:

                        engine-manage-domains add --domain=udistritaloas.edu.co
                        --provider=ipa --user=admin
                        --ldap-servers=freeipa.udistritaloas.edu.co


                        The domain was added, but I can't access the
                        webadmin portal :/

                        I get the message:

                        "User is not authorized to perform this action."

                        In ovirt-cli

                        [401] - Unauthorized

                        tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal

                        2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                        2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                        2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                        2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                        2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
                        2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION


                    I am a little bit lost as to what your steps were to get
                    into this state, but it looks like your admin@internal user
                    had its SuperUser permissions removed. I am really not sure
                    how you could achieve that, but to fix it please run the
                    following command:

                     $ su - postgres -c "psql -t engine -c \"insert into permissions
                    values ('0000001b-001b-001b-001b-00000000029f',
                    '00000000-0000-0000-0000-000000000001',
                    'fdfc627c-d875-11e0-90f0-83df133b58cc',
                    'aaa00000-0000-0000-0000-123456789aaa', 1);\""

                    This command will add your admin@internal user SuperUser
                    permissions on the system.

                    Can you please describe what you have done a bit more, so
                    we can understand the problem?

                    Thanks.


                        Properties of Internal domain:

                        cat /etc/ovirt-engine/aaa/internal.properties

                        ovirt.engine.extension.name = internal-authn
                        ovirt.engine.extension.bindings.method = jbossmodule
                        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
                        ovirt.engine.aaa.authn.profile.name = internal
                        ovirt.engine.aaa.authn.authz.plugin = internal-authz
                        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                        cat /etc/ovirt-engine/extensions.d/internal-authn.properties

                        ovirt.engine.extension.name = internal-authn
                        ovirt.engine.extension.bindings.method = jbossmodule
                        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
                        ovirt.engine.aaa.authn.profile.name = internal
                        ovirt.engine.aaa.authn.authz.plugin = internal-authz
                        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                        cat /etc/ovirt-engine/extensions.d/internal-authz.properties

                        ovirt.engine.extension.name = internal-authz
                        ovirt.engine.extension.bindings.method = jbossmodule
                        ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
                        ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
                        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
                        config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

                        Properties of admin@internal user:

                        ovirt-aaa-jdbc-tool user show admin

                        -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
                        Namespace: *
                        Name: admin
                        ID: fdfc627c-d875-11e0-90f0-83df133b58cc
                        Display Name:
                        Email:
                        First Name: admin
                        Last Name:
                        Department:
                        Title:
                        Description:
                        Account Disabled: false
                        Account Unlocked At: 1970-01-01 00:00:00Z
                        Account Valid From: 2015-10-01 00:00:00Z
                        Account Valid To: 2100-01-01 00:00:00Z
                        Account Without Password: false
                        Last successful Login At: 2016-06-20 16:01:03Z
                        Last unsuccessful Login At: 2016-06-19 16:53:07Z
                        Password Valid To: 2100-01-01 00:00:00Z

                        Can I assign privileges to the user? Any idea?


                        _______________________________________________
                        Users mailing list
                        Users@ovirt.org
                        http://lists.ovirt.org/mailman/listinfo/users




_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
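
Added example (not code from the thread or from oVirt): a Python/sqlite3 model of the `users_domain_external_id_unique` constraint quoted in the error above, showing why the rename is rejected while a second admin row holds the same `external_id` under `internal-authz`, and how to list and remove the colliding rows in the same transaction as the UPDATE. The four-column schema, the `username` column and all function names are assumptions; the rows are constructed from the ids shown in the thread.

```python
import sqlite3

# Constructed sample rows modelled on the thread's `users` output. Only the
# columns needed to show the collision are kept (simplified schema, assumption).
SAMPLE_USERS = [
    ("fdfc627c-d875-11e0-90f0-83df133b58cc", "admin", "internal",
     "fdfc627c-d875-11e0-90f0-83df133b58cc"),
    ("c9dcda67-9b3e-4255-aa9f-d69043a02b2b", "admin", "internal-authz",
     "fdfc627c-d875-11e0-90f0-83df133b58cc"),
    ("c01c263a-78c5-4524-a94e-c9aa38141ea9", "julian", "internal-authz",
     "1ad3dc19-b15a-493c-9610-2ccdd0dac6af"),
]


def make_db():
    """In-memory stand-in for the engine database (sqlite, not PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               user_id     TEXT PRIMARY KEY,
               username    TEXT,
               domain      TEXT,
               external_id TEXT,
               CONSTRAINT users_domain_external_id_unique
                   UNIQUE (domain, external_id))"""
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_conflicts(conn, user_id, new_domain):
    """List user_ids already holding (new_domain, external_id of user_id)."""
    rows = conn.execute(
        """SELECT o.user_id
             FROM users AS o
             JOIN users AS u ON o.external_id = u.external_id
            WHERE u.user_id = ? AND o.domain = ? AND o.user_id <> u.user_id
            ORDER BY o.user_id""",
        (user_id, new_domain),
    ).fetchall()
    return [r[0] for r in rows]


def naive_rename(conn, user_id, new_domain):
    """The bare UPDATE from the thread; reports the constraint violation."""
    try:
        with conn:  # rolls back when the UPDATE raises
            conn.execute("UPDATE users SET domain = ? WHERE user_id = ?",
                         (new_domain, user_id))
        return "renamed"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def rename_with_cleanup(conn, user_id, new_domain):
    """Delete colliding rows and rename in ONE transaction; return removed ids.

    Doing both inside a single transaction means a failure leaves the table
    exactly as it was, instead of a deleted row and a failed rename.
    """
    conflicts = find_conflicts(conn, user_id, new_domain)
    with conn:  # commit on success, roll back on any exception
        conn.executemany("DELETE FROM users WHERE user_id = ?",
                         [(c,) for c in conflicts])
        cur = conn.execute("UPDATE users SET domain = ? WHERE user_id = ?",
                           (new_domain, user_id))
        if cur.rowcount != 1:
            raise LookupError(f"user {user_id} not found, nothing changed")
    return conflicts


if __name__ == "__main__":
    admin = "fdfc627c-d875-11e0-90f0-83df133b58cc"
    db = make_db()
    print("colliding rows:", find_conflicts(db, admin, "internal-authz"))
    print("bare UPDATE   :", naive_rename(db, admin, "internal-authz"))
    print("removed       :", rename_with_cleanup(db, admin, "internal-authz"))
    print("admin rows now:", db.execute(
        "SELECT user_id, domain FROM users WHERE username = 'admin'").fetchall())
```

The model does not cover the running engine re-creating the duplicate row, which is why the thread's revised steps stop ovirt-engine before touching the table.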
