On 06/22/2016 05:21 PM, Julián Tete wrote:
S-O-L-V-E-D!!!

You are a Wizard Ondra Machacek!!!

Thank you very much !!! How Apache says: "It works"

Great! You are welcome


A have a question for you

In the command

su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\"

What's the meaning of:

0000001b-001b-001b-001b-00000000029f

This one is id of permission. It's auto generated.


00000000-0000-0000-0000-000000000001

This one is id of role. This is id of SuperUser as you can see by running:

 select * from roles;


aaa00000-0000-0000-0000-123456789aaa

This one is object id, in this case it's id of system.


1

This one represent object type, it is number that represent some object for example 1 represent
system object, number 2 represent Vm, number 3 Host... etc


¿?

Thanks again


2016-06-22 5:22 GMT-05:00 Ondra Machacek <omach...@redhat.com
<mailto:omach...@redhat.com>>:

    On 06/21/2016 09:18 PM, Julián Tete wrote:

        Roger Ondra!

        1) su - postgres -c "psql -t engine -c \"delete from users where
        user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""

        Output:

        DELETE 1

        2) su - postgres -c "psql -t engine -c \"UPDATE users set
        domain='internal-authz'  where
        user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""

        Output:

        ERROR:  duplicate key value violates unique constraint
        "users_domain_external_id_unique"
        DETAIL:  Key (domain, external_id)=(internal-authz,
        fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.


    OK, this is really strange, because this shouldn't be printed as you
    removed all contraints in step 1).

    So, can you please first stop ovirt-engine, before running steps
    above? So the steps now
    would be:

     1) service ovirt-engine stop

     2) remove admin@internal-authz
    (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note id
    changed, from last time) If there is more admin users with domain
    internal-authz, please
    remove them all.
          $ su - postgres -c "psql -t engine -c \"delete from users
    where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""

     3) rename admin@internal to admin@internal-authz
          $ su - postgres -c "psql -t engine -c \"UPDATE users set
    domain='internal-authz'  where
    user_id='fdfc627c-d875-11e0-90f0-83df133b58cc;\""

      4) service ovirt-engine start


        3) systemctl restart ovirt-engine.service

        No login yet :(

        Look at this:

        ovirt-aaa-jdbc-tool user show admin

        Output:
        -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
        Namespace: *
        Name: admin
        ID: fdfc627c-d875-11e0-90f0-83df133b58cc
        Display Name:
        Email:
        First Name: admin
        Last Name:
        Department:
        Title:
        Description:
        Account Disabled: false
        Account Unlocked At: 1970-01-01 00:00:00Z
        Account Valid From: 2015-10-01 00:00:00Z
        Account Valid To: 2100-01-01 00:00:00Z
        Account Without Password: false
        Last successful Login At: 2016-06-21 19:15:59Z
        Last unsuccessful Login At: 2016-06-20 17:33:24Z
        Password Valid To: 2100-01-01 00:00:00Z

        su - postgres -c "psql -t engine -c \"select * from users;\""

        Output:

         fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |               |
        internal             | admin    |            |
        |      | t                       |
        fdfc627c-d875-11e0-90f0-83df133b58cc
        | 2015-09-19 21:38:44.838161-
        05 | 2016-06-18 20:42:18.883738-05 | *
         16f666bb-b4c8-44c9-8264-30c3aff63a6e |        | Administrator |
        udistritaloas.edu.co <http://udistritaloas.edu.co>
        <http://udistritaloas.edu.co> | admin
        |            |                         |      | f
        | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19 11:53:39.249812-
        05 | 2016-06-19 12:24:41.590162-05 <tel:41.590162-05> | *
         c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete          |
        internal-authz       | julian   |            |
        danteconra...@gmail.com <mailto:danteconra...@gmail.com>
        <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>> |      | f                       |
        1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-
        05 | 2016-06-20 11:23:19.261686-05 | *
         c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin  |               |
        internal-authz       | admin    |            |
        |      | f                       |
        fdfc627c-d875-11e0-90f0-83df133b58cc
        | 2016-06-21 13:54:07.765767-
        05 | 2016-06-21 14:15:59.352697-05 | *


        su - postgres -c "psql -t engine -c \"select * from permissions;\""

        Output:

         00000004-0004-0004-0004-00000000025e |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000000-0000-0000-0000-000000000000 |              4 |
        1447535033
         0000000f-000f-000f-000f-000000000293 |
        def0000a-0000-0000-0000-def000000010 |
        eee00000-0000-0000-0000-123456789eee |
        0000000e-000e-000e-000e-0000000002d6 |             27 |
        1447535033
         00000003-0003-0003-0003-00000000009c |
        00000000-0000-0000-0000-000000000001 |
        fdfc627c-d875-11e0-90f0-83df133b58cc |
        aaa00000-0000-0000-0000-123456789aaa |              1 |
        1447535033
         00000006-0006-0006-0006-0000000000e3 |
        00000000-0000-0000-0001-000000000002 |
        fdfc627c-d875-11e0-90f0-83df133b58cc |
        aaa00000-0000-0000-0000-123456789aaa |              1 |
        1447535033
         00000011-0011-0011-0011-0000000002a9 |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000010-0010-0010-0010-0000000001d1 |              4 |
        1447535033
         00000013-0013-0013-0013-00000000031e |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000012-0012-0012-0012-0000000001c6 |              4 |
        1447535033
         00000015-0015-0015-0015-0000000003b8 |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000014-0014-0014-0014-0000000002fd |              4 |
        1447535033
         00000017-0017-0017-0017-000000000388 |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000016-0016-0016-0016-0000000002b0 |              4 |
        1447535033
         00000019-0019-0019-0019-0000000003d5 |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        00000018-0018-0018-0018-000000000314 |              4 |
        1447535033
         00000027-0027-0027-0027-00000000027e |
        def00021-0000-0000-0000-def000000015 |
        eee00000-0000-0000-0000-123456789eee |
        aaa00000-0000-0000-0000-123456789aaa |              1 |
        1447535037
         7a3917ea-b2df-444f-938c-f768feeaee04 |
        def00009-0000-0000-0000-def000000009 |
        eee00000-0000-0000-0000-123456789eee |
        8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
        1457665842
         e8abc833-b860-451c-b580-780c7d1049d4 |
        def0000a-0000-0000-0000-def00000000f |
        fdfc627c-d875-11e0-90f0-83df133b58cc |
        8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
        1457665842
         c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
        def0000a-0000-0000-0000-def00000000b |
        fdfc627c-d875-11e0-90f0-83df133b58cc |
        9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
        1463161875




        2016-06-21 13:30 GMT-05:00 Ondra Machacek <omach...@redhat.com
        <mailto:omach...@redhat.com>
        <mailto:omach...@redhat.com <mailto:omach...@redhat.com>>>:


            On 06/21/2016 04:54 PM, Julián Tete wrote:

                That's right I remove internal properties :/

                This is the output of the commands:

                */usr/share/ovirt-engine/bin/o**virt-engine-role.sh
        --command=add
                --user-name=admin --authz-name=internal-authz
        --role=SuperUser

                *
                *Output:
                *

                FATAL: Please specify provider namespace


            You don't have to run it, I've just send it for a future
        reference :)
            But if you for example want to add SuperUser permissions to user
            'julian', you can run:

              /usr/share/ovirt-engine/bin/ovirt-engine-role.sh --command=add
            --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
            --role=SuperUser --user-name=julian --authz-name=internal-authz
            --principal-namespace=*

            And you don't need admin@internal-authz user.


                *su - postgres -c "psql -t engine -c \"select * from
        users;\""

                *
                *Output:*

                fdfc627c-d875-11e0-90f0-83df133b58cc | admin  |
             |
                internal             | admin    |            |
                |      | t                       |
                fdfc627c-d875-11e0-90f0-83df133b58cc
                | 2015-09-19 21:38:44.838161-
                05 | 2016-06-18 20:42:18.883738-05 | *
                 16f666bb-b4c8-44c9-8264-30c3aff63a6e |        |
        Administrator |
                udistritaloas.edu.co <http://udistritaloas.edu.co>
        <http://udistritaloas.edu.co>
                <http://udistritaloas.edu.co> | admin
                |            |                         |      | f
                | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
        11:53:39.249812-
                05 | 2016-06-19 12:24:41.590162-05 <tel:41.590162-05>
        <tel:41.590162-05 <tel:41.590162-05>> | *
                 c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete
              |
                internal-authz       | julian   |            |
                danteconra...@gmail.com <mailto:danteconra...@gmail.com>
        <mailto:danteconra...@gmail.com <mailto:danteconra...@gmail.com>>
                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>

                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>>> |      | f
           |
                1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20
        11:22:56.483292-
                05 | 2016-06-20 11:23:19.261686-05 | *
                 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin  |
               |
                internal-authz       | admin    |            |
                |      | f                       |
                fdfc627c-d875-11e0-90f0-83df133b58cc
                | 2016-06-19 11:43:51.644981-
                05 | 2016-06-20 16:06:49.138862-05 | *
                *
                su - postgres -c "psql -t engine -c \"select * from
        permissions;\""


            Ok, according to current status I would suggest you to:

             1) remove admin@internal-authz
        (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
                  $ su - postgres -c "psql -t engine -c \"delete from users
            where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""

              2) rename admin@internal to admin@internal-authz
                  $ su - postgres -c "psql -t engine -c \"UPDATE users set
            domain='internal-authz'  where
            user_id='fdfc627c-d875-11e0-90f0-83df133b58cc;\""

            Then restart ovirt-engine and try to login.

            The problem here is that it tries to login with admin user which
            don't have any permissions, and
            you have two admin users, because you have removed
            internal-*properties files, so it added
            another one.


                *
                *Otput:
                *


                 00000004-0004-0004-0004-00000000025e |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000000-0000-0000-0000-000000000000 |              4 |
                1447535033
                 0000000f-000f-000f-000f-000000000293 |
                def0000a-0000-0000-0000-def000000010 |
                eee00000-0000-0000-0000-123456789eee |
                0000000e-000e-000e-000e-0000000002d6 |             27 |
                1447535033
                 00000003-0003-0003-0003-00000000009c |
                00000000-0000-0000-0000-000000000001 |
                fdfc627c-d875-11e0-90f0-83df133b58cc |
                aaa00000-0000-0000-0000-123456789aaa |              1 |
                1447535033
                 00000006-0006-0006-0006-0000000000e3 |
                00000000-0000-0000-0001-000000000002 |
                fdfc627c-d875-11e0-90f0-83df133b58cc |
                aaa00000-0000-0000-0000-123456789aaa |              1 |
                1447535033
                 00000011-0011-0011-0011-0000000002a9 |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000010-0010-0010-0010-0000000001d1 |              4 |
                1447535033
                 00000013-0013-0013-0013-00000000031e |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000012-0012-0012-0012-0000000001c6 |              4 |
                1447535033
                 00000015-0015-0015-0015-0000000003b8 |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000014-0014-0014-0014-0000000002fd |              4 |
                1447535033
                 00000017-0017-0017-0017-000000000388 |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000016-0016-0016-0016-0000000002b0 |              4 |
                1447535033
                 00000019-0019-0019-0019-0000000003d5 |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                00000018-0018-0018-0018-000000000314 |              4 |
                1447535033
                 00000027-0027-0027-0027-00000000027e |
                def00021-0000-0000-0000-def000000015 |
                eee00000-0000-0000-0000-123456789eee |
                aaa00000-0000-0000-0000-123456789aaa |              1 |
                1447535037
                 7a3917ea-b2df-444f-938c-f768feeaee04 |
                def00009-0000-0000-0000-def000000009 |
                eee00000-0000-0000-0000-123456789eee |
                8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
                1457665842
                 e8abc833-b860-451c-b580-780c7d1049d4 |
                def0000a-0000-0000-0000-def00000000f |
                fdfc627c-d875-11e0-90f0-83df133b58cc |
                8fa947f7-c698-4661-aea4-a093bbd0ba0b |              4 |
                1457665842
                 c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
                def0000a-0000-0000-0000-def00000000b |
                fdfc627c-d875-11e0-90f0-83df133b58cc |
                9881e686-90d0-4da3-85b4-b8a1b3638396 |             19 |
                1463161875


                2016-06-21 9:18 GMT-05:00 Ondra Machacek
        <omach...@redhat.com <mailto:omach...@redhat.com>
                <mailto:omach...@redhat.com <mailto:omach...@redhat.com>>
                <mailto:omach...@redhat.com <mailto:omach...@redhat.com>
        <mailto:omach...@redhat.com <mailto:omach...@redhat.com>>>>:


                    On 06/20/2016 08:33 PM, Julián Tete wrote:

                        Thanks Ondra :)

                        With the command:

                        su - postgres -c "psql -t engine -c \"insert into
                permissions values
                        ('0000001b-001b-001b-001b-00000000029f',
                        '00000000-0000-0000-0000-000000000001',
                        'fdfc627c-d875-11e0-90f0-83df133b58cc',
                        'aaa00000-0000-0000-0000-123456789aaa', 1);\""


                    I've just remembered, that there is bash script for it:

                     /usr/share/ovirt-engine/bin/ovirt-engine-role.sh

                    You can use it as follows:

                     /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
        --command=add
                    --user-name=admin --authz-name=internal-authz
        --role=SuperUser

                    But, as per your output above, obviously your
        problem is not
                missing
                    permissions.
                    I think the problem is that you removed
        internal*.properties
                files
                    and then re-add it.
                    Can you please send output of users table and
        permissions
                table. Thanks.

                     su - postgres -c "psql -t engine -c \"select * from
        users;\""
                     su - postgres -c "psql -t engine -c \"select * from
                permissions;\""

                        I get:

                        ERROR:  duplicate key value violates unique
        constraint
                        "idx_combined_ad_role_object"
                        DETAIL:  Key (ad_element_id, role_id,
                        object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
                        00000000-0000-0000-0000-000000000001,
                        aaa00000-0000-0000-0000-123456789aaa) already
        exists.

                        History

                          261  yum install ovirt-engine-extension-aaa-ldap
                          262  cp -r


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
                        /etc/ovirt-engine/
                          263  cd /etc/ovirt-engine/
                          264  ll
                          265  vim profile1.properties
                          266  ll
                          267  cd cp


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
                        /etc/ovirt-engine/extensions.d/
                          268  cd cp
                /usr/share/ovirt-engine-extension-aaa-ldap/examples/
                          269  cd


        /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
                          270  ll
                          271  cp


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
                        /etc/ovirt-engine/extensions.d/
                          272  cd /etc/ovirt-engine/extensions.d/
                          273  ll
                          274  find / -type f -iname profile1.properties
                          275  cp -r


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
                        /etc/ovirt-engine/aaa/
                          276  find / -type f -iname profile1.properties
                          277  vim /etc/ovirt-engine/aaa/profile1.properties
                          278  chown ovirt:ovirt
                /etc/ovirt-engine/aaa/profile1.properties
                          279  chmod 600
        /etc/ovirt-engine/aaa/profile1.properties
                          280  systemctl restart ovirt-engine
                          281  vim
                /etc/ovirt-engine/extensions.d/profile1-authn.properties
                          282  cd /usr/share/
                          283  ls
                          284  cd ovirt-engine-aaa-ldap
                          285  ls
                          286  cd ovirt-engine-extension-aaa-ldap/
                          287  ls
                          288  cd examples/
                          289  ls
                          290  cd ad
                          291  ls
                          292  cd extensions.d/
                          293  ls
                          294  vim profile1-authn.properties
                          295  pwd
                          296  cd ..
                          297  pwd
                          298  cd ..
                          299  ls
                          300  cd simple
                          301  ls
                          302  cd aaa/
                          303  ls
                          304  vim profile1.properties
                          305  pwd
                          306  rm -rf
        /etc/ovirt-engine/aaa/profile1.properties
                          307  cp -r


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
                        /etc/ovirt-engine/aaa/
                          308  vim /etc/ovirt-engine/aaa/profile1.properties
                          309  history
                          310  chown ovirt:ovirt
                /etc/ovirt-engine/aaa/profile1.properties
                          311  chmod 600
        /etc/ovirt-engine/aaa/profile1.properties
                          312  systemctl restart ovirt-engine
                          313  updatedb
                          314  locate domain1-authn.properties
                          315  history
                          316  cd


        /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
                          317  ll
                          318  cd

        /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
                          319  ls
                          320  cd extensions.d/
                          321  ls
                          322  pwd
                          323  cd /etc/ovirt-engine/extensions.d/
                          324  ls
                          325  cp -r


        /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
                        /etc/ovirt-engine/extensions.d/
                          326   cp -r


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
                        /etc/ovirt-engine/extensions.d/
                          327  rm -rf

        /etc/ovirt-engine/extensions.d/profile1-authn.properties
                          328  rm -rf

        /etc/ovirt-engine/extensions.d/profile1-authz.properties
                          329   cp -r


        
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
                        /etc/ovirt-engine/extensions.d/
                          330  ll
                          331  history
                          332  chown ovirt:ovirt
        /etc/ovirt-engine/extensions.d/*
                          333  chmod 600 /etc/ovirt-engine/extensions.d/*
                          334  ll
                          335  cd extensions.d/
                          336  ll
                          337  cd
                          338  engine-config -s SASL_QOP=auth
                          339  systemctl restart ovirt-engine
                          340  engine-manage-domains add
                --domain=udistritaloas.edu.co
        <http://udistritaloas.edu.co> <http://udistritaloas.edu.co>
                        <http://udistritaloas.edu.co>
                        <http://udistritaloas.edu.co> --provider=ipa
        --user=admin
                        --ldap-servers=freeipa.udistritaloas.edu.co
        <http://freeipa.udistritaloas.edu.co>
                <http://freeipa.udistritaloas.edu.co>
                        <http://freeipa.udistritaloas.edu.co>
                        <http://freeipa.udistritaloas.edu.co>
                          341  systemctl restart ovirt-engine
                          342  engine-manage-domains list
                          343  history
                          344  cd /etc/ovirt-engine/extensions.d/
                          345  ll
                          346  rm -rf internal-authn.properties
                          347  rm -rf internal-authz.properties
                          348  rm -rf profile1-authn.properties
                          349  rm -rf profile1-authz.properties
                          350  history
                          351  cd /etc/ovirt-engine/aaa/
                          352  ll
                          353  rm -rf profile1.properties
                          354  vim internal.properties
                          355  systemctl restart ovirt-engine
                          356  ovirt-aaa-jdbc-tool user edit admin
                        --account-valid-to="2100-01-01 00:00:00Z"
                          357  ovirt-aaa-jdbc-tool user password-reset admin
                        --password-valid-to="2100-01-01 00:00:00Z"
                          358  engine-config -s AdminPassword=interactive
                          359  ovirt-aaa-jdbc-tool user password-reset admin
                        --password-valid-to="2100-01-01 00:00:00Z"
                          360  systemctl restart ovirt-engine
                          361  exit
                          362  cd /etc/ovirt-engine/aaa/
                          363  ll
                          364  vim internal.properties
                          365  /etc/ovirt-engine/extensions.d/
                          366  cd /etc/ovirt-engine/extensions.d/
                          367  ll
                          368  cd extensions.d/
                          369  ll
                          370  pwd
                          371  ll
                          372  cd ..
                          373  ll
                          374  cd ..
                          375  ll
                          376  cd /etc/ovirt-engine/extensions.d/
                          377  ll
                          378  cd extensions.d/
                          379  ll
                          380  pwd
                          381  ll
                          382  cd ..
                          383  ll
                          384  systemctl restart ovirt-engine.service
                          385  ovirt-aaa-jdbc-tool user edit admin
                        --account-valid-to="2100-01-01 00:00:00Z"
                          386  ovirt-aaa-jdbc-tool user password-reset admin
                        --password-valid-to="2100-01-01 00:00:00Z"
                          387  systemctl restart ovirt-engine.service
                          388  ovirt-aaa-jdbc-tool user password-reset
                admin@internal
                        --password-valid-to="2100-01-01 00:00:00Z"
                          389  yum install -y
        ovirt-engine-extension-aaa-jdbc
                          390  engine-setup
                          391  ovirt-aaa-jdbc-tool user show admin
                          392  ovirt-aaa-jdbc-tool settings show
                          393  cd /var/log
                          394  ll
                          395  cd ovirt-engine
                          396  ll
                          397  tail -f n 100 ui.log
                          398  ll
                          399  tail -f -n engine.log
                          400  tail -f -n 1000 engine.log
                          401  tail -n 5000 engine.log | grep admin@internal
                          402  ovirt-aaa-jdbc-tool user show admin
                          403  ovirt-aaa-jdbc-tool user show admin@internal
                          404  ovirt-aaa-jdbc-tool query --what=user
                          405  engine-config -s AdminPassword=interactive
                          406  vim
                /etc/ovirt-engine/extension.d/internal-authn.properties
                          407  vim
                /etc/ovirt-engine/extensions.d/internal-authn.properties
                          408  cd /etc/ovirt-engine/extensions.d/
                          409  ll
                          410  vim /etc/ovirt-engine/aaa/internal.properties
                          411  cd /etc/ovirt-engine/aaa/
                          412  ll
                          413  vim internal.properties
                          414  pwd
                          415  ovirt-aaa-jdbc-tool user add julian
                        --attribute=firstName=Julian
         --attribute=lastName=Tete
                        --attribute=email=danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>
                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>>
                        <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>
                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>>>
                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com> <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>>
                        <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>
                <mailto:danteconra...@gmail.com
        <mailto:danteconra...@gmail.com>>>>
                          416  ovirt-aaa-jdbc-tool user password-reset
        julian
                        --password-valid-to="2025-08-15 10:30:00Z"
                          417  history
                          418  tail -n 5000 engine.log | grep admin@internal
                          419  tail -n 5000
        /var/log/ovirt-engine/engine.log | grep
                        admin@internal
                          420  ovirt-aaa-jdbc-tool user edit admin
                        --account-valid-from="2015-10-01 00:00:00Z"
                          421  ovirt-aaa-jdbc-tool user password-reset
        admin --force
                        --password-valid-to="2100-01-01 00:00:00Z"
                          422  systemctl restart ovirt-engine.service
                          423  history
                          424  ovirt-aaa-jdbc-tool query --what=user
                          425  updatedb
                          426  locate internal
                          427  yum install -y ovirt-engine-cli
                          428  cd /opt
                          429  cd /opt/



                        2016-06-20 13:24 GMT-05:00 Ondra Machacek
                <omach...@redhat.com <mailto:omach...@redhat.com>
        <mailto:omach...@redhat.com <mailto:omach...@redhat.com>>
                        <mailto:omach...@redhat.com
        <mailto:omach...@redhat.com> <mailto:omach...@redhat.com
        <mailto:omach...@redhat.com>>>
                        <mailto:omach...@redhat.com
        <mailto:omach...@redhat.com> <mailto:omach...@redhat.com
        <mailto:omach...@redhat.com>>
                <mailto:omach...@redhat.com <mailto:omach...@redhat.com>
        <mailto:omach...@redhat.com <mailto:omach...@redhat.com>>>>>:



                            On 06/20/2016 06:36 PM, Julián Tete wrote:

                                oVirt: 3.6.2

                                Trying to use:




        https://github.com/machacekondra/ovirt-engine-kerbldap-migration

                                First use:

                                engine-manage-domains add
                --domain=udistritaloas.edu.co
        <http://udistritaloas.edu.co> <http://udistritaloas.edu.co>
                        <http://udistritaloas.edu.co>
                                <http://udistritaloas.edu.co>
                                <http://udistritaloas.edu.co> --provider=ipa
                --user=admin

        --ldap-servers=freeipa.udistritaloas.edu.co
        <http://freeipa.udistritaloas.edu.co>
                <http://freeipa.udistritaloas.edu.co>
                        <http://freeipa.udistritaloas.edu.co>
                                <http://freeipa.udistritaloas.edu.co>
                                <http://freeipa.udistritaloas.edu.co>


                                The domain was added, but a I can't
        access to the
                        webadmin portal :/

                                I get the message:

                                "User is not authorized to perform this
        action."

                                In ovirt-cli

                                [401] - Unauthorized

                                tail -n 5000
        /var/log/ovirt-engine/engine.log | grep
                        admin@internal

                                2016-06-20 10:52:22,835 ERROR



        [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
                                (default task-32) [] Correlation ID:
        null, Call
                Stack:
                        null, Custom
                                Event ID: -1, Message: User admin@internal
                failed to log in.
                                2016-06-20 10:52:22,836 WARN

                [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
                        (default
                                task-32)
                                [] CanDoAction of action
        'LoginAdminUser' failed
                for user
                                admin@internal. Reasons:
                        USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                                2016-06-20 11:00:37,679 ERROR



        [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
                                (default task-3) [] Correlation ID:
        null, Call
                Stack: null,
                                Custom Event
                                ID: -1, Message: User admin@internal
        failed to
                log in.
                                2016-06-20 11:00:37,679 WARN

        [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
                        (default task-3) []
                                CanDoAction of action 'LoginUser' failed
        for user
                        admin@internal.
                                Reasons:
        USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
                                2016-06-20 11:01:04,016 ERROR



        [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
                                (default task-4) [] Correlation ID:
        null, Call
                Stack: null,
                                Custom Event
                                ID: -1, Message: User admin@internal
        failed to
                log in.
                                2016-06-20 11:01:04,016 WARN

        [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
                        (default task-4) []
                                CanDoAction of action 'LoginUser' failed
        for user
                        admin@internal.
                                Reasons:
        USER_NOT_AUTHORIZED_TO_PERFORM_ACTION


                            I am little bit lost, what was your steps,
        to get
                into this
                        state,
                            but it looks that your admin@internal user was
                removed SuperUser
                            permissions, I am really not sure how could
        you achieve
                        that, but to
                            fix it please run following command:

                             $ su - postgres -c "psql -t engine -c
        \"insert into
                permissions
                            values ('0000001b-001b-001b-001b-00000000029f',
                            '00000000-0000-0000-0000-000000000001',
                            'fdfc627c-d875-11e0-90f0-83df133b58cc',
                            'aaa00000-0000-0000-0000-123456789aaa', 1);\""

                            This command will add your admin@internal
        SuperUser
                        permissions on
                            system.

                            Can you please describe what have you done a bit
                more, so we can
                            understand the problem?

                            Thanks.


                                Properties of Internal domain:

                                cat
        /etc/ovirt-engine/aaa/internal.properties

                                ovirt.engine.extension.name
        <http://ovirt.engine.extension.name>
                <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                                <http://ovirt.engine.extension.name> =
                                internal-authn
                                ovirt.engine.extension.bindings.method =
        jbossmodule

        ovirt.engine.extension.binding.jbossmodule.module =
                                org.ovirt.engine.extension.aaa.jdbc

        ovirt.engine.extension.binding.jbossmodule.class =



        org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                                ovirt.engine.extension.provides =
                                org.ovirt.engine.api.extensions.aaa.Authn
                                ovirt.engine.aaa.authn.profile.name
        <http://ovirt.engine.aaa.authn.profile.name>
                <http://ovirt.engine.aaa.authn.profile.name>
                        <http://ovirt.engine.aaa.authn.profile.name>
                                <http://ovirt.engine.aaa.authn.profile.name>

        <http://ovirt.engine.aaa.authn.profile.name> =
                internal
                                ovirt.engine.aaa.authn.authz.plugin =
        internal-authz
                                config.datasource.file =
                        /etc/ovirt-engine/aaa/internal.properties

                                cat
                /etc/ovirt-engine/extensions.d/internal-authn.properties

                                ovirt.engine.extension.name
        <http://ovirt.engine.extension.name>
                <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                                <http://ovirt.engine.extension.name> =
                                internal-authn
                                ovirt.engine.extension.bindings.method =
        jbossmodule

        ovirt.engine.extension.binding.jbossmodule.module =
                                org.ovirt.engine.extension.aaa.jdbc

        ovirt.engine.extension.binding.jbossmodule.class =



        org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
                                ovirt.engine.extension.provides =
                                org.ovirt.engine.api.extensions.aaa.Authn
                                ovirt.engine.aaa.authn.profile.name
        <http://ovirt.engine.aaa.authn.profile.name>
                <http://ovirt.engine.aaa.authn.profile.name>
                        <http://ovirt.engine.aaa.authn.profile.name>
                                <http://ovirt.engine.aaa.authn.profile.name>

        <http://ovirt.engine.aaa.authn.profile.name> =
                internal
                                ovirt.engine.aaa.authn.authz.plugin =
        internal-authz
                                config.datasource.file =
                        /etc/ovirt-engine/aaa/internal.properties

                                cat
                /etc/ovirt-engine/extensions.d/internal-authz.properties

                                ovirt.engine.extension.name
        <http://ovirt.engine.extension.name>
                <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                        <http://ovirt.engine.extension.name>
                                <http://ovirt.engine.extension.name> =

                                internal-authz
                                ovirt.engine.extension.bindings.method =
        jbossmodule

        ovirt.engine.extension.binding.jbossmodule.module =
                                org.ovirt.engine.extension.aaa.jdbc

        ovirt.engine.extension.binding.jbossmodule.class =



        org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
                                ovirt.engine.extension.provides =
                                org.ovirt.engine.api.extensions.aaa.Authz
                                config.datasource.file =
                        /etc/ovirt-engine/aaa/internal.properties

                                Properties of admin@internal user:

                                ovirt-aaa-jdbc-tool user show admin

                                -- User
                admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
                                Namespace: *
                                Name: admin
                                ID: fdfc627c-d875-11e0-90f0-83df133b58cc
                                Display Name:
                                Email:
                                First Name: admin
                                Last Name:
                                Department:
                                Title:
                                Description:
                                Account Disabled: false
                                Account Unlocked At: 1970-01-01 00:00:00Z
                                Account Valid From: 2015-10-01 00:00:00Z
                                Account Valid To: 2100-01-01 00:00:00Z
                                Account Without Password: false
                                Last successful Login At: 2016-06-20
        16:01:03Z
                                Last unsuccessful Login At: 2016-06-19
        16:53:07Z
                                Password Valid To: 2100-01-01 00:00:00Z

                                ¿ Can I assign privilegies to the user ?
        ¿ Any
                idea ?



        _______________________________________________
                                Users mailing list
                                Users@ovirt.org <mailto:Users@ovirt.org>
        <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>
                <mailto:Users@ovirt.org <mailto:Users@ovirt.org>
        <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>
                        <mailto:Users@ovirt.org <mailto:Users@ovirt.org>
        <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>
                <mailto:Users@ovirt.org <mailto:Users@ovirt.org>
        <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>>

        http://lists.ovirt.org/mailman/listinfo/users





_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to