I created https://bugzilla.redhat.com/1568413 to track the issue.
On Thu, 12 Apr 2018 13:57:45 +0200 Martin Perina <mper...@redhat.com> wrote: > On Thu, Apr 12, 2018 at 1:04 PM, Martin Perina <mper...@redhat.com> > wrote: > > > > > > > On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <era...@redhat.com> > > wrote: > >> The recurring denied access for every SyncNetworkProvider might be > >> because you changed the admin password on the engine but not on the > >> provider. > >> > >> Dominik, will updating to the same password on the provider solve > >> the denied access? > >> Martin, does the engine lock out the admin user for failed retries? > >> > > > > Of course, after 5 incorrect logins the account is locked. But I > > looked at logs and I can't see any login errors, so currently > > trying to reproduce to find out what's going on ... > > > > OK, so confirmed. If you change password for admin@internal using > aaa-jdbc-tool and you don't change immediately for OVN provider, then > admin@interal account is locked. > > We should probably change logic in OVN provider to shutdown the OVN > provider service if authentication failure to engine is raised. Using > this we will break OVN provider, but > it seems to me much less severe than locking admin@internal account. > Dominik, what do you think? > > > > > > > > > > >> > >> > >> HTH > >> > >> > >> On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel < > >> marcel.kae...@putzbrunn.de> wrote: > >> > >>> Here are the logfiles… > >>> > >>> > >>> > >>> Thanks > >>> > >>> > >>> > >>> *Von:* Eitan Raviv [mailto:era...@redhat.com] > >>> *Gesendet:* Donnerstag, 12. April 2018 11:12 > >>> *An:* Käfer Marcel > >>> *Cc:* users@ovirt.org; Martin Perina > >>> *Betreff:* Re: [ovirt-users] admin account constantly gets locked > >>> > >>> > >>> > >>> The sync network command is probably unrelated. > >>> > >>> Can you attach the full engine and the setup logs? > >>> > >>> Martin, this looks a bit like [1]. Any idea? > >>> > >>> Thanks > >>> > >>> > >>> > >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1410955 > >>> > >>> > >>> > >>> On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel < > >>> marcel.kae...@putzbrunn.de> wrote: > >>> > >>> Hello, > >>> > >>> a few days ago I installed an ovirt-engine 4.2.2.6 following the > >>> steps of the documentation. After the installation I logged in to > >>> the admin page, configured a datadomain and changed the admin > >>> password. After a few hours I tried to login again, using the new > >>> password and got "Unable to log in because the user account is > >>> disabled or locked. Contact the system administrator." So I > >>> unlocked the admin account from the shell using > >>> "ovirt-aaa-jdbc-tool user unlock admin" which worked fine and I > >>> was able to continue working till the next login. > >>> > >>> I traced the /var/log/ovirt-engine/engine.log and found this after > >>> unlocking the admin account again. > >>> > >>> 2018-04-12 09:06:19,984+02 INFO [org.ovirt.engine.core.bll.pro > >>> vider.network.SyncNetworkProviderCommand] > >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] > >>> Lock Acquired to object > >>> 'EngineLock:{exclusiveLocks='[ > >>> e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', > >>> sharedLocks=''}' 2018-04-12 09:06:19,991+02 INFO > >>> [org.ovirt.engine.core.bll.pro > >>> vider.network.SyncNetworkProviderCommand] > >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] > >>> Running command: SyncNetworkProviderCommand internal: true. > >>> 2018-04-12 09:06:20,102+02 INFO > >>> [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] > >>> (default task-239) [] locking user: admin due to interval > >>> failures 2018-04-12 09:06:25,046+02 ERROR > >>> [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) [] > >>> OAuthException access_denied: Cannot authenticate user > >>> 'admin@internal': The username or password is incorrect.. > >>> 2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.pro > >>> vider.network.SyncNetworkProviderCommand] > >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] > >>> Command 'org.ovirt.engine.core.bll.pro > >>> vider.network.SyncNetworkProviderCommand' failed: > >>> EngineException: (Failed with error Unauthorized and code 5050) > >>> 2018-04-12 09:06:25,050+02 INFO [org.ovirt.engine.core.bll.pro > >>> vider.network.SyncNetworkProviderCommand] > >>> (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] > >>> Lock freed to object > >>> 'EngineLock:{exclusiveLocks='[ > >>> e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', > >>> sharedLocks=''}' > >>> > >>> It seems like the SyncNetworkProviderCommand is somehow locking > >>> the admin account. I already restarted the whole machine but it > >>> didn't help. > >>> > >>> Can someone please point me in the right direction, where to find > >>> the error? > >>> > >>> Thanks in advance > >>> > >>> > >>> _______________________________________________ > >>> Users mailing list > >>> Users@ovirt.org > >>> http://lists.ovirt.org/mailman/listinfo/users > >>> > >>> > >>> > >>> > >>> -- > >>> > >>> Eitan Raviv > >>> IRC: erav (#ovirt #vdsm #devel #rhev-dev) > >>> > >> > >> > >> > >> -- > >> Eitan Raviv > >> IRC: erav (#ovirt #vdsm #devel #rhev-dev) > >> > > > > > > > > -- > > Martin Perina > > Associate Manager, Software Engineering > > Red Hat Czech s.r.o. > > > > > _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users