It looks like the issue was caused by a new admin account being created
in the internal-authz domain.  Here is what the engine logs show.

2018-05-30 11:15:21,893-04 INFO 
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9)
[] User admin@internal successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access

2018-05-30 11:15:22,175-04 INFO 
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
task-11) [77362b19] Running command: CreateUserSessionCommand internal:
false.

2018-05-30 11:15:22,252-04 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
admin@internal-authz connecting from '10.209.44.27' failed to log
in<UNKNOWN>.

2018-05-30 11:15:22,253-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-11) [] The user admin@internal is not authorized to perform login

I was able to log in after updating the permissions table to use the new
user ID as follows.

update permissions set ad_element_id = (select user_id from users where
domain = 'internal-authz' and username = 'admin') where ad_element_id =
(select user_id from users where domain = 'internal' and username =
'admin') ;

Despite this, the ovirt-aaa-jdbc-tool still shows the wrong user ID when
querying the admin account.  For example:

[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z

Is there a way to resolve this conflict?  Where does the
admin@internal-authz account come from?  I tried renaming the account
but it is recreated every time that the engine is restarted.


On 05/29/2018 04:31 PM, Alex K wrote:
> Are you using engine IP to log in? Perhaps the sso default file was
> overwritten?
>
> Alex
>
> On Tue, May 29, 2018, 20:32 Michael Watters <watte...@watters.ws
> <mailto:watte...@watters.ws>> wrote:
>
>     I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
>     release and the admin account is no longer able to log in.  After
>     entering the user name and password I receive a message that
>     states "The
>     user admin@internal is not authorized to perform login".
>
>     Is there a way to resolve this?  Resetting the password did not work.
>     _______________________________________________
>     Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
>     To unsubscribe send an email to users-le...@ovirt.org
>     <mailto:users-le...@ovirt.org>
>     Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>     oVirt Code of Conduct:
>     https://www.ovirt.org/community/about/community-guidelines/
>     List Archives:
>     https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/
>
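
The log sequence in the message above (SSO accepts admin@internal, then the engine rejects admin@internal-authz a fraction of a second later) can be picked out of an engine log automatically. The following is an added example, not part of the original message or of oVirt; the function name and the 5-second window are assumptions, and the sample lines are constructed by joining the wrapped log entries above onto single lines with the scope list shortened.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the thread's wrapped log entries joined onto single
# lines, with the scope list shortened.
SAMPLE_LOG = """\
2018-05-30 11:15:21,893-04 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api
2018-05-30 11:15:22,252-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User admin@internal-authz connecting from '10.209.44.27' failed to log in<UNKNOWN>.
2018-05-30 11:15:22,253-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-11) [] The user admin@internal is not authorized to perform login
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})")
SSO_OK = re.compile(r"User (\S+)@(\S+) successfully logged in")
LOGIN_FAILED = re.compile(
    r"USER_VDC_LOGIN_FAILED\(114\), User (\S+)@(\S+) connecting from '([^']+)'")


def find_profile_mismatches(log_text, window=timedelta(seconds=5)):
    """Find SSO successes followed within `window` by an engine login
    failure for the same user name under a different domain.

    Returns a list of (time, sso_principal, engine_principal, source_ip).
    """
    last_sso = {}   # user name -> (timestamp, domain) of latest SSO success
    findings = []
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue    # continuation line or unrelated text
        ts = (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
              + timedelta(milliseconds=int(m.group(2))))
        ok = SSO_OK.search(line)
        if ok:
            last_sso[ok.group(1)] = (ts, ok.group(2))
            continue
        fail = LOGIN_FAILED.search(line)
        if fail and fail.group(1) in last_sso:
            seen, sso_domain = last_sso[fail.group(1)]
            # Same name, different domain, close in time: the engine looked
            # up a different user record than the one SSO authenticated.
            if ts - seen <= window and sso_domain != fail.group(2):
                findings.append((m.group(1),
                                 f"{fail.group(1)}@{sso_domain}",
                                 f"{fail.group(1)}@{fail.group(2)}",
                                 fail.group(3)))
    return findings


if __name__ == "__main__":
    for finding in find_profile_mismatches(SAMPLE_LOG):
        print(finding)
```

A hit means the authorization failure comes from a domain mismatch between the authenticated principal and the user record the engine checks permissions against, not from a bad password.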
