On Fri, 22 Mar 2019 10:49:08 +0100 Gianluca Cecchi <[email protected]> wrote:
> On Thu, Mar 21, 2019 at 3:46 PM Gianluca Cecchi <[email protected]>
> wrote:
>
> >
> > . . .
> >
> > I'm trying to add with name "MYOVN" from web admin gui: should I use
> > instead another name?
> >
> > Gianluca
> >
>
> Tried also this as detailed by Dominik, renewing certificates:
> https://www.mail-archive.com/[email protected]/msg53697.html
>
> Not understood what to do in step
> 2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous
> command in
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> "Use" in which way???
>

use as <my_secret_omitted> in
[OVIRT]
ovirt-sso-client-secret=<my_secret_omitted>

> I named with default "ovirt-provider-ovn" the OVN provider, after enabling
> debug in OVN I get this when I test the connection in web admin gui
>
> 2019-03-22 10:40:41,917 root From: ::ffff:10.4.192.43:44744 Request: POST
> /v2.0/tokens
> 2019-03-22 10:40:41,918 root Request body:
> {"auth": {"passwordCredentials": {"username": "admin@internal", "password":
> "<PASSWORD_HIDDEN>"}}}
> 2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's
> SSO module: https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token
> 2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's
> SSO module: https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token
> 2019-03-22 10:40:41,921 urllib3.connectionpool Starting new HTTPS
> connection (1): ovmgr1.mydomain
> 2019-03-22 10:40:46,961 urllib3.connectionpool https://ovmgr1.mydomain:443
> "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 400 148
> 2019-03-22 10:40:46,964 root From: ::ffff:10.4.192.43:44744 Request: POST
> /v2.0/tokens
> 2019-03-22 10:40:46,964 root Request body:
> {"auth": {"passwordCredentials": {"username": "admin@internal", "password":
> "<PASSWORD_HIDDEN>"}}}
> 2019-03-22 10:40:46,964 root Error during SSO authentication Cannot
> authenticate user 'admin@internal': Unable to log in. Verify your login
> information or contact the system administrator.. : access_denied
> Traceback (most recent call last):
>   File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 134,
> in _handle_request
>     method, path_parts, content
>   File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line
> 175, in handle_request
>     return self.call_response_handler(handler, content, parameters)
>   File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
> call_response_handler
>     return response_handler(content, parameters)
>   File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line
> 62, in post_tokens
>     user_password=user_password)
>   File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in
> create_token
>     return auth.core.plugin.create_token(user_at_domain, user_password)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line
> 48, in create_token
>     timeout=self._timeout())
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
> in create_token
>     username, password, engine_url, ca_file, timeout)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91,
> in _get_sso_token
>     timeout=timeout
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55,
> in wrapper
>     _check_for_error(response)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181,
> in _check_for_error
>     result['error'], details))
> Unauthorized: Error during SSO authentication Cannot authenticate user
> 'admin@internal': Unable to log in. Verify your login information or
> contact the system administrator.. : access_denied
>
> It seems I have not completely understood the link between SSO and
> admin@internal as a user for OVN authentication....
>

The ovirt-sso-client-id and ovirt-sso-client-secret are required to allow
ovirt-provider-ovn to connect to Engine's SSO for checking the user-visible
username, e.g. admin@internal, and password.
I guess you are already aware of the doc in
https://github.com/oVirt/ovirt-provider-ovn/#section-ovirt

ovirt-provider-ovn stores neither the user's (e.g. admin@internal) password
nor the session token; it is just forwarded to Engine's SSO to check for
validity.

If you are interested in the details, the session token is generated by
_get_sso_token in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plugins/ovirt/sso.py#L79
and validated by another method in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plugins/ovirt/sso.py#L125
where the ovirt-sso-client-id and ovirt-sso-client-secret are used as
client_id, client_secret.

In your case _get_sso_token is already failing, which does not use the
ovirt-sso-client-secret.
To solve this particular issue, the provider in oVirt web admin ui should use
the usual oVirt password for admin@internal.

> Gianluca
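
The diagnosis given in the reply above (a failure inside _get_sso_token concerns the forwarded user password, not the ovirt-sso-client-secret) can be checked mechanically against provider debug output. The following is an added example, not part of the original message or of ovirt-provider-ovn; the function name triage, the stage labels and the shortened sample log are assumptions made for illustration.

```python
import re

# Constructed sample: lines shortened and unwrapped from the debug log quoted above.
SAMPLE_LOG = '''\
2019-03-22 10:40:41,917 root From: ::ffff:10.4.192.43:44744 Request: POST /v2.0/tokens
2019-03-22 10:40:41,918 auth.plugins.ovirt.sso Connecting to oVirt engine's SSO module: https://ovmgr1.mydomain:443/ovirt-engine/sso/oauth/token
2019-03-22 10:40:46,961 urllib3.connectionpool https://ovmgr1.mydomain:443 "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 400 148
2019-03-22 10:40:46,964 root Error during SSO authentication Cannot authenticate user 'admin@internal': Unable to log in. Verify your login information or contact the system administrator.. : access_denied
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in _check_for_error
'''

# Engine SSO call as logged by urllib3: endpoint path and HTTP status.
HTTP_RE = re.compile(r'"POST (/ovirt-engine/sso/\S+) HTTP/1\.1" (\d{3})')
# Provider error line: user name and the trailing OAuth error code.
ERR_RE = re.compile(r"Cannot authenticate user '([^']+)'.* : (\w+)\s*$")
# Traceback frames that live in the provider's sso.py plugin.
FRAME_RE = re.compile(r'File ".*/auth/plugins/ovirt/sso\.py", line \d+, in (\w+)')


def triage(log_text):
    """Summarise one failed POST /v2.0/tokens attempt from provider debug output."""
    result = {"endpoint": None, "status": None, "user": None,
              "error": None, "frames": [], "stage": "unknown"}
    for line in log_text.splitlines():
        if (m := HTTP_RE.search(line)):
            result["endpoint"], result["status"] = m.group(1), int(m.group(2))
        elif (m := ERR_RE.search(line)):
            result["user"], result["error"] = m.group(1), m.group(2)
        elif (m := FRAME_RE.search(line)):
            result["frames"].append(m.group(1))
    # Per the reply above, _get_sso_token does not use the client secret, so a
    # failure there points at the user name/password entered for the provider.
    # "user-credentials" is a label chosen for this example only.
    if "_get_sso_token" in result["frames"]:
        result["stage"] = "user-credentials"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
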

