Bug 1121954
| Summary: | [AAA] Unable to assign permissions to user | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Ondra Machacek <omachace> | ||||
| Component: | ovirt-engine-core | Assignee: | Yair Zaslavsky <yzaslavs> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ondra Machacek <omachace> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 3.5 | CC: | alonbl, bugs, ecohen, gklein, iheim, jbelka, omachace, oourfali, rbalakri, yeylon, yzaslavs | ||||
| Target Milestone: | --- | Keywords: | Regression | ||||
| Target Release: | 3.5.1 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | infra | ||||||
| Fixed In Version: | vt3 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-01-21 16:02:14 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1017030, 1076964 | ||||||
| Attachments: |
|
||||||
Well it's not applicable only for UTF-8 users, but for every user. Works on master. (In reply to Yair Zaslavsky from comment #2) > Works on master. What about 3.5? and on 3.5 as well. Actually, I verified this when worked on http://gerrit.ovirt.org/#/c/30473/6 Could we move forward a bit? We can't test almost anything in User Portal. (In reply to Jiri Belka from comment #5) > Could we move forward a bit? We can't test almost anything in User Portal. what version do you use for test? ovirt-engine-backend-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch but it's super odd. i had same issue and was told to try on clean installation, then it worked, but i needed to add new domain and it stopped working. (i still have admin@internal in 'System Permissions' with 'UserRole' as I added right it after clean installation admin@internal.) Can you please provide sequence so I can try and reproduce? please start with fresh installation. Thanks! I didn't succeed reproducing. It's OK in vt 3.1. Ok, i again hit this issue, these are exact reproducion steps(vt5): 1) yum install -y ovirt-engine-extension-aaa-ldap-0.0.0-0.0.4.master.el6ev.noarch 2) cd /etc/ovirt-engine/extensions.d 3) cat << conf_ldap-authn-digest_openldap.properties >> EOF include = <openldap.properties> pool.default.serverset.type = single pool.default.serverset.single.server = brq-openldap.rhev.lab.eng.brq.redhat.com pool.authz.auth.type = digest-md5 pool.authz.auth.digest-md5.authenticationID = user_digest pool.authz.auth.digest-md5.password = 1234567 EOF 4) cat << ldap-authz-digest_openldap.properties >> EOF ovirt.engine.extension.enabled = true ovirt.engine.extension.name = ldap-authz-digest_openldap ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-digest_openldap.properties EOF 5) cat << ldap-authn-digest_openldap.properties >> EOF ovirt.engine.extension.enabled = true ovirt.engine.extension.name = ldap-auth-digest_openldap ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-digest_openldap.properties ovirt.engine.aaa.authn.profile.name = ldap-authn-digest_openldap ovirt.engine.aaa.authn.authz.plugin = ldap-authz-digest_openldap EOF 6) chown ovirt:ovirt *.properties 7) service ovirt-engine restart 8) Go to webadmin, click Clusters , click default cluster -> permissions subtab -> add permission for some user from openldap. Actual result: "User admin failed to grant permission for Role UserRole on Data Center Default to User/Group <UNKNOWN>." relevant error in log: 2014-10-08 17:10:53,988 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (org.ovirt.thread.pool-7-thread-5) [12154c42] Command org.ovirt.engine.core.bll.AddPermissionCommand throw exception: java.lang.NullPointerException at org.ovirt.engine.core.compat.Guid.hashCode(Guid.java:114) [compat.jar:] working for me... cannot reproduce. strange. OK. Me neither, but with these steps I am able to reproduce 100%. replace pool.authz.auth.type = digest-md5 pool.authz.auth.digest-md5.authenticationID = user_digest pool.authz.auth.digest-md5.password = 1234567 with pool.default.auth.type = digest-md5 pool.default.auth.digest-md5.authenticationID = user_digest pool.default.auth.digest-md5.password = 1234567 then add another domain. don't care which, ie: $ rhevm-manage-domains add --domain=brq-openldap.rhev.lab.eng.brq.redhat.com --user=user1 --provider=openldap now you are not able to use ldap-auth-digest_openldap, but you should be able to use brq-openldap.rhev.lab.eng.brq.redhat.com. If you try to assign some user from brq-openldap.rhev.lab.eng.brq.redhat.com permissions, the it fails with above error. pool.default.auth.type = digest-md5 should not be modified it effects the authn pool which should be anonymous. I also not sure why effecting the authn will not allow you to assign permissions, as it is using authz only. Please do not mix legacy and new implementation when opening bugs. Please do not mix legacy and new implementation especially when using sasl, as java has very poor support for multiple sasl connections. Please switch to working generic ldap extensions mechanism. Adding a permission adds a user if it doesnt exist, if you cant seem to add a user, there might be an issue with the generic ldap extension mechanism, not with the MLA or the AddUserCommand at engine. yair, the add user should work also if provider was not initialized, or anything is wrong. The failure should be a specific error and not null pointer exception. Failed to reproduce on my env, Are you sure I can use "any" domain with manage-domains? Please provide credentials for the relevant domain you tried to add and full engine.log of your reproduction, Thanks! Moving pending bugs not fixed in 3.5.0 to 3.5.1. OK in vt 13.1. I didn't succeed to reproduce. oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report. |
Created attachment 919831 [details] engine.log Description of problem: Version-Release number of selected component (if applicable): ovirt-engine-3.5.0-0.0.master.20140715172116.git4687dc1.el6.noarch How reproducible: always Steps to Reproduce: 1. Create in LDAP user with some UTF-8 characters in username. 2. Connect LDAP to engine. 3. go to datacenter tab -> permissions sub tab, and assign this user some permissions Actual results: Action fail. User is not added and permissions are not assigned. Expected results: Action succeed. User is added and permissions are assigned. Additional info: