Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1164246

Summary: [DOC][Admin] [bugfix]Document permissions required for search users within legacy kerbldap provider
Product: Red Hat Enterprise Virtualization Manager
Reporter: Martin Tessun <mtessun>
Component: Documentation
Assignee: Julie <juwu>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Tessun <mtessun>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alonbl, ecohen, gklein, iheim, juwu, lpeer, lsurette, mtessun, oourfali, rbalakri, yeylon
Target Milestone: ---
Keywords: Documentation
Target Release: 3.5.0
Flags: lsvaty: testing_plan_complete-
Hardware: All
OS: Linux
Whiteboard: infra
Fixed In Version:
Doc Type: Enhancement
Doc Text: See comment#3
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-13 04:00:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Tessun 2014-11-14 12:49:16 UTC
1. Proposed title of this feature request
Disable operations on a managed domain in case the provided admin account can no longer log in

3. What is the nature and description of the request?
Disable requests that need the admin account of the managed domain in case there is a password mismatch error.
Restore connectivity once that is adjusted manually.

4. Why does the customer need this? (List the business requirements here)
To avoid the lockout of technical (admin) users that are attached to the RHEV-M within its domain authority.

5. How would the customer like to achieve this? (List the functional requirements here)
In case the admin password of the attached (IPA-)domain is changed, RHEV-M can easily lock out the account due to subsequent trials. This should be avoided by disabling the requests to the domain that need the admin credentials as soon as this is observed.
The connectivity should be restored once the domains are updated with engine-manage-domains.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Change the IPA admin password, but do not update the domain within IPA.
Do some user changes. If RHEV-M realizes it can't connect as admin, it should no longer try to query this source.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I know of.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
ASAP within the RHEV 3 release cycle.

9. Is the sales team involved in this request and do they have any additional input?
No

10. List any affected packages or components.
ovirt-engine

11. Would the customer be able to assist in testing this functionality if implemented?
Yes.
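The behaviour the request describes (stop binding to a managed domain on the first password-mismatch error, and only resume once the credentials have been updated manually, the role engine-manage-domains plays above), shown as an added Python example. This is not ovirt-engine code: the directory, its lockout threshold, the user data and every class and function name here are constructed for illustration, and a real engine would bind over LDAP or Kerberos rather than against an in-memory object. Running it with and without the breaker shows why the retry behaviour matters: the naive provider drives the directory's failure counter up to the lockout threshold, and the account stays locked even after the engine-side password is corrected.

```python
class InvalidCredentials(Exception):
    """Bind rejected: wrong password for the service account."""


class AccountLocked(Exception):
    """Bind rejected: the directory's lockout policy has locked the account."""


class FakeDirectory:
    """Constructed stand-in for an IPA/LDAP server with a password lockout
    policy. It models only the failure counting that causes the lockout."""

    def __init__(self, password, lockout_threshold=5):
        self.password = password
        self.lockout_threshold = lockout_threshold
        self.failures = 0
        self.users = {"alice": ["admins"], "bob": ["users"]}  # constructed data

    def bind_and_search(self, password, username):
        if self.failures >= self.lockout_threshold:
            raise AccountLocked("service account locked by lockout policy")
        if password != self.password:
            self.failures += 1
            raise InvalidCredentials("password mismatch")
        self.failures = 0  # a successful bind resets the counter
        return self.users.get(username)


class DirectoryProvider:
    """Hypothetical engine-side wrapper for one managed domain.

    breaker=True is the behaviour the RFE asks for: the first password-mismatch
    error disables every further query to the domain until the credentials are
    re-provisioned. breaker=False retries on every lookup, which is what pushes
    the directory's failure counter up to the lockout threshold."""

    def __init__(self, directory, password, breaker=True):
        self.directory = directory
        self.password = password
        self.breaker = breaker
        self.disabled_reason = None
        self.bind_attempts = 0

    def search_user(self, username):
        if self.disabled_reason is not None:
            raise RuntimeError("domain disabled: " + self.disabled_reason)
        self.bind_attempts += 1
        try:
            return self.directory.bind_and_search(self.password, username)
        except InvalidCredentials as exc:
            if self.breaker:
                self.disabled_reason = str(exc)  # stop touching this domain
            raise

    def update_credentials(self, new_password):
        """Manual re-provisioning step (engine-manage-domains edit); also
        re-enables the domain."""
        self.password = new_password
        self.disabled_reason = None


def simulate_rotation(breaker, lookups=10):
    """Rotate the directory password without telling the engine, run several
    user lookups, then fix the engine-side credentials. Returns what an
    operator would observe."""
    directory = FakeDirectory("old-secret", lockout_threshold=5)
    provider = DirectoryProvider(directory, "old-secret", breaker=breaker)
    provider.search_user("alice")          # works before the rotation
    directory.password = "new-secret"      # changed in IPA, engine not updated
    errors = 0
    for _ in range(lookups):
        try:
            provider.search_user("bob")
        except (InvalidCredentials, AccountLocked, RuntimeError):
            errors += 1
    outcome = {
        "bind_attempts": provider.bind_attempts,
        "directory_failures": directory.failures,
        "locked_out": directory.failures >= directory.lockout_threshold,
        "failed_lookups": errors,
    }
    provider.update_credentials("new-secret")
    try:
        outcome["restored"] = provider.search_user("bob") == ["users"]
    except AccountLocked:
        outcome["restored"] = False        # still locked: needs an unlock in IPA
    return outcome
```

With the breaker, only one bind is attempted after the rotation, the directory counts a single failure, and service resumes as soon as the engine-side password is fixed. Without it, ten lookups produce five failures, the lockout trips, and updating the engine's password alone does not restore service because the account must also be unlocked on the directory side.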

Comment 2 Alon Bar-Lev 2014-11-16 07:45:09 UTC
The user allocated to ovirt-engine should not have any special privileges but the ability to search for users and groups.

The user allocated to the ovirt-engine application should serve only ovirt-engine, nothing more.

As it serves only the ovirt-engine application and is not used for any other purpose, locking it up does not have any effect.

If you have not allocated a dedicated user for ovirt-engine, please do, and close this RFE.

thanks!

Comment 3 Martin Tessun 2014-11-21 15:25:38 UTC
OK. Given that, it might make sense to add this information to the Administration manual.

Currently the manual just states:
" A user must be created in the directory server specifically for use as the Red Hat Enterprise Virtualization administrative user. Do not use the administrative user for the directory server as the Red Hat Enterprise Virtualization administrative user."

This could be a bit more detailed by describing which rights the user needs. As I understood it, this is just the right to browse users and groups.

Please let me know if you want me to file an additional RFE for documentation then.

Cheers,
Martin