Bug 1191204

Summary: Logging in to admin@internal fails
Product: [Retired] oVirt Reporter: Dima Kuznetsov <dkuznets>
Component: ovirt-engine-coreAssignee: Eli Mesika <emesika>
Status: CLOSED CURRENTRELEASE QA Contact: Karolína Hajná <khajna>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: alonbl, amureini, bugs, ecohen, emesika, gklein, lsurette, oourfali, pstehlik, rbalakri, yeylon
Target Milestone: ---   
Target Release: 3.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-04 11:46:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dima Kuznetsov 2015-02-10 16:55:49 UTC 
Description of problem:
Log-in fails on clean installation of ovirt engine

Version-Release number of selected component (if applicable):
up-to-date ovirt-engine master (51e4e8)

How reproducible:

Steps to Reproduce:
1. Run engine-setup with provided answer file
2. Try logging in
3.

Actual results:
Login fails

Expected results:
Login succeeds 

Additional info:
Error when logging in through both web-admin and REST API

Log contains this for each connect attempt:
2015-02-10 16:47:57,156 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2015-02-10 16:47:57,157 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Setup answer file contains:
# action=setup
[environment:default]
OVESETUP_DIALOG/confirmSettings=bool:True
OVESETUP_CONFIG/applicationMode=str:both
OVESETUP_CONFIG/remoteEngineSetupStyle=none:None
OVESETUP_CONFIG/adminPassword=str:123
OVESETUP_CONFIG/storageIsLocal=bool:False
OVESETUP_CONFIG/firewallManager=str:iptables
OVESETUP_CONFIG/remoteEngineHostRootPassword=none:None
OVESETUP_CONFIG/firewallChangesReview=bool:False
OVESETUP_CONFIG/updateFirewall=bool:True
OVESETUP_CONFIG/remoteEngineHostSshPort=none:None
OVESETUP_CONFIG/fqdn=str:engine
OVESETUP_CONFIG/storageType=none:None
OSETUP_RPMDISTRO/requireRollback=none:None
OSETUP_RPMDISTRO/enableUpgrade=none:None
OVESETUP_DB/database=str:engine
OVESETUP_DB/fixDbViolations=none:None
OVESETUP_DB/secured=bool:False
OVESETUP_DB/host=str:localhost
OVESETUP_DB/user=str:engine
OVESETUP_DB/securedHostValidation=bool:False
OVESETUP_DB/port=int:5432
OVESETUP_ENGINE_CORE/enable=bool:True
OVESETUP_CORE/engineStop=none:None
OVESETUP_SYSTEM/memCheckEnabled=bool:True
OVESETUP_SYSTEM/nfsConfigEnabled=bool:False
OVESETUP_PKI/organization=str:Test
OVESETUP_CONFIG/isoDomainMountPoint=none:None
OVESETUP_CONFIG/isoDomainName=none:None
OVESETUP_CONFIG/isoDomainACL=none:None
OVESETUP_AIO/configure=none:None
OVESETUP_AIO/storageDomainName=none:None
OVESETUP_AIO/storageDomainDir=none:None
OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:True
OVESETUP_APACHE/configureRootRedirection=bool:True
OVESETUP_APACHE/configureSsl=bool:True
OVESETUP_CONFIG/websocketProxyConfig=bool:True
Comment 1 Dima Kuznetsov 2015-02-10 16:57:27 UTC 
Please note that the displayed message is:
User is not authorized to perform this action

Rather than:
The user name or password is incorrect.

that happens when password is invalid.
Comment 2 Eli Mesika 2015-02-11 07:52:28 UTC 
(In reply to Dima Kuznetsov from comment #1)
> Please note that the displayed message is:
> User is not authorized to perform this action
> 
> Rather than:
> The user name or password is incorrect.
> 
> that happens when password is invalid.

So, basically this is not specific to user setup and can be reproduced by login to from webadmin/REST API with wrong password ???
Comment 3 Dima Kuznetsov 2015-02-11 07:59:51 UTC 
No, it can only be reproduced by logging in with the correct password, when logging with a wrong password it displays a different message.
Comment 4 Eli Mesika 2015-02-11 10:53:59 UTC 
(In reply to Dima Kuznetsov from comment #3)
> No, it can only be reproduced by logging in with the correct password, when
> logging with a wrong password it displays a different message.

Please read again what you had wrote in comment 1 :

==============================================
Please note that the displayed message is:
User is not authorized to perform this action

Rather than:
The user name or password is incorrect.
==============================================

So, if the user name and password is correct, why should it display that it is incorrect ???

Please explain ...
Comment 5 Dima Kuznetsov 2015-02-11 10:57:56 UTC 
I meant to say that password provided is correct and ovirt recognizes it as such.
Comment 6 Alon Bar-Lev 2015-02-12 16:32:05 UTC 
Root cause[1], 00100_insert_users.sql change.

[1] http://gerrit.ovirt.org/#/c/37668/
Comment 7 Alon Bar-Lev 2015-02-12 16:32:44 UTC 
*** Bug 1192044 has been marked as a duplicate of this bug. ***
Comment 8 Eli Mesika 2015-02-12 16:34:57 UTC 
The problem is that the upgrade script 03_05_0220_update_user_ids.sql changes the default user is to something else 
This causes the default user id to be added again with 'fdfc627cd87511e090f083df133b58cc' as user_id , but now the permissions are set on the changed user_id and the new one has no permissions 

The upgrade script should not change 'fdfc627cd87511e090f083df133b58cc' which is used constantly in :

--- start ---

git grep "fdfc627c-d875-11e0-90f0-83df133b58cc"
PredefinedUsers.java:    ADMIN_USER(new Guid("fdfc627c-d875-11e0-90f0-83df133b58cc"));
EngineExtensionsManager.java:        dirConfig.put("config.authz.user.id", "fdfc627c-d875-11e0-90f0-83df
data/00100_insert_users.sql:INSERT INTO users (user_id, name, surname, domain, username, groups, department, role, email, note, status, last_admin_check_status, group_ids
data/00600_insert_permissions.sql:INSERT INTO permissions (id, role_id, ad_element_id, object_id, object_type_id) VALUES ('00000003-0003-0003-0003-000000000016', '0000000
data/00600_insert_permissions.sql:INSERT INTO permissions (id, role_id, ad_element_id, object_id, object_type_id) VALUES ('00000006-0006-0006-0006-00000000016d', '0000000

---  end  --- 


Setting NEEDINFO on Yair that wrote this upgrade script
Comment 9 Eli Mesika 2015-02-12 16:39:30 UTC 
(In reply to Alon Bar-Lev from comment #6)
> Root cause[1], 00100_insert_users.sql change.
> 
> [1] http://gerrit.ovirt.org/#/c/37668/

Agree, that;s the problem cause , please ignore comment 8
Comment 10 Alon Bar-Lev 2015-02-12 16:40:41 UTC 
it changes the uuid psql type into a string.
Comment 11 Karolína Hajná 2015-04-28 10:38:51 UTC 
Verified on 3.6.0-0.0.master.20150427173543.git61dec8c.el6
Comment 13 Sandro Bonazzola 2015-11-04 11:46:41 UTC 
oVirt 3.6.0 has been released on November 4th, 2015 and should fix this issue.
If problems still persist, please open a new BZ and reference this one.