Bug 1273261

Summary: [Docs] [RFE] AAA Local User Authentication - changing internal domain to work with the jdbc extension
Product: Red Hat Enterprise Virtualization Manager Reporter: Andrew Burden <aburden>
Component: DocumentationAssignee: Julie <juwu>
Status: CLOSED CURRENTRELEASE QA Contact: Tahlia Richardson <trichard>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.6.0CC: abradshaw, bazulay, ecohen, gklein, juwu, lsurette, mperina, omachace, oourfali, pstehlik, rbalakri, rhev-docs, Rhev-m-bugs, yeylon, ylavi
Target Milestone: ovirt-3.6.2Keywords: FutureFeature
Target Release: 3.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: docs
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1249639 Environment:
Last Closed: 2016-01-28 08:06:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Docs RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 917035, 1249639, 1260573    
Bug Blocks:    

Description Andrew Burden 2015-10-20 05:30:27 UTC 
Doc text for BZ#1249639:
"
Feature: 
Legacy provider for 'internal' domain was replaced by aaa-jdbc provider, so following things needs to be documented for RHEVM 3.6.0:

1. During the upgrade 'internal' domain is converted from legacy provider to aaa-jdbc provider, password for 'admin@internal' is preserved. For new installation aaa-jdbc provider is installed by default and 'admin@internal' password is set during engine-setup execution.

2. There's completely new infrastructure how to manage users/groups/passwords provided by aaa-jdbc provider, for details please take a look at feature page http://www.ovirt.org/Features/AAA_JDBC
3. Document that describes how to change password of admin@internal is no longer valid for RHEV 3.6:
https://access.redhat.com/solutions/63677

Please update it with information contained in feature page.

4. aaa-jdbc provider is contained in ovirt-engine-extension-aaa-jdbc package which is not upgraded automatically by engine-setup (only specific upgrades are forced to be applied during engine-setup execution). So if user wants aaa-jdbc to be upgraded he needs to execute following commands:

  yum update ovirt-engine-extension-aaa-jdbc
  service restart ovirt-engine

"


+++ This bug was initially created as a clone of Bug #1249639 +++

Changing internal domain to work with the jdbc extension

--- Additional comment from Pavel Stehlik on 2015-08-18 03:41:46 EDT ---

CodeChange? Or how should be tested?

--- Additional comment from Martin Perina on 2015-08-18 09:23:43 EDT ---

Legacy provider for 'internal', which supports only only one user (admin) and no groups, was replaced with aaa-jdbc provider which supports unlimited number of users and groups same as aaa-ldap provider. So I think that verification should be similar to 1076971:

1. Upgrade for previous version is OK, internal legacy provider is replaced with aaa-jdbc, admin@internal can be logged in with the same password as before

2. New installation is OK, aaa-jdbc is configured properly, admin@internal can be logged in using password specified during engine-setup

3. For both upgrade and new installation verify that user/groups management using ovirt-aaa-jdbc-tool command works correctly
Comment 1 Ondra Machacek 2015-10-20 11:16:43 UTC 
(In reply to Andrew Burden from comment #0)
>So if user wants aaa-jdbc to be upgraded he needs to execute following commands:
> 
>   yum update ovirt-engine-extension-aaa-jdbc
>   service restart ovirt-engine

AFAIK it's not enough. ie. DB upgrade is run within engine-setup command.
That means to properly upgrade you need to run:

  yum update ovirt-engine-extension-aaa-jdbc
  engine-setup
  service restart ovirt-engine
Comment 2 Sandro Bonazzola 2015-10-26 12:49:44 UTC 
this is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to

- 3.6.1 if severity >= high
- 4.0 if severity < high
Comment 3 Martin Perina 2015-11-02 11:26:49 UTC 
(In reply to Ondra Machacek from comment #1)
> (In reply to Andrew Burden from comment #0)
> >So if user wants aaa-jdbc to be upgraded he needs to execute following commands:
> > 
> >   yum update ovirt-engine-extension-aaa-jdbc
> >   service restart ovirt-engine
> 
> AFAIK it's not enough. ie. DB upgrade is run within engine-setup command.
> That means to properly upgrade you need to run:
> 
>   yum update ovirt-engine-extension-aaa-jdbc
>   engine-setup
>   service restart ovirt-engine

I've updated README.admin in ovirt-engine-extension-aaa-jdbc package with concrete steps to install/upgrade aaa-jdbc profiles:

https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-jdbc.git;a=blob_plain;f=README.admin;hb=38dcec6efd9141b8dc6c6395b501bc231bb8ffc4
Comment 5 Martin Perina 2016-01-20 10:33:47 UTC 
Upgrade of aaa-jdbc extension has been changed by BZ1293338. There's no need for manual upgrade of 'internal' profile, everything is done automatically by engine-setup.

Only custom aaa-jdbc profiles have to be upgraded manually.

Updated installation info can be found at 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-jdbc.git;a=blob_plain;f=README.admin
Comment 10 Julie 2016-01-28 08:06:16 UTC 
Documentation available at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6-Beta/html/Administration_Guide/sect-Administering_User_Tasks_From_the_commandline.html
Comment 11 Yaniv Lavi 2016-02-02 12:16:47 UTC 
*** Bug 1302273 has been marked as a duplicate of this bug. ***