Bug 1379000

Summary: [RFE] - [AAA] Add support for IBM Security (Tivoli) Directory server
Product: Red Hat Enterprise Virtualization Manager
Reporter: Anitha Udgiri <audgiri>
Component: ovirt-engine-extension-aaa-ldap
Assignee: Martin Perina <mperina>
Status: CLOSED ERRATA
QA Contact: Gonza <grafuls>
Severity: medium
Docs Contact:
Priority: high
Version: 4.0.0
CC: audgiri, bazulay, cnagarka, gklein, hannsj_uhl, lsurette, melewis, mgoldboi, mperina, oourfali, pstehlik, Rhev-m-bugs, ykaul
Target Milestone: ovirt-4.1.0-beta
Keywords: FutureFeature
Target Release: ---
Flags: grafuls: testing_plan_complete+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, IBM Security (Tivoli) Directory Server has been added to supported LDAP servers in ovirt-engine-extension-aaa-ldap. This allows customers to attach Red Hat Virtualization 4.1 to their IBM Security (Tivoli) Directory Server setup and to use users and groups from this setup in Red Hat Virtualization.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-25 00:46:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1387254
Bug Blocks: 1359843, 1427730

Description Anitha Udgiri 2016-09-23 20:49:10 UTC
Description of problem:

In the customer's words:

"We have configured RHV with ovirt-engine-extension-aaa-ldap-setup with the 389ds LDAP implementation following the documentation https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide#sect-Configuring_an_External_LDAP_Provider and RHV says it's OK (both login and search).
Then we restarted the RHV engine and, as admin, tried to add a role to a user. The GUI says nothing but it does not add anything."

The engine.log file has the following logged:

2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getuserbyuserid(?, ?)}]
2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetUserByUserId] compiled
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getgroupbyid(?)}]
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetGroupById] compiled
2016-09-22 08:27:48,230 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Checking whether user '0000002c-002c-002c-002c-0000000000ad' or one of the groups he is member of, have the following permissions:  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER,  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call get_entity_permissions(?, ?, ?, ?)}]
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [get_entity_permissions] compiled
2016-09-22 08:27:48,235 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,236 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getrolsbyid(?)}]
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetRolsByid] compiled
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getforroleandadelementandobject_wgroupcheck(?, ?, ?)}]
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetForRoleAndAdElementAndObject_wGroupCheck] compiled
2016-09-22 08:27:48,247 DEBUG [org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner] (org.ovirt.thread.pool-6-thread-13) [480d72b] Executing command AddSystemPermission for user admin@internal-authz.
2016-09-22 08:27:48,249 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = org.ovirt.engine.core.common.businessentities.aaa.DbUser@ba985bb6, Group = null, TargetId = null, Permission = org.ovirt.engine.core.common.businessentities.Permission@929e7a01) internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER,  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] Compiled stored procedure. Call string is [{call get_entity_snapshot_by_command_id(?)}]
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] SqlCall for procedure [get_entity_snapshot_by_command_id] compiled
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Command [id=39462e54-f17a-43e6-b92e-184773232034]: No compensation data.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.


The logs show that adding permissions did not succeed. But this is not relayed back to the user. The user is under the assumption that everything worked when it did not.
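Because the engine only records the failed grant in engine.log and the audit log, an operator who wants to catch this class of silent failure has to look there. The following is an added example, not code from this bug or from oVirt: it parses engine.log records by correlation ID and reports every AddSystemPermissionCommand that ended in a rolled-back transaction or a "failed to grant permission" audit entry, flagging the unresolved "User/Group <UNKNOWN>" target seen in the report. The sample lines are constructed from the excerpt above; the second correlation ID (5a1b2c3) and its "granted permission" wording are assumptions made for the success case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the engine.log excerpt in this report. The second
# correlation ID (5a1b2c3) and its "granted permission" line are illustrative only.
SAMPLE_LOG = """\
2016-09-22 08:27:48,249 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = DbUser@ba985bb6, Group = null) internal: false.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.
2016-09-22 08:30:01,100 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-2) [5a1b2c3] Running command: AddSystemPermissionCommand(User = DbUser@11aa22bb, Group = null) internal: false.
2016-09-22 08:30:01,150 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-2) [5a1b2c3] Correlation ID: 5a1b2c3, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz granted permission for Role UserRole on System to User bob@example-authz.
"""

# engine.log record layout: "<date> <time> <LEVEL> [<logger>] (<thread>) [<correlation id>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] "
                     r"\((?P<thread>[^)]+)\) \[(?P<corr>[^\]]*)\] (?P<msg>.*)$")
# Audit wording as it appears in the report's last ERROR line.
AUDIT_FAIL_RE = re.compile(r"Message: User (?P<actor>\S+) failed to grant permission for Role "
                           r"(?P<role>\S+) on (?P<obj>\S+) to (?P<target>.*?)\.?$")

def parse_engine_log(text):
    """Group parsed records by correlation ID, keeping file order within each group."""
    by_corr = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # stack-trace continuation lines carry no header and are skipped
            by_corr[m["corr"]].append(m.groupdict())
    return by_corr

def find_silent_permission_failures(text):
    """One finding per correlation ID where AddSystemPermissionCommand ran but the engine
    rolled the transaction back or audited a failed grant."""
    findings = []
    for corr, recs in parse_engine_log(text).items():
        if not any(r["msg"].startswith("Running command: AddSystemPermissionCommand") for r in recs):
            continue
        rolled_back = any("Transaction rolled-back" in r["msg"] for r in recs)
        audits = [AUDIT_FAIL_RE.search(r["msg"]) for r in recs if "failed to grant permission" in r["msg"]]
        audit = next((a for a in audits if a), None)
        if not rolled_back and audit is None:
            continue  # the grant went through; nothing to report
        target = audit["target"] if audit else ""
        findings.append({
            "correlation_id": corr, "timestamp": recs[0]["ts"], "rolled_back": rolled_back,
            "actor": audit["actor"] if audit else None, "role": audit["role"] if audit else None,
            "target": target,
            # the audit record could not name the User/Group: the symptom described in this report
            "unknown_principal": target.endswith("<UNKNOWN>"),
        })
    return findings
```

Pointing `find_silent_permission_failures` at a real engine.log and alerting on any finding gives the administrator the feedback the GUI did not.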

Comment 6 Ondra Machacek 2016-09-25 18:04:00 UTC
Why do they use 389ds? I see it's an IBM LDAP server. Unfortunately it's not supported in aaa-ldap.

Comment 19 Martin Perina 2016-10-24 09:02:56 UTC
Targeting for now to 4.1

Comment 21 Martin Perina 2016-12-19 10:14:27 UTC
Included in ovirt-engine-extension-aaa-ldap-1.3.0

Comment 23 Gonza 2017-02-03 13:43:23 UTC
Verified basic functionality with:
ovirt-engine-extension-aaa-ldap-setup-1.3.1-0.0.master.20161219093217.git9a5d8da.el7.noarch
ovirt-engine-4.1.0-0.2.master.20161213122836.git2cd5587.el7.centos.noarch