Bug 1412687

Summary: Awkward attempted login error
Product: Red Hat Enterprise Virtualization Manager
Reporter: Matt Reid <mreid>
Component: ovirt-engine
Assignee: Ravi Nori <rnori>
Status: CLOSED ERRATA
QA Contact: Radim Hrazdil <rhrazdil>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.0.5
CC: bgraveno, gklein, gshereme, lsurette, lsvaty, mperina, pstehlik, rbalakri, Rhev-m-bugs, rnori, srevivo, ykaul
Target Milestone: ovirt-4.1.1
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-16 09:21:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  Error message (flags: none)
  Portal page (flags: none)

Description Matt Reid 2017-01-12 14:48:23 UTC
Created attachment 1239965
Error message

Description of problem:
When trying to log into my freshly configured 4.0.5-5 engine (set up in a test environment using QCI) and trying to access it via the IP address, I'm greeted with a message "The client is not authorized to request an authorization. It's required to access the system using FQDN." With a link "Click here to continue", which takes me to the standard landing page, but trying to go to the admin portal from there results in the same issue.

If we truly do need to require users to log in using the hostname, and are rejecting any attempt through the IP address, it would be nice if this message was a little clearer. I'm trying to log in, not become authorized.

The "Click here to continue" message should probably be changed, since it makes it sound like this is a recoverable thing. What can you still do? Access the doc links from that Portal page?

Version-Release number of selected component (if applicable):
4.0.5

Additional info:

Comment 1 Matt Reid 2017-01-12 14:48:51 UTC
Created attachment 1239966
Portal page

Comment 2 Greg Sheremeta 2017-01-12 21:13:36 UTC
The error should use the Alert pattern in PatternFly

http://www.patternfly.org/pattern-library/communication/inline-notifications/#/_code

See
<div class="alert alert-danger alert-dismissable">

Comment 3 Martin Perina 2017-01-16 09:21:42 UTC
Accessing the engine using only the predefined FQDN is mandatory, because part of the OAuth2 protocol (which is used by our new SSO module) is client FQDN checking (the client in that case is the engine). So by default you should access the engine only by the FQDN defined during installation; if you want to add alternate FQDNs (or even an IP address), please take a look at BZ1325746.

Btw, "The client is not authorized to request an authorization." is the official error message suggested in the OAuth2 spec; we have added the "It's required to access the system using FQDN." part to make that error more understandable to users :-)

So I'm closing this as NOTABUG ...
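
Added illustration, not part of the thread and not oVirt's code: a sketch of the kind of client host check Comment 3 describes, assuming the authorization server compares the host of the request's redirect URI with the FQDN registered at installation. The function name, registered host and sample URIs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the FQDN chosen at installation (constructed value).
REGISTERED_HOSTS = {"engine.example.com"}

# Field names follow the RFC 6749 error response; the description is the
# message quoted in this bug report.
DENIED = {
    "error": "unauthorized_client",
    "error_description": (
        "The client is not authorized to request an authorization. "
        "It's required to access the system using FQDN."
    ),
}


def check_redirect_uri(redirect_uri, allowed_hosts=REGISTERED_HOSTS):
    """Return (True, None) if the URI's host is registered, else (False, DENIED)."""
    try:
        parts = urlsplit(redirect_uri)
        host = parts.hostname  # lowercased; userinfo and port are stripped
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False, DENIED
    if parts.scheme != "https" or not host:
        return False, DENIED
    # Exact match after normalising a trailing dot. Prefix or substring tests
    # would accept hosts such as "engine.example.com.other.test".
    if host.rstrip(".") not in {h.lower() for h in allowed_hosts}:
        return False, DENIED
    return True, None


if __name__ == "__main__":
    for uri in (  # constructed sample requests
        "https://engine.example.com/callback",
        "https://192.0.2.10/callback",
        "https://engine.example.com@192.0.2.10/callback",
    ):
        ok, err = check_redirect_uri(uri)
        print(uri, "->", "accepted" if ok else err["error"])
```

Because the check fails before any redirect happens, the user can only be shown an error page, which is why the wording and styling of that page matter in this report.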

Comment 4 Greg Sheremeta 2017-01-16 14:56:06 UTC
Re-opening. See Comment 2. The error message must show visually as an error by using the Alert pattern.

Also, even if that's the official error message text, it's poorly worded and a bad user experience. It should be changed.

Also, 'The "Click here to continue" message should probably be changed' -- agree. The current flow makes it seem like this is a recoverable error.

Comment 5 Martin Perina 2017-01-24 15:00:31 UTC
We will adapt the problematic error message to the PatternFly Alert pattern, moving this to 4.2. When the patch is ready we can discuss a backport.

Comment 6 Radim Hrazdil 2017-02-20 08:22:15 UTC
Verified that PatternFly Alert pattern is used and "Click here to continue" message has been removed in version ovirt-engine-4.1.1.2-0.1.el7.noarch.