Bug 1438484
| Summary: | Running the command logon on the VM via the REST failed with the exception | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Artyom <alukiano> | ||||
| Component: | AAA | Assignee: | Ravi Nori <rnori> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jiri Belka <jbelka> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 4.1.1.7 | CC: | bugs, jbelka, lleistne, lveyde, mperina, rnori, tjelinek | ||||
| Target Milestone: | ovirt-4.1.2 | Flags: | rule-engine:
ovirt-4.1+
|
||||
| Target Release: | 4.1.2 | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-05-23 08:14:09 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1439611 | ||||||
| Attachments: |
|
||||||
The root cause is that the: final String password = SsoUtils.getPassword( sessionDataContainer.getSsoAccessToken(getParameters().getSessionId())); throws an exception. It is a consequence of migrating to the new SSO and Im not really sure if this even can be solved. Moving to infra do investigate. |
Created attachment 1268401 [details] engine log Description of problem: Running the command logon on the VM via the REST failed with the exception: 22017-04-03 09:16:36,250-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-28) [] OAuthException invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. 2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Command 'org.ovirt.engine.core.bll.VmLogonCommand' failed: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. 2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Exception: java.lang.RuntimeException: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. at org.ovirt.engine.core.aaa.filters.FiltersHelper.isStatusOk(FiltersHelper.java:64) [aaa.jar:] at org.ovirt.engine.core.aaa.SsoUtils.getPassword(SsoUtils.java:90) [aaa.jar:] at org.ovirt.engine.core.bll.VmLogonCommand.perform(VmLogonCommand.java:50) [bll.jar:] at org.ovirt.engine.core.bll.VmOperationCommandBase.executeVmCommand(VmOperationCommandBase.java:29) [bll.jar:] at org.ovirt.engine.core.bll.VmCommand.executeCommand(VmCommand.java:120) [bll.jar:] Version-Release number of selected component (if applicable): rhevm-4.1.1.7-0.1.el7.noarch How reproducible: Always Steps to Reproduce: 1. Create VM and configure it for SSO 2. Run logon command via REST as admin@internal user with the body: <action/> 3. Actual results: Command failed with the response <action> <fault> <detail>[Internal Engine Error]</detail> <reason>Operation Failed</reason> </fault> <status>failed</status> </action> Expected results: Command must succeed, admin@internal has SuperUser permissions, so it does not fail because insufficient permissions. Additional info: I tried also to login with other user, but the result is the same