Bug 1463634

Summary: Running the command logon on the VM via the REST failed
Product: [oVirt] ovirt-engine
Reporter: Miguel Martin <mmartinv>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.1.2.2
CC: bugs, juan.hernandez, khuh, mperina, paul
Target Milestone: ovirt-4.2.0
Keywords: Regression
Target Release: 4.2.0
Flags: rule-engine: ovirt-4.2+, rule-engine: blocker+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1463698 (view as bug list) Environment:
Last Closed: 2017-12-20 11:33:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1463698    
Attachments (Description, Flags):
Python reproducer, none
Ruby reproducer, none
Java reproducer, none

Description Miguel Martin 2017-06-21 11:43:30 UTC
Created attachment 1290026 [details]
Python reproducer

Description of problem:

Logon REST API calls don't work. It doesn't matter what sdk client implementation is used. It looks like 'VmLogonVDSCommandParameters' doesn't contain the actual user password.
 
Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Call logon REST API Operation with any sdk implementation.

Actual results:
No logon is performed in VM Spice console

Expected results:
Logon performed in VM Spice console


Additional info:

The following logs can be seen when running any of the attached reproducers: 

~~~
[root@rhvm-41 ~]# 2017-06-21 13:06:05,214+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-27) [] User user successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:06:05,333+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-26) [774525c2] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:06:05,362+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-26) [774525c2] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 774525c2, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:06:05,481+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
~~~

The following logs can be seen when performing auto login from user portal:

~~~
2017-06-21 13:31:46,361+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-22) [] User user successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:31:46,478+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [502349ff] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:31:46,487+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-24) [502349ff] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 502349ff, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:31:49,278+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com'}), log id: 339d652f
2017-06-21 13:31:50,327+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] FINISH, VmLogonVDSCommand, log id: 339d652f
~~~
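
The difference between the two log excerpts above can be checked mechanically. The following is an added example, not part of the original report or of ovirt-engine: it scans engine.log text for `VmLogonVDSCommand` START lines and flags those logged with `password='null'`. It assumes, from the two excerpts, that a password that was passed is always masked as `'***'`; the sample lines are constructed by abbreviating the ones quoted here.

```python
import re

# Constructed sample: lines abbreviated from the engine.log format quoted in
# this report (IDs shortened, hostId/vmId omitted).
SAMPLE_LOG = """\
2017-06-21 13:06:05,481+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [ce585e69] Running command: VmLogonCommand internal: false.
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', domain='example.com', password='null', userName='user@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', domain='win2008AD.mamux.org', password='***', userName='user@example.com'}), log id: 339d652f
"""

# search() is used so a leading shell prompt on the line does not matter.
START_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d\d)\s+\w+\s+"
    r"\[[\w.]+\.VmLogonVDSCommand\]\s+\([^)]*\)\s+\[(?P<corr>[^\]]*)\]\s+"
    r"START, VmLogonVDSCommand\(.*?VmLogonVDSCommandParameters:\{(?P<params>.*)\}\), "
    r"log id: (?P<log_id>\w+)"
)
PARAM_RE = re.compile(r"(\w+)='([^']*)'")


def scan_logons(text):
    """Return one record per VmLogonVDSCommand START line found in text."""
    events = []
    for line in text.splitlines():
        m = START_RE.search(line)
        if m is None:
            continue  # FINISH lines and other commands carry no parameters
        params = dict(PARAM_RE.findall(m.group("params")))
        events.append({
            "time": m.group("ts"),
            "correlation_id": m.group("corr"),
            "log_id": m.group("log_id"),
            "user": params.get("userName"),
            "domain": params.get("domain"),
            # Assumption: a passed password is masked as '***'; 'null' means none.
            "password_passed": params.get("password") not in (None, "null"),
        })
    return events


def logons_without_password(text):
    """Logon attempts that reached the host without a password (this bug)."""
    return [e for e in scan_logons(text) if not e["password_passed"]]


if __name__ == "__main__":
    for e in logons_without_password(SAMPLE_LOG):
        print("logon without password:", e["time"], e["user"], e["correlation_id"])
```

The correlation ID in each record can be used to find the matching `VmLogonCommand` line in the same log.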

Comment 1 Miguel Martin 2017-06-21 11:44:29 UTC
Created attachment 1290027 [details]
Ruby reproducer

Comment 2 Miguel Martin 2017-06-21 11:45:37 UTC
Created attachment 1290028 [details]
Java reproducer

Comment 3 Juan Hernández 2017-06-21 13:39:13 UTC
Apparently the SSO service doesn't store the user password in the SSO session when called from the API, thus the password isn't available when invoking the 'logon' command.

The password isn't stored because the SSL session doesn't contain a 'clientId'. From 'SSOUtils.java':

    public static void persistUserPassword(
            HttpServletRequest request,
            SsoSession ssoSession,
            String password) {
        try {
            if (ssoSession.getScopeAsList().contains("ovirt-ext=token:password-access") &&
                    password != null &&
                    StringUtils.isNotEmpty(ssoSession.getClientId())) {
                ssoSession.setPassword(encrypt(request.getServletContext(), ssoSession.getClientId(), password));
            }
        } catch (Exception ex) {
            log.error("Unable to encrypt password: {}", ex.getMessage());
            log.debug("Exception", ex);
        }
    }

I am moving the bug to the AAA components, as I think there is nothing that can be done to fix this in the API.

Comment 5 Red Hat Bugzilla Rules Engine 2017-06-22 13:23:12 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 6 Juan Hernández 2017-06-23 13:27:51 UTC
*** Bug 1464457 has been marked as a duplicate of this bug. ***

Comment 7 Juan Hernández 2017-06-23 13:29:23 UTC
Martin would you consider re-targeting for 4.1.z? I think that it is serious enough to do it.

Comment 8 Martin Perina 2017-06-23 19:22:02 UTC
(In reply to Juan Hernández from comment #7)
> Martin would you consider re-targeting for 4.1.z? I think that it is serious
> enough to do it.

I know, there is also a downstream clone BZ1463698 of this bug, which is targeted to 4.1.4, so that's why I targeted upstream to 4.2.

Comment 9 Gonza 2017-09-12 09:17:06 UTC
Verified with:
ovirt-engine-4.2.0-0.0.master.20170906185835.gitcee3e58.el7.centos.noarch

~~~
# curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Authorization: Bearer qUOO_j_hEEWkSVcs8SjHnmwEWOUX-iFxPrnBwHIJaCgHAC7hY890CopoZ5ERqX5UhkJfX0yES8dSJplRlXuDXQ" --cacert ca.pem -d "<action/>" https://engine.com/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a/logon
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <job href="/ovirt-engine/api/jobs/b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b" id="b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b"/>
    <status>complete</status>
    <vm href="/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a" id="6b3b3157-4068-4e14-b396-04db62f5398a">
....
    </vm>
</action>
~~~

from engine.log:
~~~
2017-09-12 12:14:46,045+03 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] Running command: VmLogonCommand internal: false. Entities affected :  ID: 6b3b3157-4068-4e14-b396-04db62f5398a Type: VMAction group CONNECT_TO_VM with role type USER
2017-09-12 12:14:46,086+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] START, VmLogonVDSCommand(HostName = host_mixed_1, VmLogonVDSCommandParameters:{hostId='5201c168-340a-4314-a216-c02035e76b85', vmId='6b3b3157-4068-4e14-b396-04db62f5398a', domain='internal-authz', password='***', userName='admin@internal-authz'}), log id: 59637de9
2017-09-12 12:14:46,095+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] FINISH, VmLogonVDSCommand, log id: 59637de9
~~~

Comment 10 Sandro Bonazzola 2017-12-20 11:33:20 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.