Bug 1467401

Summary: Rest API fails with a 404 when listing sessions for a VM if an external AD user is logged in into the VM.
Product: [oVirt] ovirt-engine Reporter: Miguel Martin <mmartinv>
Component: RestAPIAssignee: Ondra Machacek <omachace>
Status: CLOSED DUPLICATE QA Contact: Pavel Stehlik <pstehlik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.1.2.2CC: bugs, mmartinv, mperina, omachace, rnori
Target Milestone: ---Flags: mmartinv: planning_ack?
mmartinv: devel_ack?
mmartinv: testing_ack?
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-04 13:38:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miguel Martin 2017-07-03 16:38:22 UTC 
Description of problem:
Rest API fails with a 404 when listing sessions for a VM if an external AD user is logged in into the VM.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use 'ovirt-engine-extension-aaa-ldap-setup' to configure an AD domain as an external provider
2. In 'webadmin' portal add 'userRole' role to an AD user for the target VM  
3. Use the previous AD user to login into 'userportal'
4. Open the target VM console.
5. Open a new browser and request the session list for the target VM:

https://rhvm.example.com/ovirt-engine/api/vms/<vmid>/sessions  

Actual results:

The API returns a 404 error

Expected results:

<sessions>
<session href="/ovirt-engine/api/vms/08fcbdf4-e44a-476b-b0f5-a876480af483/sessions/37a6259c-c0c1-dae2-99a7-866489dff0bd" id="37a6259c-c0c1-dae2-99a7-866489dff0bd">
<vm href="/ovirt-engine/api/vms/08fcbdf4-e44a-476b-b0f5-a876480af483" id="08fcbdf4-e44a-476b-b0f5-a876480af483"/>
<user>
<user_name>user</user_name>
</user>
</session>
</sessions>

Additional info:
server.log exception raised:

2017-07-03 16:48:34,345+02 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002010: Failed to execute: javax.ws.rs.WebApplicationException: HTTP 404 Not Found
        at org.ovirt.engine.api.restapi.resource.BaseBackendResource.handleError(BaseBackendResource.java:228) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.BackendResource.getEntity(BackendResource.java:118) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.BackendResource.getEntity(BackendResource.java:98) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.AbstractBackendSubResource.performGet(AbstractBackendSubResource.java:34) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.aaa.BackendUserResource.getUserByNameAndDomain(BackendUserResource.java:75) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.BackendVmSessionsResource.setSessionUser(BackendVmSessionsResource.java:87) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.BackendVmSessionsResource.addLinksIncludingUser(BackendVmSessionsResource.java:59) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.resource.BackendVmSessionsResource.list(BackendVmSessionsResource.java:42) [restapi-jaxrs.jar:]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_131]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_131]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_131]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_131]
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs.jar:3.0.19.SP3-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec.jar:1.0.0.Final-redhat-1]
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:266) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:201) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:202) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:109) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.api.restapi.invocation.VersionFilter.doFilter(VersionFilter.java:139) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.invocation.VersionFilter.doFilter(VersionFilter.java:68) [restapi-jaxrs.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.api.restapi.invocation.CurrentFilter.doFilter(CurrentFilter.java:116) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.invocation.CurrentFilter.doFilter(CurrentFilter.java:71) [restapi-jaxrs.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.RestApiSessionMgmtFilter.doFilter(RestApiSessionMgmtFilter.java:78) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.EnforceAuthFilter.doFilter(EnforceAuthFilter.java:39) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter.doFilter(SsoRestApiNegotiationFilter.java:91) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter.doFilter(SsoRestApiAuthFilter.java:47) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.SessionValidationFilter.doFilter(SessionValidationFilter.java:59) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.core.aaa.filters.RestApiSessionValidationFilter.doFilter(RestApiSessionValidationFilter.java:35) [aaa.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.api.restapi.security.CSRFProtectionFilter.doFilter(CSRFProtectionFilter.java:111) [restapi-jaxrs.jar:]
        at org.ovirt.engine.api.restapi.security.CSRFProtectionFilter.doFilter(CSRFProtectionFilter.java:102) [restapi-jaxrs.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.ovirt.engine.api.restapi.security.CORSSupportFilter.doFilter(CORSSupportFilter.java:183) [restapi-jaxrs.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246) [undertow-core.jar:1.3.28.Final-redhat-4]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802) [undertow-core.jar:1.3.28.Final-redhat-4]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131]
Comment 1 Juan Hernández 2017-07-03 16:43:02 UTC 
This happens because for LDAP authentication profiles we are storing in the 'users' table the name of the user with the profile name suffix, but then, in the API, when we do the query we do it with the profile name.

Note that for the internal authentication profile we are instead storing the user name without the profile suffix.

So we need to find a way to do the query with or without the profile name, depending on how we store it in the 'users' table.

Ondra, can you please take a look?
Comment 2 Ondra Machacek 2017-07-04 08:27:36 UTC 
I think this is duplicate of bug 1440861. I guess your user is part of group, right? Can you re-test with 4.1.3 version?
Comment 3 Miguel Martin 2017-07-04 10:38:27 UTC 
I can confirm that it works as expected in version 4.1.3:

~~~
<sessions>
<session href="/ovirt-engine/api/vms/2c98f68a-5107-4c02-b664-7c2c2b17085f/sessions/184bd21b-eb41-22a7-83f2-07401485e9ea" id="184bd21b-eb41-22a7-83f2-07401485e9ea">
<console_user>true</console_user>
<ip>
<address>192.168.1.10</address>
</ip>
<user>
<user_name>user</user_name>
<domain>
<name>example.com</name>
</domain>
</user>
<vm href="/ovirt-engine/api/vms/2c98f68a-5107-4c02-b664-7c2c2b17085f" id="2c98f68a-5107-4c02-b664-7c2c2b17085f"/>
</session>
<session href="/ovirt-engine/api/vms/2c98f68a-5107-4c02-b664-7c2c2b17085f/sessions/37a6259c-c0c1-dae2-99a7-866489dff0bd" id="37a6259c-c0c1-dae2-99a7-866489dff0bd">
<user>
<user_name>Administrator@DOMAIN</user_name>
</user>
<vm href="/ovirt-engine/api/vms/2c98f68a-5107-4c02-b664-7c2c2b17085f" id="2c98f68a-5107-4c02-b664-7c2c2b17085f"/>
</session>
</sessions>
~~~

Thanks
Comment 4 Ondra Machacek 2017-07-04 13:38:03 UTC 

*** This bug has been marked as a duplicate of bug 1440861 ***