Bug 1121954 - [AAA] Unable to assign permissions to user
Summary: [AAA] Unable to assign permissions to user
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 3.5.1
Assignee: Yair Zaslavsky
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: 1017030 oVirt-AAA-rewrite
Reported: 2014-07-22 08:37 UTC by Ondra Machacek
Modified: 2016-02-10 19:33 UTC (History)

Fixed In Version: vt3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 16:02:14 UTC
oVirt Team: Infra


Attachments
engine.log (2.89 KB, text/plain)
2014-07-22 08:37 UTC, Ondra Machacek


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 30473 None None None Never
oVirt gerrit 30487 None None None Never
oVirt gerrit 34155 master MERGED aaa: Change the check of internal command execution Never
oVirt gerrit 34300 ovirt-engine-3.5 MERGED aaa: Change the check of internal command execution Never

Description Ondra Machacek 2014-07-22 08:37:38 UTC
Created attachment 919831 [details]
engine.log

Description of problem:


Version-Release number of selected component (if applicable):
ovirt-engine-3.5.0-0.0.master.20140715172116.git4687dc1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Create in LDAP user with some UTF-8 characters in username.
2. Connect LDAP to engine.
3. go to datacenter tab -> permissions sub tab, and assign this user some 
   permissions

Actual results:
Action fail. User is not added and permissions are not assigned.

Expected results:
Action succeed. User is added and permissions are assigned.

Additional info:

Comment 1 Ondra Machacek 2014-07-22 08:50:44 UTC
Well it's not applicable only for UTF-8 users, but for every user.

Comment 2 Yair Zaslavsky 2014-07-24 14:32:30 UTC
Works on master.

Comment 3 Oved Ourfali 2014-07-24 14:34:06 UTC
(In reply to Yair Zaslavsky from comment #2)
> Works on master.

What about 3.5?

Comment 4 Yair Zaslavsky 2014-07-24 14:57:28 UTC
and on 3.5 as well.
Actually, I verified this when worked on

http://gerrit.ovirt.org/#/c/30473/6

Comment 5 Jiri Belka 2014-08-20 11:50:31 UTC
Could we move forward a bit? We can't test almost anything in User Portal.

Comment 6 Alon Bar-Lev 2014-08-20 11:53:09 UTC
(In reply to Jiri Belka from comment #5)
> Could we move forward a bit? We can't test almost anything in User Portal.

what version do you use for test?

Comment 7 Jiri Belka 2014-08-20 12:11:11 UTC
ovirt-engine-backend-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch

but it's super odd. I had the same issue and was told to try on a clean installation, then it worked, but I needed to add a new domain and it stopped working. (I still have admin@internal in 'System Permissions' with 'UserRole' as I added it right after the clean installation of admin@internal.)

Comment 8 Alon Bar-Lev 2014-08-20 12:42:22 UTC
Can you please provide sequence so I can try and reproduce? please start with fresh installation.
Thanks!

Comment 9 Ondra Machacek 2014-09-16 10:28:36 UTC
I didn't succeed in reproducing. It's OK in vt 3.1.

Comment 10 Ondra Machacek 2014-10-08 17:23:47 UTC
OK, I again hit this issue; these are the exact reproduction steps (vt5):

1) yum install -y ovirt-engine-extension-aaa-ldap-0.0.0-0.0.4.master.el6ev.noarch

2) cd /etc/ovirt-engine/extensions.d

3) cat >> conf_ldap-authn-digest_openldap.properties << EOF
include = <openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = brq-openldap.rhev.lab.eng.brq.redhat.com
pool.authz.auth.type = digest-md5
pool.authz.auth.digest-md5.authenticationID = user_digest
pool.authz.auth.digest-md5.password = 1234567
EOF

4) cat >> ldap-authz-digest_openldap.properties << EOF
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authz-digest_openldap
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-digest_openldap.properties
EOF

5) cat >> ldap-authn-digest_openldap.properties << EOF
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-auth-digest_openldap
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-digest_openldap.properties
ovirt.engine.aaa.authn.profile.name = ldap-authn-digest_openldap
ovirt.engine.aaa.authn.authz.plugin = ldap-authz-digest_openldap
EOF

6) chown ovirt:ovirt *.properties

7) service ovirt-engine restart

8) Go to webadmin, click Clusters, click the default cluster -> permissions subtab -> add a permission for some user from openldap.

Actual result:
"User admin failed to grant permission for Role UserRole on Data Center Default to User/Group <UNKNOWN>."

relevant error in log:
2014-10-08 17:10:53,988 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (org.ovirt.thread.pool-7-thread-5) [12154c42] Command org.ovirt.engine.core.bll.AddPermissionCommand throw exception: java.lang.NullPointerException
	at org.ovirt.engine.core.compat.Guid.hashCode(Guid.java:114) [compat.jar:]

Comment 11 Alon Bar-Lev 2014-10-08 18:42:13 UTC
working for me... cannot reproduce.
strange.

Comment 12 Ondra Machacek 2014-10-09 11:42:55 UTC
OK. Me neither, but with these steps I am able to reproduce 100%.

replace
pool.authz.auth.type = digest-md5
pool.authz.auth.digest-md5.authenticationID = user_digest
pool.authz.auth.digest-md5.password = 1234567

with
pool.default.auth.type = digest-md5
pool.default.auth.digest-md5.authenticationID = user_digest
pool.default.auth.digest-md5.password = 1234567

then add another domain. It doesn't matter which, e.g.:
$ rhevm-manage-domains add --domain=brq-openldap.rhev.lab.eng.brq.redhat.com --user=user1 --provider=openldap

now you are not able to use ldap-auth-digest_openldap,
but you should be able to use brq-openldap.rhev.lab.eng.brq.redhat.com.

If you try to assign some user from brq-openldap.rhev.lab.eng.brq.redhat.com
permissions, then it fails with the above error.

Comment 13 Alon Bar-Lev 2014-10-09 14:17:50 UTC
pool.default.auth.type = digest-md5 should not be modified; it affects the authn pool, which should be anonymous.

I am also not sure why affecting the authn will not allow you to assign permissions, as it is using authz only.

Please do not mix legacy and new implementation when opening bugs.

Please do not mix legacy and new implementation especially when using sasl, as java has very poor support for multiple sasl connections.
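The two misconfigurations discussed in comments 12 and 13 (credentials placed on the default pool, and an authn extension pointing at an authz name that no extension file defines) can be caught before restarting the engine. The following lint script is an added example, not part of the bug report or of ovirt-engine-extension-aaa-ldap; the sample files it writes are constructed, with placeholder server and password values.

```shell
#!/bin/sh
# Added example (not from the bug report): lint two common mistakes from this
# thread in oVirt AAA extension files. The sample files below are constructed.
TMPD=$(mktemp -d)
cat > "$TMPD/conf_ldap.properties" << 'EOF'
include = <openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = ldap.example.test
pool.default.auth.type = digest-md5
pool.default.auth.digest-md5.authenticationID = user_digest
pool.default.auth.digest-md5.password = PLACEHOLDER
EOF
cat > "$TMPD/authz.properties" << 'EOF'
ovirt.engine.extension.name = ldap-authz-example
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
EOF
cat > "$TMPD/authn.properties" << 'EOF'
ovirt.engine.extension.name = ldap-authn-example
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = ldap-authz-typo
EOF

# prop FILE KEY_REGEX: print the trimmed value of the first matching key.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_profile FILE: per comment 13 the default pool (used by authn) should
# stay anonymous, so any explicit pool.default.auth.type setting is reported.
check_profile() {
  t=$(prop "$1" 'pool\.default\.auth\.type')
  if [ -z "$t" ]; then echo ok; else echo "default-pool-auth:$t"; fi
}

# check_authz_ref AUTHN_FILE DIR: the authz plugin named by the authn extension
# must match the ovirt.engine.extension.name of an Authz extension file in DIR.
check_authz_ref() {
  want=$(prop "$1" 'ovirt\.engine\.aaa\.authn\.authz\.plugin')
  for f in "$2"/*.properties; do
    if [ "$(prop "$f" 'ovirt\.engine\.extension\.name')" = "$want" ] &&
       [ "$(prop "$f" 'ovirt\.engine\.extension\.provides')" = "org.ovirt.engine.api.extensions.aaa.Authz" ]; then
      echo ok; return 0
    fi
  done
  echo "authz-missing:$want"
}

check_profile "$TMPD/conf_ldap.properties"
check_authz_ref "$TMPD/authn.properties" "$TMPD"
```

Run it against /etc/ovirt-engine/extensions.d by passing the real file paths to the two check functions instead of the constructed samples.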

Comment 14 Yair Zaslavsky 2014-10-10 09:12:40 UTC
Please switch to working generic ldap extensions mechanism.
Adding a permission adds a user if it doesn't exist; if you can't seem to add a user, there might be an issue with the generic ldap extension mechanism, not with the MLA or the AddUserCommand at engine.

Comment 15 Alon Bar-Lev 2014-10-10 23:06:03 UTC
Yair, the add user should work also if the provider was not initialized, or anything is wrong. The failure should be a specific error and not a null pointer exception.

Comment 16 Yair Zaslavsky 2014-10-14 12:27:39 UTC
Failed to reproduce on my env.
Are you sure I can use "any" domain with manage-domains?
Please provide credentials for the relevant domain you tried to add and the full engine.log of your reproduction.

Thanks!

Comment 17 Sandro Bonazzola 2014-10-17 12:14:13 UTC
Moving pending bugs not fixed in 3.5.0 to 3.5.1.

Comment 18 Ondra Machacek 2014-12-09 13:23:14 UTC
OK in vt 13.1. I didn't succeed in reproducing.

Comment 19 Sandro Bonazzola 2015-01-21 16:02:14 UTC
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.
