Bug 1261382 - [aaa] When engine-setup is run after upgrade again, admin@internal get expired password
Status: CLOSED DUPLICATE of bug 1260573
Product: oVirt
Classification: Community
Component: ovirt-engine-installer
3.6
x86_64 Linux
unspecified Severity urgent
: 3.6.0
Assigned To: Martin Perina
Ondra Machacek
infra
Depends On: 1164870
Blocks: 917035
Reported: 2015-09-09 04:31 EDT by Nikolai Sednev
Modified: 2016-02-10 14:34 EST

Doc Type: Bug Fix
Last Closed: 2015-09-10 07:52:43 EDT
Type: Bug
oVirt Team: Infra


Attachments
engine logs (815.71 KB, application/x-gzip)
2015-09-09 04:37 EDT, Nikolai Sednev
Description Nikolai Sednev 2015-09-09 04:31:52 EDT
Description of problem:
HE upgrade from 3.5.4 to 3.6 (13) caused user admin to be unable to log in to the engine or to change the password afterwards by using "engine-config -s AdminPassword=interactive".

Version-Release number of selected component (if applicable):
ovirt-host-deploy-1.4.0-0.0.5.master.el6ev.noarch
ovirt-engine-extension-aaa-jdbc-0.0.0-6.el6ev.noarch
ovirt-vmconsole-1.0.0-0.0.1.master.el6ev.noarch
ovirt-vmconsole-proxy-1.0.0-0.0.1.master.el6ev.noarch
rhevm-3.6.0-0.13.master.el6.noarch
ovirt-host-deploy-java-1.4.0-0.0.5.master.el6ev.noarch
qemu-guest-agent-0.12.1.2-2.479.el6.x86_64
rhevm-guest-agent-common-1.0.10-2.el6ev.noarch

How reproducible:
50%

Steps to Reproduce:
1. Install HE on two RHEL7.1 hosts with RHEVM3.5.4 latest.
2. Upgrade from latest 3.5.4 to 3.6 while both hosts are in global maintenance.
3. Return both hosts from maintenance and log in to the engine.
4. Set one of the hosts to global maintenance (the one that is not running the engine).
5. Upgrade the host to RHEL7.2, while the second host remains with the running engine on top of RHEL7.1.
6. Set the host that is running the engine into global maintenance.
7. On the engine, via CLI shell, install ovirt-vmconsole-proxy.
8. On the engine, run engine-setup and enable vm-console configuration.
9. When engine-setup has finished, try logging in to the engine via WEBUI.

Actual results:
User admin failed to log in to the engine via WEBUI.

Expected results:
User admin should be able to log in.

Additional info:
At some point I was able to log in; I don't really understand why, so I'm adding all logs to this bug.
Comment 1 Nikolai Sednev 2015-09-09 04:37:04 EDT
Created attachment 1071618
engine logs
Comment 2 Nikolai Sednev 2015-09-09 04:41:06 EDT
I also tried to check if hosts and engine synced, then aligned them with required ntp configurations and that didn't help, although time was the same on both hosts and the engine.

I tried to change the password for the user and also failed, while using the steps defined here: http://www.ovirt.org/Engine_config_examples

# engine-config -s AdminPassword=interactive
Error setting AdminPassword's value. No such entry.
Comment 3 Nikolai Sednev 2015-09-09 05:33:54 EDT
Please disregard the sentence "Additional info:
At some point I was able to log in; I don't really understand why, so I'm adding all logs to this bug.". It actually did not happen (mixed up with another engine).
Comment 4 Martin Perina 2015-09-09 06:09:26 EDT
(In reply to Nikolai Sednev from comment #2)
> I also tried to check if hosts and engine synced, then aligned them with
> required ntp configurations and that didn't help, although time was the
> same on both hosts and the engine.
> 
> I tried to change the password for the user and also failed, while using
> the steps defined here: http://www.ovirt.org/Engine_config_examples
> 
> # engine-config -s AdminPassword=interactive
> Error setting AdminPassword's value. No such entry.

In RHEV 3.6 the 'internal' domain is managed by the aaa-jdbc provider. So if you want to change the 'admin@internal' password, please execute:

ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2025-08-15 10:30:00Z"

More info can be found at http://www.ovirt.org/Features/AAA_JDBC#Password_management
Comment 6 Yaniv Kaul 2015-09-09 06:53:36 EDT
(In reply to Martin Perina from comment #4)
> (In reply to Nikolai Sednev from comment #2)
> > I also tried to check if hosts and engine synced, then aligned them with
> > required ntp configurations and that didn't help, although time was the
> > same on both hosts and the engine.
> > 
> > I tried to change the password for the user and also failed, while using
> > the steps defined here: http://www.ovirt.org/Engine_config_examples
> > 
> > # engine-config -s AdminPassword=interactive
> > Error setting AdminPassword's value. No such entry.
> 
> In RHEV 3.6 the 'internal' domain is managed by the aaa-jdbc provider. So if you
> want to change the 'admin@internal' password, please execute:
> 
> ovirt-aaa-jdbc-tool user password-reset admin
> --password-valid-to="2025-08-15 10:30:00Z"
> 
> More info can be found at
> http://www.ovirt.org/Features/AAA_JDBC#Password_management

Martin, I'd expect the 'old' method to return an error explaining to the user to use the new method...
Comment 7 Ondra Machacek 2015-09-09 09:40:02 EDT
I succeeded in reproducing it.
Steps:
1) install 3.5
2) change the needed repos to the ones for 3.6
3) yum update rhevm-setup
4) engine-setup
5) engine-setup

After step 4) the proper jdbc schemas are not created (not sure why). In this step the correct password expiration is also set. Auth[zn] files are created as follows:

authn:
ovirt.engine.extension.name = internal-authn
...
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal
config.authn.user.name = admin
config.authn.user.password = **********

authz:
ovirt.engine.extension.name = internal
.....
config.authz.user.name = admin
config.authz.user.id = fdfc627c-d875-11e0-90f0-83df133b58cc


Only after step 5) is the proper jdbc schema created, with proper properties files. But in this step only the admin user is created, but it doesn't have a correctly set up password.

Why is there that intermediate step, and why is the correct jdbc schema not created in step 4? That seems to be the issue, unless it's needed for some reason.
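
[Added example, not part of the bug thread and not oVirt code: a shell check that flags the intermediate state described in comment 7, where the internal authn/authz extension files still carry the config.auth[nz].user.* keys. The function names, the state labels and the sample files are constructed for illustration; on a real engine, pass the paths of the two extension properties files.]

```shell
#!/bin/sh
# Flag extension properties files that still carry the embedded-admin keys
# quoted in comment 7 (config.authn.user.* / config.authz.user.*).
# State labels (hypothetical names used only by this example):
#   pre-jdbc : at least one config.auth[nz].user.* key is present
#   other    : none present (what the file holds instead is not inspected)
#   missing  : file absent or unreadable

# prop_keys FILE: print the key of every "key = value" line,
# skipping blank lines and '#' / '!' comment lines.
prop_keys() {
    sed -e 's/^[[:space:]]*//' -e '/^[#!]/d' -e '/^$/d' \
        -e 's/[[:space:]]*[=:].*$//' "$1"
}

# classify_extension FILE: print pre-jdbc, other or missing.
classify_extension() {
    [ -r "$1" ] || { echo missing; return 0; }
    if prop_keys "$1" | grep -Eq '^config\.auth[nz]\.user\.'; then
        echo pre-jdbc
    else
        echo other
    fi
}

# check_internal_profile AUTHN_FILE AUTHZ_FILE
# Prints both states; exit status 0 only when neither file is pre-jdbc
# or missing, so it can gate a post-upgrade login test.
check_internal_profile() {
    authn=$(classify_extension "$1")
    authz=$(classify_extension "$2")
    echo "authn=$authn authz=$authz"
    [ "$authn" = other ] && [ "$authz" = other ]
}

# demo: run the check on constructed sample files (not real engine data).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ovirt.engine.extension.name = internal-authn' \
        'config.authn.user.name = admin' \
        'config.authn.user.password = placeholder' > "$d/authn.properties"
    printf '%s\n' '# constructed sample' \
        'ovirt.engine.extension.name = internal' > "$d/authz.properties"
    check_internal_profile "$d/authn.properties" "$d/authz.properties"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A non-zero status from check_internal_profile after the first engine-setup run corresponds to the state comment 7 describes.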
Comment 8 Ondra Machacek 2015-09-10 07:45:05 EDT
Btw., you can resolve the issue if you install the package 'ovirt-engine-extension-aaa-jdbc' just before the upgrade, so I believe it's kind of a duplicate of bug 1260573.
Comment 9 Alon Bar-Lev 2015-09-10 07:52:43 EDT

*** This bug has been marked as a duplicate of bug 1260573 ***
