Bug 1268076 - Can't login to Admin portal after engine-manage-domains command
Summary: Can't login to Admin portal after engine-manage-domains command
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ovirt-3.6.1
Target Release: 3.6.1
Assignee: Martin Perina
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: 1275043
Reported: 2015-10-01 18:38 UTC by Bill Sanford
Modified: 2016-02-10 19:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The --add-permissions option of engine-manage-domains allowed adding the SuperUser permission for the LDAP user specified in the --user option, but this user should be used only to access the LDAP server internally and not as an oVirt administrator. The --add-permissions option was removed from oVirt 3.6, so an oVirt administrator will need to log in to webadmin as admin@internal and assign proper permissions to LDAP users using the webadmin UI.
Clone Of:
Clones: 1275043
Environment:
Last Closed: 2015-12-16 12:21:32 UTC
oVirt Team: Infra
Embargoed:
oourfali: ovirt-3.6.z?
rule-engine: planning_ack?
masayag: devel_ack+
rule-engine: testing_ack+


Attachments
Screenshot of error message. (213.72 KB, image/png), 2015-10-01 18:39 UTC, Bill Sanford


Links
oVirt gerrit 47617 (ovirt-engine-3.6, MERGED): tools: Fix issue with adding permission for manage-domains user
oVirt gerrit 47621 (ovirt-engine-3.5, MERGED): tools: Fix issue with adding permission for manage-domains user

Description Bill Sanford 2015-10-01 18:38:28 UTC
Description of problem:
Can't login to Admin portal after engine-manage-domains command. The error on the AP screen is: "User is not authorized to perform this action."

Version-Release number of selected component (if applicable):
rhevm-3.6.0-0.18.el6

How reproducible:
100%

Additional info:

[root@rhevm ~]# engine-manage-domains add --domain=spice.ml2.eng.bos.redhat.com --provider=IPA --user=rhevadmin --add-permissions
Enter password:
Successfully added domain spice.ml2.eng.bos.redhat.com. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@rhevm ~]# service ovirt-engine restart
Stopping oVirt Engine:                                     [  OK  ]
Starting oVirt Engine:                                     [  OK  ]
[root@rhevm ~]#

Comment 1 Bill Sanford 2015-10-01 18:39:45 UTC
Created attachment 1079225 [details]
Screenshot of error message.

Comment 2 Bill Sanford 2015-10-02 14:30:02 UTC
I just logged into the "Internal" domain with the "Admin" user and got in without issue.

Comment 3 Bill Sanford 2015-10-06 13:20:54 UTC
We need to document the correct way to use engine-manage-domains in the Mojo setup page: https://mojo.redhat.com/docs/DOC-1035018

Comment 4 Martin Perina 2015-10-07 09:37:00 UTC
Hi,

could you please attach server.log and engine.log?

And also please be aware that engine-manage-domains is deprecated in RHEVM 3.6.0; you should use ovirt-engine-extension-aaa-ldap instead. More info can be found at:

http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

Comment 5 Bill Sanford 2015-10-13 12:55:09 UTC
The install didn't last long and I don't have the server or engine logs from the install.

Comment 6 Oved Ourfali 2015-10-13 13:09:54 UTC
Does it still happen?
If not, and no logs, we can't proceed further with this bug.

Comment 7 Ondra Machacek 2015-10-21 09:10:00 UTC
Successfully reproduced on latest 3.6.
The user is not added at all. Command to add user is called correctly.
But user is not in DB.

2015-10-21 11:05:45,669 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: cd698101-25ec-11e3-88ec-ca833d391095 username: vdcadmin domain: brq-ldap.rhev.lab.eng.brq.redhat.com

Comment 8 Alon Bar-Lev 2015-10-21 20:56:39 UTC
engine-manage-domains is deprecated since 3.5, please use ovirt-engine-extension-aaa-ldap[1][2]

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

Comment 9 Alon Bar-Lev 2015-10-21 21:02:35 UTC
Thanks to Ondra, I discovered that the --add-permissions adds the SEARCH user as ADMIN of engine, while STORING the password of that user within the database of engine.

This is a security issue: the search user should be used only for lookup of users, nothing else; it should be a dedicated application (service) user and must not be used interactively or for any other purpose.

I am glad it does not work.

We should remove the --add-permissions option.

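As an added detection example that is not part of this bug report or of oVirt's own code: the script below scans engine.log lines in the format quoted in comment 7 for ManageDomainsDaoImpl permission grants and flags any grant whose target is the LDAP bind user given to --user, which per comment 9 should hold no engine permissions at all. The log excerpt and the domain-to-bind-user mapping are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the engine.log line written when engine-manage-domains grants a
# permission to a domain user (format taken from the line quoted in comment 7).
PERMISSION_GRANT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+INFO\s+"
    r"\[org\.ovirt\.engine\.extensions\.aaa\.builtin\.tools\.ManageDomainsDaoImpl "
    r"updatePermissionsTable\]\s+uuid:\s*(?P<uuid>\S+)\s+"
    r"username:\s*(?P<user>\S+)\s+domain:\s*(?P<domain>\S+)\s*$"
)

@dataclass(frozen=True)
class PermissionGrant:
    timestamp: str
    uuid: str
    username: str
    domain: str

def parse_permission_grants(log_lines):
    """Return every ManageDomainsDaoImpl permission grant found in the log."""
    grants = []
    for line in log_lines:
        m = PERMISSION_GRANT_RE.match(line.rstrip("\n"))
        if m:
            grants.append(PermissionGrant(m["ts"], m["uuid"], m["user"], m["domain"]))
    return grants

def find_service_account_grants(log_lines, bind_users):
    """Flag grants whose target is a configured LDAP bind (search) account.
    bind_users maps domain -> the --user value for that domain, i.e. the
    dedicated service account that must never hold engine permissions."""
    return [g for g in parse_permission_grants(log_lines)
            if bind_users.get(g.domain, "").lower() == g.username.lower()]

# Constructed engine.log excerpt: line 1 mirrors the line quoted in comment 7,
# line 2 is unrelated noise, line 3 is a grant to an ordinary LDAP user.
SAMPLE_LOG = [
    "2015-10-21 11:05:45,669 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: cd698101-25ec-11e3-88ec-ca833d391095 username: vdcadmin domain: brq-ldap.rhev.lab.eng.brq.redhat.com",
    "2015-10-21 11:05:46,001 INFO    [org.ovirt.engine.core.bll.Backend] (MSC service thread) Running ovirt-engine 3.6.0",
    "2015-10-21 11:06:10,120 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: 11111111-2222-3333-4444-555555555555 username: jdoe domain: brq-ldap.rhev.lab.eng.brq.redhat.com",
]

# Constructed mapping of domain -> bind user, taken from each domain's --user option.
BIND_USERS = {"brq-ldap.rhev.lab.eng.brq.redhat.com": "vdcadmin"}

if __name__ == "__main__":
    for g in find_service_account_grants(SAMPLE_LOG, BIND_USERS):
        print(f"{g.timestamp}: bind user {g.username}@{g.domain} was granted engine permissions")
```
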
Comment 10 Red Hat Bugzilla Rules Engine 2015-10-21 21:08:07 UTC
This bug is not marked for z-stream, yet the milestone is for a z-stream version, therefore the milestone has been reset.
Please set the correct milestone or add the z-stream flag.

Comment 11 Red Hat Bugzilla Rules Engine 2015-10-21 21:09:52 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 12 Martin Perina 2015-10-21 22:34:42 UTC
(In reply to Alon Bar-Lev from comment #9)
> Thanks to Ondra, I discovered that the --add-permissions adds the SEARCH
> user as ADMIN of engine, while STORING the password of that user within the
> database of engine.
> 
> This is a security issue, the search user should be used only for lookup of
> users, nothing else, it should be dedicated application (service) user, must
> not be used interactively or for any other purpose.
> 
> I am glad it does not work.
> 
> We should remove the --add-permissions option.

--add-permissions was always used and worked fine from the beginning. Even though engine-manage-domains is deprecated in 3.5+, we cannot break its functionality until it's removed in 4.0.

The attached patch fixes the changes made to the attach_user_to_role function for 3.6; after it's merged we also need to backport it to 3.5.

Comment 13 Alon Bar-Lev 2015-10-21 22:50:18 UTC
(In reply to Martin Perina from comment #12)
> (In reply to Alon Bar-Lev from comment #9)
> > Thanks to Ondra, I discovered that the --add-permissions adds the SEARCH
> > user as ADMIN of engine, while STORING the password of that user within the
> > database of engine.
> > 
> > This is a security issue, the search user should be used only for lookup of
> > users, nothing else, it should be dedicated application (service) user, must
> > not be used interactively or for any other purpose.
> > 
> > I am glad it does not work.
> > 
> > We should remove the --add-permissions option.
> 
> --add-permissions was always used and worked fine from the beginning. Even
> though engine-manage-domains is deprecated in 3.5+, we cannot break its
> functionality until it's removed in 4.0.
> 
> The attached patch fixes the changes made to the attach_user_to_role function
> for 3.6; after it's merged we also need to backport it to 3.5.

Yes we can if it is a security issue; please remove this in 3.6.

Comment 14 Oved Ourfali 2015-10-22 04:22:31 UTC
I agree with Martin here. This should be fixed.

Comment 15 Martin Perina 2015-10-22 09:57:15 UTC
So here's the solution:

1. In oVirt 3.6 we will remove the --add-permissions option from engine-manage-domains, so the user specified in the --user option of engine-manage-domains will be used only to access the LDAP server. If an administrator wants to add permissions to LDAP users, he needs to log in to webadmin as admin@internal and assign permissions using the webadmin UI.

2. In oVirt 3.5 we fixed the --add-permissions behaviour, so it works as described in the documentation.

I think this change should be part of oVirt 3.6.0 and not 3.6.1.

Comment 16 Bill Sanford 2015-10-27 14:47:55 UTC
Oved, when using this command, should there be some text that the command has changed so that admin@internal needs to change permissions? Maybe then in 3.6.1 it needs to say it was deprecated?

Comment 17 Oved Ourfali 2015-10-27 15:23:47 UTC
The doc text covers that.

Comment 18 Martin Perina 2015-10-27 17:35:25 UTC
(In reply to Bill Sanford from comment #16)
> Oved, when using this command, should there be some text that the command
> has changed so that admin@internal needs to change permissions? Maybe
> then in 3.6.1 it needs to say it was deprecated?

When you execute "engine-manage-domains add ..." in 3.6, the following info is displayed to the user:

  The domain XXX has been added to the engine as an authentication source but no
  users from that domain have been granted permissions within the oVirt Manager.
  Users from this domain can be granted permissions from the Web administration
  interface logging in as admin@internal user.

So the user is notified that he has to assign permissions to LDAP users in the webadmin portal.

And also doc text attached to this bug describes the change.

Comment 19 Ondra Machacek 2015-11-26 09:20:47 UTC
[root@om-ovirt36 ~]# rpm -q rhevm-backend
rhevm-backend-3.6.1-0.2.el6.noarch

[root@om-ovirt36 ~]# engine-manage-domains add --domain=ldap-domain --provider=rhds --user=admin --add-permissions
Error parsing arguments. Details: java.lang.IllegalArgumentException: Invalid argument '--add-permissions'

Comment 20 Sandro Bonazzola 2015-12-16 12:21:32 UTC
According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.
