Description of problem:
Can't login to Admin portal after engine-manage-domains command. The error on the AP screen is: "User is not authorized to perform this action."

Version-Release number of selected component (if applicable):
rhevm-3.6.0-0.18.el6

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
[root@rhevm ~]# engine-manage-domains add --domain=spice.ml2.eng.bos.redhat.com --provider=IPA --user=rhevadmin --add-permissions
Enter password:
Successfully added domain spice.ml2.eng.bos.redhat.com.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@rhevm ~]# service ovirt-engine restart
Stopping oVirt Engine: [ OK ]
Starting oVirt Engine: [ OK ]
[root@rhevm ~]#
Created attachment 1079225: Screenshot of error message.
I just logged into the "Internal" domain with the "Admin" user and got in without issue.
We need to document the correct way to use engine-manage-domains in the Mojo setup page: https://mojo.redhat.com/docs/DOC-1035018
Hi, could you please attach server.log and engine.log? And also please be aware that engine-manage-domains is deprecated in RHEVM 3.6.0, you should use ovirt-engine-extension-aaa-ldap instead, more info can be found at:
http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
The install didn't last long and I don't have the server or engine logs from the install.
Does it still happen? If not, and no logs, we can't proceed further with this bug.
Successfully reproduced on latest 3.6. The user is not added at all. Command to add user is called correctly. But user is not in DB.

2015-10-21 11:05:45,669 INFO [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: cd698101-25ec-11e3-88ec-ca833d391095 username: vdcadmin domain: brq-ldap.rhev.lab.eng.brq.redhat.com
engine-manage-domains is deprecated since 3.5, please use ovirt-engine-extension-aaa-ldap [1][2]

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
Thanks to Ondra, I discovered that --add-permissions adds the SEARCH user as ADMIN of the engine, while STORING the password of that user within the database of the engine.

This is a security issue: the search user should be used only for lookup of users, nothing else. It should be a dedicated application (service) user and must not be used interactively or for any other purpose.

I am glad it does not work.

We should remove the --add-permissions option.
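The finding above is a standing audit point for any engine that was ever set up with the deprecated tool: a directory bind (search) account must never also hold an administrative role. The script below is an added example written for this thread, not oVirt code: it scans constructed shell-history lines for `engine-manage-domains add ... --add-permissions` invocations (the first sample line is the command from the bug report itself) and then cross-checks the affected bind accounts against a constructed list of role assignments. The `DomainConfig`/`Permission` shapes, the role names in `ADMIN_ROLES`, and the principal format `user@domain` are assumptions for illustration, not the engine's schema.

```python
"""Audit helpers: find where a directory search account was granted engine
admin rights via --add-permissions (constructed example, not oVirt code)."""

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainConfig:
    domain: str
    bind_user: str  # account meant only to search the directory (assumed field)


@dataclass(frozen=True)
class Permission:
    principal: str  # "user@domain" (assumed format)
    role: str


# Assumed admin role names; substitute the real ones for your deployment.
ADMIN_ROLES = {"SuperUser", "DataCenterAdmin"}


def add_permissions_invocations(history_lines):
    """Return (domain, user) for every 'engine-manage-domains add' call that
    passed --add-permissions. Lines that are not such a call are ignored."""
    hits = []
    for line in history_lines:
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: malformed history line, skip it
        if "engine-manage-domains" not in argv:
            continue
        args = argv[argv.index("engine-manage-domains") + 1:]
        if not args or args[0] != "add" or "--add-permissions" not in args:
            continue
        opts = {}
        for arg in args[1:]:
            if arg.startswith("--") and "=" in arg:
                key, value = arg[2:].split("=", 1)
                opts[key] = value
        hits.append((opts.get("domain", "?"), opts.get("user", "?")))
    return hits


def service_accounts_with_admin_roles(domains, permissions):
    """Return sorted (principal, role) pairs where a bind/search account
    holds an admin role. An empty list means the check passed."""
    bind_principals = {f"{d.bind_user}@{d.domain}".lower() for d in domains}
    findings = [
        (p.principal, p.role)
        for p in permissions
        if p.principal.lower() in bind_principals and p.role in ADMIN_ROLES
    ]
    return sorted(findings)


# Constructed sample data: the first history line is the bug report's command.
HISTORY = [
    "engine-manage-domains add --domain=spice.ml2.eng.bos.redhat.com "
    "--provider=IPA --user=rhevadmin --add-permissions",
    "engine-manage-domains list",
    "engine-manage-domains add --domain=example.test --provider=rhds --user=svc-ldap",
    "service ovirt-engine restart",
]

DOMAINS = [DomainConfig(domain=d, bind_user=u)
           for d, u in add_permissions_invocations(HISTORY)]

PERMISSIONS = [
    Permission("rhevadmin@spice.ml2.eng.bos.redhat.com", "SuperUser"),
    Permission("alice@spice.ml2.eng.bos.redhat.com", "UserRole"),
    Permission("svc-ldap@example.test", "UserRole"),
]


def audit():
    """Run both checks over the constructed sample data."""
    return {
        "add_permissions_calls": add_permissions_invocations(HISTORY),
        "bind_accounts_with_admin": service_accounts_with_admin_roles(DOMAINS, PERMISSIONS),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

Feed `add_permissions_invocations` the root shell history or an audit-log extract and `service_accounts_with_admin_roles` an export of the engine's permission table; any non-empty result is a bind account that should have its admin role revoked and its password rotated, since the report states that password was also stored in the engine database.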
This bug is not marked for z-stream, yet the milestone is for a z-stream version, therefore the milestone has been reset. Please set the correct milestone or add the z-stream flag.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
(In reply to Alon Bar-Lev from comment #9)
> Thanks for Ondra, I discovered that the --add-permissions adds the SEARCH
> user as ADMIN of engine, while STORING the password of that user within the
> database of engine.
>
> This is a security issue, the search user should be used only for lookup of
> users, nothing else, it should be dedicated application (service) user, must
> not be used interactively or for any other purpose.
>
> I am glad it does not work.
>
> We should remove the --add-permissions option.

--add-permissions was always used and worked fine from the beginning. Even when engine-manage-domains is deprecated in 3.5+, we cannot break its functionality until it's removed in 4.0.

Attached patch fixes the changes made to attach_user_to_role function for 3.6; after it's merged we also need to backport it to 3.5.
(In reply to Martin Perina from comment #12)
> (In reply to Alon Bar-Lev from comment #9)
> > Thanks for Ondra, I discovered that the --add-permissions adds the SEARCH
> > user as ADMIN of engine, while STORING the password of that user within the
> > database of engine.
> >
> > This is a security issue, the search user should be used only for lookup of
> > users, nothing else, it should be dedicated application (service) user, must
> > not be used interactively or for any other purpose.
> >
> > I am glad it does not work.
> >
> > We should remove the --add-permissions option.
>
> --add-permission was always used and worked fine from the beginning. Even
> when engine-manage-domains is deprecated in 3.5+, we cannot break its
> functionality until it's removed in 4.0.
>
> Attached patch fixes the changes made to attach_user_to_role function for
> 3.6, after it's merged we also need it to backport to 3.5.

Yes we can if it is a security issue, please remove this in 3.6.
I agree with Martin here. This should be fixed.
So here's the solution:

1. In oVirt 3.6 we will remove the --add-permissions option from engine-manage-domains, so the user specified in the --user option of engine-manage-domains will be used only to access the LDAP server. If an administrator wants to add permissions to LDAP users, he needs to log in to webadmin as admin@internal and assign permissions using the webadmin UI.

2. In oVirt 3.5 we fixed the --add-permissions behaviour, so it works as described in the documentation.

I think this change should be part of oVirt 3.6.0 and not 3.6.1.
Oved, when using this command, should there be some text that the command has changed so that admin@internal needs to change permissions? Maybe then in 3.6.1 it needs to say it was deprecated?
The doc text covers that.
(In reply to Bill Sanford from comment #16)
> Oved, when using this command, should there be some text that the command
> has changed so that the admin@internal needs to change permission? Maybe
> then in 3.6.1 needs to say it was deprecated?

When you execute "engine-manage-domains add ..." in 3.6 the following info is displayed to the user:

The domain XXX has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager. Users from this domain can be granted permissions from the Web administration interface logging in as admin@internal user.

So the user is notified that he has to assign permissions to LDAP users in the webadmin portal. And also the doc text attached to this bug describes the change.
[root@om-ovirt36 ~]# rpm -q rhevm-backend
rhevm-backend-3.6.1-0.2.el6.noarch
[root@om-ovirt36 ~]# engine-manage-domains add --domain=ldap-domain --provider=rhds --user=admin --add-permissions
Error parsing arguments. Details: java.lang.IllegalArgumentException: Invalid argument '--add-permissions'
According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.