Bug 1275043 - [z-stream clone 3.5.6] Can't login to Admin portal after engine-manage-domains command
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.5
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ovirt-3.5.6
Target Release: 3.5.6
Assigned To: Martin Perina
QA Contact: Ondra Machacek
Whiteboard: infra
Keywords: ZStream
Depends On: 1268076
Blocks:
Reported: 2015-10-25 07:39 EDT by Oved Ourfali
Modified: 2016-02-10 14:14 EST (History)
CC: 20 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1268076
Environment:
Last Closed: 2015-12-01 14:06:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 47617 None None None Never
oVirt gerrit 47621 ovirt-engine-3.5 MERGED tools: Fix issue with adding permission for manage-domains user Never

Description Oved Ourfali 2015-10-25 07:39:40 EDT
+++ This bug was initially created as a clone of Bug #1268076 +++

Description of problem:
Can't log in to the Admin portal after the engine-manage-domains command. The error on the AP screen is: "User is not authorized to perform this action."

Version-Release number of selected component (if applicable):
rhevm-3.6.0-0.18.el6

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

[root@rhevm ~]# engine-manage-domains add --domain=spice.ml2.eng.bos.redhat.com --provider=IPA --user=rhevadmin --add-permissions
Enter password:
Successfully added domain spice.ml2.eng.bos.redhat.com. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@rhevm ~]# service ovirt-engine restart
Stopping oVirt Engine:                                     [  OK  ]
Starting oVirt Engine:                                     [  OK  ]
[root@rhevm ~]#

--- Additional comment from Bill Sanford on 2015-10-01 14:39 EDT ---



--- Additional comment from Bill Sanford on 2015-10-02 10:30:02 EDT ---

I just logged into the "Internal" domain with the "Admin" user and got in without issue.

--- Additional comment from Bill Sanford on 2015-10-06 09:20:54 EDT ---

We need to document the correct way to use engine-manage-domains in the Mojo setup page: https://mojo.redhat.com/docs/DOC-1035018

--- Additional comment from Martin Perina on 2015-10-07 05:37:00 EDT ---

Hi,

could you please attach server.log and engine.log?

And also please be aware that engine-manage-domains is deprecated in RHEVM 3.6.0; you should use ovirt-engine-extension-aaa-ldap instead. More info can be found at:

http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

--- Additional comment from Bill Sanford on 2015-10-13 08:55:09 EDT ---

The install didn't last long and I don't have the server or engine logs from the install.

--- Additional comment from Oved Ourfali on 2015-10-13 09:09:54 EDT ---

Does it still happen?
If not, and no logs, we can't proceed further with this bug.

--- Additional comment from Ondra Machacek on 2015-10-21 05:10:00 EDT ---

Successfully reproduced on latest 3.6.
The user is not added at all. Command to add user is called correctly.
But user is not in DB.

2015-10-21 11:05:45,669 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: cd698101-25ec-11e3-88ec-ca833d391095 username: vdcadmin domain: brq-ldap.rhev.lab.eng.brq.redhat.com

--- Additional comment from Alon Bar-Lev on 2015-10-21 16:56:39 EDT ---

engine-manage-domain is deprecated since 3.5, please use ovirt-engine-extension-aaa-ldap[1][2]

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

--- Additional comment from Alon Bar-Lev on 2015-10-21 17:02:35 EDT ---

Thanks to Ondra, I discovered that --add-permissions adds the SEARCH user as ADMIN of the engine, while STORING the password of that user within the engine database.

This is a security issue: the search user should be used only for lookup of users, nothing else. It should be a dedicated application (service) user and must not be used interactively or for any other purpose.

I am glad it does not work.

We should remove the --add-permissions option.
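
As an added defender-side check (not code from this bug or from oVirt itself), the following Python parses the ManageDomainsDaoImpl updatePermissionsTable line quoted by Ondra above and flags any grant whose username is the LDAP search account configured for that domain, which is exactly the misuse Alon describes. The domain-to-search-user mapping and the additional log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of the engine.log line quoted on this page (ManageDomainsDaoImpl updatePermissionsTable).
GRANT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+INFO\s+"
    r"\[org\.ovirt\.engine\.extensions\.aaa\.builtin\.tools\.ManageDomainsDaoImpl"
    r" updatePermissionsTable\]\s+uuid:\s*(?P<uuid>\S+)\s+username:\s*(?P<user>\S+)"
    r"\s+domain:\s*(?P<domain>\S+)\s*$"
)


@dataclass(frozen=True)
class PermissionGrant:
    timestamp: str
    uuid: str
    username: str
    domain: str


def parse_permission_grants(lines):
    """Extract each permission grant recorded by engine-manage-domains --add-permissions."""
    found = [GRANT_RE.match(line.strip()) for line in lines]
    return [PermissionGrant(m["ts"], m["uuid"], m["user"], m["domain"]) for m in found if m]


def find_search_user_grants(grants, search_users):
    """Keep grants whose username is the configured LDAP search (bind) account for that domain."""
    return [g for g in grants
            if search_users.get(g.domain.lower(), "").lower() == g.username.lower()]


def report(lines, search_users):
    """One finding per grant that hands engine permissions to a search account."""
    return [f"{g.timestamp}: search user {g.username}@{g.domain} was granted engine "
            f"permissions (uuid {g.uuid}); use a dedicated lookup-only service account"
            for g in find_search_user_grants(parse_permission_grants(lines), search_users)]


# Constructed sample input: line 1 is the one quoted in the bug, the other two are made up.
SAMPLE_LOG = [
    "2015-10-21 11:05:45,669 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: cd698101-25ec-11e3-88ec-ca833d391095 username: vdcadmin domain: brq-ldap.rhev.lab.eng.brq.redhat.com",
    "2015-10-21 11:05:46,001 INFO    [org.ovirt.engine.core.bll.Backend] Backend started (constructed line)",
    "2015-10-21 11:07:12,340 INFO    [org.ovirt.engine.extensions.aaa.builtin.tools.ManageDomainsDaoImpl updatePermissionsTable] uuid: 11111111-2222-3333-4444-555555555555 username: alice domain: example.test",
]
# Constructed mapping of each domain to its configured LDAP search user (an assumption for the example).
SEARCH_USERS = {"brq-ldap.rhev.lab.eng.brq.redhat.com": "vdcadmin", "example.test": "svc-ldap-search"}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SEARCH_USERS)) or "no search-user grants found")
```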

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-10-21 17:08:07 EDT ---

This bug is not marked for z-stream, yet the milestone is for a z-stream version, therefore the milestone has been reset.
Please set the correct milestone or add the z-stream flag.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-10-21 17:09:52 EDT ---

Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

--- Additional comment from Martin Perina on 2015-10-21 18:34:42 EDT ---

(In reply to Alon Bar-Lev from comment #9)
> Thanks for Ondra, I discovered that the --add-permissions adds the SEARCH
> user as ADMIN of engine, while STORING the password of that user within the
> database of engine.
> 
> This is a security issue, the search user should be used only for lookup of
> users, nothing else, it should be dedicated application (service) user, must
> not be used interactively or for any other purpose.
> 
> I am glad it does not work.
> 
> We should remove the --add-permissions option.

--add-permission was always used and worked fine from the beginning. Even when engine-manage-domains is deprecated in 3.5+, we cannot break its functionality until it's removed in 4.0.

Attached patch fixes the changes made to the attach_user_to_role function for 3.6; after it's merged we also need to backport it to 3.5.

--- Additional comment from Alon Bar-Lev on 2015-10-21 18:50:18 EDT ---

(In reply to Martin Perina from comment #12)
> (In reply to Alon Bar-Lev from comment #9)
> > Thanks for Ondra, I discovered that the --add-permissions adds the SEARCH
> > user as ADMIN of engine, while STORING the password of that user within the
> > database of engine.
> > 
> > This is a security issue, the search user should be used only for lookup of
> > users, nothing else, it should be dedicated application (service) user, must
> > not be used interactively or for any other purpose.
> > 
> > I am glad it does not work.
> > 
> > We should remove the --add-permissions option.
> 
> --add-permission was always used and worked fine from the beginning. Even
> when engine-manage-domains is deprecated in 3.5+, we cannot break its
> functionality until it's removed in 4.0.
> 
> Attached patch fixes the changes made to attach_user_to_role function for
> 3.6, after it's merged we also need it to backport to 3.5.

yes we can if it is a security issue, please remove this in 3.6.

--- Additional comment from Oved Ourfali on 2015-10-22 00:22:31 EDT ---

I agree with Martin here. This should be fixed.

--- Additional comment from Martin Perina on 2015-10-22 05:57:15 EDT ---

So here's the solution:

1. In oVirt 3.6 we will remove the --add-permissions option from engine-manage-domains, so the user specified in the --user option of engine-manage-domains will be used only to access the LDAP server. If an administrator wants to add permissions to LDAP users, he needs to log in to webadmin as admin@internal and assign permissions using the webadmin UI.

2. In oVirt 3.5 we fixed the --add-permissions behaviour, so it works as described in the documentation.

I think this change should be part of oVirt 3.6.0 and not 3.6.1.
Comment 2 Ondra Machacek 2015-11-02 07:59:46 EST
Ok in rhevm-backend-3.5.6.1-0.1.el6ev.noarch
Comment 4 errata-xmlrpc 2015-12-01 14:06:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2531.html
