Bug 1438484 - Running the command logon on the VM via the REST failed with the exception
Summary: Running the command logon on the VM via the REST failed with the exception
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.1.7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ovirt-4.1.2
: 4.1.2
Assignee: Ravi Nori
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1439611
Reported: 2017-04-03 13:58 UTC by Artyom
Modified: 2017-05-23 08:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-23 08:14:09 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.1+


Attachments
engine log (2.07 MB, text/plain)
2017-04-03 13:58 UTC, Artyom


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1439611 0 medium CLOSED [z-stream clone - 4.1.2] Running the command logon on the VM via the REST failed with the exception 2021-02-22 00:41:40 UTC
oVirt gerrit 75236 0 master MERGED aaa: Running the command logon on the VM via the REST failed 2017-04-06 07:22:32 UTC
oVirt gerrit 75489 0 ovirt-engine-4.1 MERGED aaa: Running the command logon on the VM via the REST failed 2017-04-14 07:02:51 UTC

Internal Links: 1439611

Description Artyom 2017-04-03 13:58:06 UTC
Created attachment 1268401
engine log

Description of problem:
Running the command logon on the VM via the REST failed with the exception:
2017-04-03 09:16:36,250-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-28) [] OAuthException invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Command 'org.ovirt.engine.core.bll.VmLogonCommand' failed: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Exception: java.lang.RuntimeException: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
    at org.ovirt.engine.core.aaa.filters.FiltersHelper.isStatusOk(FiltersHelper.java:64) [aaa.jar:]
    at org.ovirt.engine.core.aaa.SsoUtils.getPassword(SsoUtils.java:90) [aaa.jar:]
    at org.ovirt.engine.core.bll.VmLogonCommand.perform(VmLogonCommand.java:50) [bll.jar:]
    at org.ovirt.engine.core.bll.VmOperationCommandBase.executeVmCommand(VmOperationCommandBase.java:29) [bll.jar:]
    at org.ovirt.engine.core.bll.VmCommand.executeCommand(VmCommand.java:120) [bll.jar:]

Version-Release number of selected component (if applicable):
rhevm-4.1.1.7-0.1.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create VM and configure it for SSO
2. Run logon command via REST as admin@internal user with the body:
<action/>
3.

Actual results:
Command failed with the response
<action>
  <fault>
    <detail>[Internal Engine Error]</detail>
    <reason>Operation Failed</reason>
  </fault>
  <status>failed</status>
</action>


Expected results:
Command must succeed; admin@internal has SuperUser permissions, so it does not fail because of insufficient permissions.

Additional info:
I also tried to log in with another user, but the result is the same.

Comment 1 Tomas Jelinek 2017-04-05 08:41:43 UTC
The root cause is that the:

final String password = SsoUtils.getPassword(
        sessionDataContainer.getSsoAccessToken(getParameters().getSessionId()));

throws an exception. It is a consequence of migrating to the new SSO and I'm not really sure if this even can be solved. Moving to infra to investigate.

Comment 3 Jiri Belka 2017-05-10 21:41:56 UTC
ok, same as https://bugzilla.redhat.com/show_bug.cgi?id=1439611#c7

