Created attachment 1268401 [details]
engine log

Description of problem:
Running the command logon on the VM via the REST failed with the exception:

    22017-04-03 09:16:36,250-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-28) [] OAuthException invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
    2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Command 'org.ovirt.engine.core.bll.VmLogonCommand' failed: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
    2017-04-03 09:16:36,251-04 ERROR [org.ovirt.engine.core.bll.VmLogonCommand] (default task-27) [966ba276-b110-46d0-abdc-f48f0d369cea] Exception: java.lang.RuntimeException: invalid_scope: The requested scope '[ovirt-ext=token:password-access]' is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
        at org.ovirt.engine.core.aaa.filters.FiltersHelper.isStatusOk(FiltersHelper.java:64) [aaa.jar:]
        at org.ovirt.engine.core.aaa.SsoUtils.getPassword(SsoUtils.java:90) [aaa.jar:]
        at org.ovirt.engine.core.bll.VmLogonCommand.perform(VmLogonCommand.java:50) [bll.jar:]
        at org.ovirt.engine.core.bll.VmOperationCommandBase.executeVmCommand(VmOperationCommandBase.java:29) [bll.jar:]
        at org.ovirt.engine.core.bll.VmCommand.executeCommand(VmCommand.java:120) [bll.jar:]

Version-Release number of selected component (if applicable):
rhevm-4.1.1.7-0.1.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create VM and configure it for SSO
2. Run logon command via REST as admin@internal user with the body:
    <action/>
3.

Actual results:
Command failed with the response

    <action>
        <fault>
            <detail>[Internal Engine Error]</detail>
            <reason>Operation Failed</reason>
        </fault>
        <status>failed</status>
    </action>

Expected results:
Command must succeed, admin@internal has SuperUser permissions, so it does not fail because of insufficient permissions.

Additional info:
I also tried to log in with another user, but the result is the same.
The root cause is that the:

    final String password = SsoUtils.getPassword(
            sessionDataContainer.getSsoAccessToken(getParameters().getSessionId()));

throws an exception. It is a consequence of migrating to the new SSO and I'm not really sure if this can even be solved. Moving to infra to investigate.
ok, same as https://bugzilla.redhat.com/show_bug.cgi?id=1439611#c7