Bug 1459342 - Documentation for adding database access to RHV for C&U doesn't seem to provide sufficient access
Summary: Documentation for adding database access to RHV for C&U doesn't seem to provi...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: GA
: 5.8.5
Assignee: Suyog Sainkar
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard:
: 1485425 (view as bug list)
Depends On:
Blocks: 1572700
TreeView+ depends on / blocked
 
Reported: 2017-06-06 21:07 UTC by Jeffrey Cutter
Modified: 2021-09-09 12:21 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-21 03:54:30 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
istein: needinfo+

Attachments (Terms of Use)

Description Jeffrey Cutter 2017-06-06 21:07:32 UTC 
Document URL: 

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/deployment_planning_guide/#data_collection_for_rhev_33_34

Section Number and Name: 

3.4. Data Collection for Red Hat Enterprise Virtualization

Describe the issue: 

The following command does not seem to provide adequate access for C&U to work:

SELECT 'GRANT SELECT ON ' || relname || ' TO cfme;' FROM pg_class JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace WHERE nspname = 'public' AND relkind IN ('r', 'v', 'S');

Suggestions for improvement: 



Additional information: 

These ERRORS were found in the evm.log:

[----] E, [2017-06-06T15:56:19.772477 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000004], [rhvh4.hemlockhill.org] Unhandled exception during perf data collection: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.772619 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000004], [rhvh4.hemlockhill.org]   Timings at time of error: {:heartbeat=>0.009977340698242188, :server_dequeue=>0.002617359161376953, :capture_state=>1.542311429977417, :rhevm_connect=>0.20496630668640137, :collect_data=>0.5079753398895264, :total_time=>2.6751344203948975, :db_find_storage_files=>0.007214546203613281, :init_attrs=>0.02312016487121582, :db_find_prev_perfs=>0.12758803367614746, :process_perfs=>0.1566321849822998, :process_perfs_tag=>0.003917217254638672, :process_bottleneck=>0.0706169605255127}
[----] E, [2017-06-06T15:56:19.772785 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.772839 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] E, [2017-06-06T15:56:19.772992 #32222:85f138] ERROR -- : MIQ(MiqQueue#deliver) Message id: [1000000002685], Error: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.773198 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.773247 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] I, [2017-06-06T15:56:19.775190 #32222:85f138]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [1000000002685], Invoking Callback with args: [[1000000000020], "error", "PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration\n: SELECT \"host_interface_configuration\".* FROM \"host_interface_configuration\" WHERE \"host_interface_configuration\".\"host_id\" = $1", "nil"]
[----] E, [2017-06-06T15:56:19.835284 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000003], [rhvh3.hemlockhill.org] Unhandled exception during perf data collection: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.835433 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000003], [rhvh3.hemlockhill.org]   Timings at time of error: {:heartbeat=>0.009977340698242188, :server_dequeue=>0.002617359161376953, :capture_state=>1.5438523292541504, :rhevm_connect=>0.21329116821289062, :collect_data=>0.5320491790771484, :total_time=>2.7087433338165283, :db_find_storage_files=>0.007214546203613281, :init_attrs=>0.02312016487121582, :db_find_prev_perfs=>0.12758803367614746, :process_perfs=>0.1566321849822998, :process_perfs_tag=>0.003917217254638672, :process_bottleneck=>0.0706169605255127}
[----] E, [2017-06-06T15:56:19.835588 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.835639 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] E, [2017-06-06T15:56:19.835808 #32222:85f138] ERROR -- : MIQ(MiqQueue#deliver) Message id: [1000000002686], Error: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.835929 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.835971 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] I, [2017-06-06T15:56:19.838079 #32222:85f138]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [1000000002686], Invoking Callback with args: [[1000000000020], "error", "PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration\n: SELECT \"host_interface_configuration\".* FROM \"host_interface_configuration\" WHERE \"host_interface_configuration\".\"host_id\" = $1", "nil"]
[----] E, [2017-06-06T15:56:19.906673 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000002], [rhvh2.hemlockhill.org] Unhandled exception during perf data collection: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.906812 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000002], [rhvh2.hemlockhill.org]   Timings at time of error: {:heartbeat=>0.009977340698242188, :server_dequeue=>0.002617359161376953, :capture_state=>1.5452525615692139, :rhevm_connect=>0.21822834014892578, :collect_data=>0.5578477382659912, :total_time=>2.7433385848999023, :db_find_storage_files=>0.007214546203613281, :init_attrs=>0.02312016487121582, :db_find_prev_perfs=>0.12758803367614746, :process_perfs=>0.1566321849822998, :process_perfs_tag=>0.003917217254638672, :process_bottleneck=>0.0706169605255127}
[----] E, [2017-06-06T15:56:19.906941 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.906990 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] E, [2017-06-06T15:56:19.907197 #32222:85f138] ERROR -- : MIQ(MiqQueue#deliver) Message id: [1000000002687], Error: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.907313 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.907359 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] I, [2017-06-06T15:56:19.909173 #32222:85f138]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [1000000002687], Invoking Callback with args: [[1000000000021], "error", "PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration\n: SELECT \"host_interface_configuration\".* FROM \"host_interface_configuration\" WHERE \"host_interface_configuration\".\"host_id\" = $1", "nil"]
[----] E, [2017-06-06T15:56:19.963320 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000001], [rhvh1.hemlockhill.org] Unhandled exception during perf data collection: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.963450 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Host], [1000000000001], [rhvh1.hemlockhill.org]   Timings at time of error: {:heartbeat=>0.009977340698242188, :server_dequeue=>0.002617359161376953, :capture_state=>1.5465283393859863, :rhevm_connect=>0.22281622886657715, :collect_data=>0.5807433128356934, :total_time=>2.776047945022583, :db_find_storage_files=>0.007214546203613281, :init_attrs=>0.02312016487121582, :db_find_prev_perfs=>0.12758803367614746, :process_perfs=>0.1566321849822998, :process_perfs_tag=>0.003917217254638672, :process_bottleneck=>0.0706169605255127}
[----] E, [2017-06-06T15:56:19.963585 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.963644 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] E, [2017-06-06T15:56:19.963818 #32222:85f138] ERROR -- : MIQ(MiqQueue#deliver) Message id: [1000000002688], Error: [PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.963919 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration
[----] E, [2017-06-06T15:56:19.963961 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:619:in `exec_prepared'
[----] I, [2017-06-06T15:56:19.965776 #32222:85f138]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [1000000002688], Invoking Callback with args: [[1000000000021], "error", "PG::InsufficientPrivilege: ERROR:  permission denied for relation host_interface_configuration\n: SELECT \"host_interface_configuration\".* FROM \"host_interface_configuration\" WHERE \"host_interface_configuration\".\"host_id\" = $1", "nil"]
[----] E, [2017-06-06T15:56:20.027154 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Vm], [1000000000003], [test1] Unhandled exception during perf data collection: [PG::InsufficientPrivilege: ERROR:  permission denied for relation vm_device_history
[----] E, [2017-06-06T15:56:20.027297 #32222:85f138] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::MetricsCapture#perf_collect_metrics) [realtime] for: [ManageIQ::Providers::Redhat::InfraManager::Vm], [1000000000003], [test1]   Timings at time of error: {:heartbeat=>0.009977340698242188, :server_dequeue=>0.002617359161376953, :capture_state=>1.5479896068572998, :rhevm_connect=>0.22765064239501953, :collect_data=>0.6031968593597412, :total_time=>2.8053743839263916, :db_find_storage_files=>0.007214546203613281, :init_attrs=>0.02312016487121582, :db_find_prev_perfs=>0.12758803367614746, :process_perfs=>0.1566321849822998, :process_perfs_tag=>0.003917217254638672, :process_bottleneck=>0.0706169605255127}
[----] E, [2017-06-06T15:56:20.027413 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation vm_device_history
[----] E, [2017-06-06T15:56:20.027470 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:611:in `async_exec'
[----] E, [2017-06-06T15:56:20.027635 #32222:85f138] ERROR -- : MIQ(MiqQueue#deliver) Message id: [1000000002689], Error: [PG::InsufficientPrivilege: ERROR:  permission denied for relation vm_device_history
[----] E, [2017-06-06T15:56:20.027743 #32222:85f138] ERROR -- : [ActiveRecord::StatementInvalid]: PG::InsufficientPrivilege: ERROR:  permission denied for relation vm_device_history
[----] E, [2017-06-06T15:56:20.027784 #32222:85f138] ERROR -- : /opt/rh/cfme-gemset/gems/ovirt_metrics-1.4.1/lib/active_record/connection_adapters/ovirt_legacy_postgresql_adapter.rb:611:in `async_exec'

Altering the role to SUPERUSER allows C&U to work, but this is not ideal:

ALTER ROLE cfme SUPERUSER;
Comment 2 Dustin Scott 2017-06-16 13:57:40 UTC 
+1 for this BZ.  Out of the box documentation does not yield the ability for CloudForms (4.2) to successfully pull metrics from RHV (4.0).  Granting SUPERUSER does.

Request that a proper role with proper permissions are identified, other than SUPERUSER.

Additionally, the pg_hba.conf file should probably look like this for the configured user:

# TYPE  DATABASE              USER     ADDRESS    METHOD
host    ovirt_engine_history  cfme     0.0.0.0/0  md5

The above will limit the cmfe user to the ovirt_engine_history database, rather than allowing all users to connect to all databases.  The above is much more secure.  Also confirmed at my current customer site that the above is a valid configuration.
Comment 3 Felix Dewaleyne 2017-09-12 11:27:41 UTC 
*** Bug 1485425 has been marked as a duplicate of this bug. ***
Comment 4 Frank DeLorey 2018-03-21 17:04:47 UTC 
What are the correct changes required for CFME to have the proper access to the history DB?

Regards,

Frank
Comment 5 Martin Perina 2018-03-22 13:39:18 UTC 
I'd suggest to align CFME documentation with RHV documentation, we have quite detailed description how to configure read only access to DWH database:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/data_warehouse_guide/allowing_read_only_access_to_the_history_database
Note You need to log in before you can comment on or make changes to this bug.