Bug 1463634 - Running the command logon on the VM via the REST failed
Summary: Running the command logon on the VM via the REST failed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.2.2
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.2.0
: 4.2.0
Assignee: Ravi Nori
QA Contact: Gonza
URL:
Whiteboard:
Duplicates: 1464457
Depends On:
Blocks: 1463698
TreeView+ depends on / blocked
 
Reported: 2017-06-21 11:43 UTC by Miguel Martin
Modified: 2017-12-20 11:33 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1463698
Environment:
Last Closed: 2017-12-20 11:33:20 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.2+
rule-engine: blocker+


Attachments
Python reproducer (537 bytes, text/x-python)
2017-06-21 11:43 UTC, Miguel Martin
Ruby reproducer (413 bytes, application/x-ruby)
2017-06-21 11:44 UTC, Miguel Martin
Java reproducer (857 bytes, text/plain)
2017-06-21 11:45 UTC, Miguel Martin


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 78533 0 master MERGED aaa: Running the command logon on the VM via the REST failed 2020-10-20 08:57:54 UTC

Description Miguel Martin 2017-06-21 11:43:30 UTC
Created attachment 1290026 [details]
Python reproducer

Description of problem:

Logon REST API calls don't work. It doesn't matter what sdk client implementation is used. It looks like 'VmLogonVDSCommandParameters' doesn't contain the actual user password.
 
Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Call logon REST API Operation with any sdk implementation.

Actual results:
No logon is performed in VM Spice console

Expected results:
Logon performed in VM Spice console


Additional info:

The following logs can be seen when running any of the attached reproducers: 

~~~
[root@rhvm-41 ~]# 2017-06-21 13:06:05,214+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-27) [] User user successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:06:05,333+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-26) [774525c2] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:06:05,362+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-26) [774525c2] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 774525c2, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:06:05,481+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
~~~

The following logs can be seen when performing auto login from user portal:

~~~
2017-06-21 13:31:46,361+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-22) [] User user successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:31:46,478+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [502349ff] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:31:46,487+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-24) [502349ff] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 502349ff, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:31:49,278+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com'}), log id: 339d652f
2017-06-21 13:31:50,327+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] FINISH, VmLogonVDSCommand, log id: 339d652f
~~~
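
A log check for the symptom shown in the two excerpts above, added here as an example and not part of the original report or of oVirt: it scans engine.log text for VmLogonVDSCommand START lines and flags those logged with password='null'. The sample lines are constructed (abridged from the logs above), and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the engine.log lines quoted in this report.
SAMPLE_LOG = """\
2017-06-21 13:06:05,214+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-27) [] User user successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com'}), log id: 6c3c98e7
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com'}), log id: 339d652f
"""

# Timestamp, correlation id in the last [...] before START, then the parameter map.
START_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?\[(?P<corr>[^\]]*)\] START, VmLogonVDSCommand\("
    r".*?VmLogonVDSCommandParameters:\{(?P<params>.*?)\}\)")
PARAM_RE = re.compile(r"(\w+)='([^']*)'")


def find_logon_calls(log_text):
    """Return one record per VmLogonVDSCommand START line (hypothetical helper)."""
    records = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        params = dict(PARAM_RE.findall(m.group("params")))
        records.append({
            "timestamp": m.group("ts"),
            "correlation_id": m.group("corr"),
            "vm_id": params.get("vmId"),
            "user": params.get("userName"),
            # In the logs above a supplied password is shown masked as '***';
            # the literal 'null' means no password reached the command.
            "password_present": params.get("password") not in (None, "null"),
        })
    return records


def missing_password_calls(log_text):
    """Logon calls that were sent to the host without a password."""
    return [r for r in find_logon_calls(log_text) if not r["password_present"]]


if __name__ == "__main__":
    for rec in missing_password_calls(SAMPLE_LOG):
        print(rec["timestamp"], rec["correlation_id"], rec["user"], rec["vm_id"])
```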

Comment 1 Miguel Martin 2017-06-21 11:44:29 UTC
Created attachment 1290027 [details]
Ruby reproducer

Comment 2 Miguel Martin 2017-06-21 11:45:37 UTC
Created attachment 1290028 [details]
Java reproducer

Comment 3 Juan Hernández 2017-06-21 13:39:13 UTC
Apparently the SSO service doesn't store the user password in the SSO session when called from the API, thus the password isn't available when invoking the 'logon' command.

The password isn't stored because the SSL session doesn't contain a 'clientId'. From 'SSOUtils.java':

    public static void persistUserPassword(
            HttpServletRequest request,
            SsoSession ssoSession,
            String password) {
        try {
            if (ssoSession.getScopeAsList().contains("ovirt-ext=token:password-access") &&
                    password != null &&
                    StringUtils.isNotEmpty(ssoSession.getClientId())) {
                ssoSession.setPassword(encrypt(request.getServletContext(), ssoSession.getClientId(), password));
            }
        } catch (Exception ex) {
            log.error("Unable to encrypt password: {}", ex.getMessage());
            log.debug("Exception", ex);
        }
    }

I am moving the bug to the AAA components, as I think there is nothing that can be done to fix this in the API.

Comment 5 Red Hat Bugzilla Rules Engine 2017-06-22 13:23:12 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 6 Juan Hernández 2017-06-23 13:27:51 UTC
*** Bug 1464457 has been marked as a duplicate of this bug. ***

Comment 7 Juan Hernández 2017-06-23 13:29:23 UTC
Martin would you consider re-targeting for 4.1.z? I think that it is serious enough to do it.

Comment 8 Martin Perina 2017-06-23 19:22:02 UTC
(In reply to Juan Hernández from comment #7)
> Martin would you consider re-targeting for 4.1.z? I think that it is serious
> enough to do it.

I know, there is also downstream clone BZ1463698 of this bug, which is targeted to 4.1.4, so that's why I targeted upstream to 4.2

Comment 9 Gonza 2017-09-12 09:17:06 UTC
Verified with:
ovirt-engine-4.2.0-0.0.master.20170906185835.gitcee3e58.el7.centos.noarch

# curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Authorization: Bearer qUOO_j_hEEWkSVcs8SjHnmwEWOUX-iFxPrnBwHIJaCgHAC7hY890CopoZ5ERqX5UhkJfX0yES8dSJplRlXuDXQ" --cacert ca.pem -d "<action/>" https://engine.com/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a/logon
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <job href="/ovirt-engine/api/jobs/b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b" id="b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b"/>
    <status>complete</status>
    <vm href="/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a" id="6b3b3157-4068-4e14-b396-04db62f5398a">
....
    </vm>
</action>

from engine.log:
2017-09-12 12:14:46,045+03 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] Running command: VmLogonCommand internal: false. Entities affected :  ID: 6b3b3157-4068-4e14-b396-04db62f5398a Type: VMAction group CONNECT_TO_VM with role type USER
2017-09-12 12:14:46,086+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] START, VmLogonVDSCommand(HostName = host_mixed_1, VmLogonVDSCommandParameters:{hostId='5201c168-340a-4314-a216-c02035e76b85', vmId='6b3b3157-4068-4e14-b396-04db62f5398a', domain='internal-authz', password='***', userName='admin@internal-authz'}), log id: 59637de9
2017-09-12 12:14:46,095+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] FINISH, VmLogonVDSCommand, log id: 59637de9

Comment 10 Sandro Bonazzola 2017-12-20 11:33:20 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

