Created attachment 1290026 [details] Python reproducer

Description of problem:
Logon REST API calls don't work. It doesn't matter what sdk client implementation is used. It looks like 'VmLogonVDSCommandParameters' doesn't contain the actual user password.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Call logon REST API Operation with any sdk implementation.

Actual results:
No logon is performed in VM Spice console

Expected results:
Logon performed in VM Spice console

Additional info:
The following logs can be seen when running any of the attached reproducers:

~~~
[root@rhvm-41 ~]# 2017-06-21 13:06:05,214+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-27) [] User user successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:06:05,333+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-26) [774525c2] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:06:05,362+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-26) [774525c2] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 774525c2, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:06:05,481+02 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] Running command: VmLogonCommand internal: false.
Entities affected : ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:06:05,529+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
~~~

The following logs can be seen when performing auto login from user portal:

~~~
2017-06-21 13:31:46,361+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-22) [] User user successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:31:46,478+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [502349ff] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:31:46,487+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-24) [502349ff] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 502349ff, Call Stack: null, Custom Event ID: -1, Message: User user@example.com logged in.
2017-06-21 13:31:49,278+02 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] Running command: VmLogonCommand internal: false.
Entities affected : ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:31:49,322+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com'}), log id: 339d652f
2017-06-21 13:31:50,327+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] FINISH, VmLogonVDSCommand, log id: 339d652f
~~~
Created attachment 1290027 [details] Ruby reproducer
Created attachment 1290028 [details] Java reproducer
Apparently the SSO service doesn't store the user password in the SSO session when called from the API, thus the password isn't available when invoking the 'logon' command. The password isn't stored because the SSL session doesn't contain a 'clientId'. From 'SSOUtils.java':

~~~
public static void persistUserPassword(
        HttpServletRequest request,
        SsoSession ssoSession,
        String password) {
    try {
        if (ssoSession.getScopeAsList().contains("ovirt-ext=token:password-access") &&
                password != null &&
                StringUtils.isNotEmpty(ssoSession.getClientId())) {
            ssoSession.setPassword(encrypt(request.getServletContext(), ssoSession.getClientId(), password));
        }
    } catch (Exception ex) {
        log.error("Unable to encrypt password: {}", ex.getMessage());
        log.debug("Exception", ex);
    }
}
~~~

I am moving the bug to the AAA components, as I think there is nothing that can be done to fix this in the API.
This bug report has Keywords: Regression or TestBlocker. Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
*** Bug 1464457 has been marked as a duplicate of this bug. ***
Martin would you consider re-targeting for 4.1.z? I think that it is serious enough to do it.
(In reply to Juan Hernández from comment #7)
> Martin would you consider re-targeting for 4.1.z? I think that it is serious
> enough to do it.

I know, there is also downstream clone BZ1463698 of this bug, which is targeted to 4.1.4, so that's why I targeted upstream to 4.2
Verified with: ovirt-engine-4.2.0-0.0.master.20170906185835.gitcee3e58.el7.centos.noarch

~~~
# curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Authorization: Bearer qUOO_j_hEEWkSVcs8SjHnmwEWOUX-iFxPrnBwHIJaCgHAC7hY890CopoZ5ERqX5UhkJfX0yES8dSJplRlXuDXQ" --cacert ca.pem -d "<action/>" https://engine.com/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a/logon
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <job href="/ovirt-engine/api/jobs/b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b" id="b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b"/>
    <status>complete</status>
    <vm href="/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a" id="6b3b3157-4068-4e14-b396-04db62f5398a">
    ....
    </vm>
</action>
~~~

from engine.log:

~~~
2017-09-12 12:14:46,045+03 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] Running command: VmLogonCommand internal: false. Entities affected : ID: 6b3b3157-4068-4e14-b396-04db62f5398a Type: VMAction group CONNECT_TO_VM with role type USER
2017-09-12 12:14:46,086+03 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] START, VmLogonVDSCommand(HostName = host_mixed_1, VmLogonVDSCommandParameters:{hostId='5201c168-340a-4314-a216-c02035e76b85', vmId='6b3b3157-4068-4e14-b396-04db62f5398a', domain='internal-authz', password='***', userName='admin@internal-authz'}), log id: 59637de9
2017-09-12 12:14:46,095+03 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] FINISH, VmLogonVDSCommand, log id: 59637de9
~~~
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
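The failing and working engine.log excerpts in this report differ in one field of the VmLogonVDSCommand START entry: password='null' versus password='***'. The following check is an added example, not code from the report or from oVirt; it scans engine.log lines for logon attempts sent without a password. The log lines in SAMPLE_LOG are constructed on the pattern of the excerpts above, and the function and field names are assumptions of this example.

```python
import re
import sys

# START entry of VmLogonVDSCommand, in the layout shown in this report's excerpts.
START_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2}) INFO\s+"
    r"\[org\.ovirt\.engine\.core\.vdsbroker\.vdsbroker\.VmLogonVDSCommand\]"
    r".*?\[(?P<corr>[0-9a-f-]+)\] START, VmLogonVDSCommand\(HostName = (?P<host>[^,]+), "
    r"VmLogonVDSCommandParameters:\{(?P<params>[^}]*)\}"
)
PARAM_RE = re.compile(r"(\w+)='([^']*)'")


def find_logons_without_password(lines):
    """Return one dict per VmLogonVDSCommand START entry logged with password='null'."""
    findings = []
    for line in lines:
        m = START_RE.search(line)
        if not m:
            continue
        params = dict(PARAM_RE.findall(m.group("params")))
        # In the report, working logons show the masked value '***';
        # the failing API logons show 'null'.
        if params.get("password") == "null":
            findings.append({
                "timestamp": m.group("ts"),
                "correlation_id": m.group("corr"),
                "host": m.group("host"),
                "vm_id": params.get("vmId"),
                "user": params.get("userName"),
            })
    return findings


# Constructed sample lines (not copied from a real system).
_TEMPLATE = ("{ts} INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] "
             "(default task-1) [{corr}] START, VmLogonVDSCommand(HostName = host-a, "
             "VmLogonVDSCommandParameters:{{runAsync='true', hostId='h-1', vmId='vm-1', "
             "domain='example.com', password='{pw}', userName='user@example.com'}}), log id: 0")
SAMPLE_LOG = [
    _TEMPLATE.format(ts="2017-06-21 13:06:05,529+02", corr="aaaa1111", pw="null"),
    _TEMPLATE.format(ts="2017-06-21 13:31:49,322+02", corr="bbbb2222", pw="***"),
]

if __name__ == "__main__":
    # Pass a path to engine.log, or run without arguments to use the sample.
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_logons_without_password(source):
        print(hit)
```

The correlation ID in each finding can be matched against the preceding VmLogonCommand entry to confirm which request triggered the logon.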