Bug 1463634 - Running the command logon on the VM via the REST failed
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.1.2.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.2.0
Target Release: 4.2.0
Assigned To: Ravi Nori
QA Contact: Gonza
Keywords: Regression
Duplicates: 1464457
Blocks: 1463698
Reported: 2017-06-21 07:43 EDT by Miguel Martin
Modified: 2017-12-20 06:33 EST

Doc Type: No Doc Update
Clones: 1463698
Last Closed: 2017-12-20 06:33:20 EST
Type: Bug
oVirt Team: Infra
rule-engine: ovirt‑4.2+
rule-engine: blocker+


Attachments
Python reproducer (537 bytes, text/x-python), 2017-06-21 07:43 EDT, Miguel Martin
Ruby reproducer (413 bytes, application/x-ruby), 2017-06-21 07:44 EDT, Miguel Martin
Java reproducer (857 bytes, text/plain), 2017-06-21 07:45 EDT, Miguel Martin


External Trackers
Tracker: oVirt gerrit, ID: 78533, Priority: master, Status: MERGED, Summary: aaa: Running the command logon on the VM via the REST failed, Last Updated: 2017-06-23 15:27 EDT

Description Miguel Martin 2017-06-21 07:43:30 EDT
Created attachment 1290026
Python reproducer

Description of problem:

Logon REST API calls don't work. It doesn't matter what sdk client implementation is used. It looks like 'VmLogonVDSCommandParameters' doesn't contain the actual user password.
 
Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Call logon REST API Operation with any sdk implementation.

Actual results:
No logon is performed in VM Spice console

Expected results:
Logon performed in VM Spice console


Additional info:

The following logs can be seen when running any of the attached reproducers: 

~~~
[root@rhvm-41 ~]# 2017-06-21 13:06:05,214+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-27) [] User user@example.com successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:06:05,333+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-26) [774525c2] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:06:05,362+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-26) [774525c2] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 774525c2, Call Stack: null, Custom Event ID: -1, Message: User user@example.com@example.com logged in.
2017-06-21 13:06:05,481+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
~~~

The following logs can be seen when performing auto login from user portal:

~~~
2017-06-21 13:31:46,361+02 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-22) [] User user@example.com successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-06-21 13:31:46,478+02 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [502349ff] Running command: CreateUserSessionCommand internal: false.
2017-06-21 13:31:46,487+02 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-24) [502349ff] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 502349ff, Call Stack: null, Custom Event ID: -1, Message: User user@example.com@example.com logged in.
2017-06-21 13:31:49,278+02 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] Running command: VmLogonCommand internal: false. Entities affected :  ID: 15678820-2ddd-4351-9f7e-57693dde1b93 Type: VMAction group CONNECT_TO_VM with role type USER
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com@example.com'}), log id: 339d652f
2017-06-21 13:31:50,327+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] FINISH, VmLogonVDSCommand, log id: 339d652f
~~~
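
A check for the symptom visible in the two log excerpts above, as an added example that is not part of the original report or of oVirt's code: it scans engine.log text for `VmLogonVDSCommand` START lines and flags those whose parameters carry `password='null'`. The function names are hypothetical, and the script assumes, as the quoted logs show, that the engine prints `'***'` for a set password and `'null'` for an empty one.

```python
import re

# Sample input: START/FINISH lines copied from the log excerpts quoted in this report.
SAMPLE_LOG = """\
2017-06-21 13:06:05,529+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='example.com', password='null', userName='user@example.com@example.com'}), log id: 6c3c98e7
2017-06-21 13:06:05,673+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [ce585e69-02c0-418a-adba-bdfcc0bd4cb1] FINISH, VmLogonVDSCommand, log id: 6c3c98e7
2017-06-21 13:31:49,322+02 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-16) [ee9749df-1afb-49cb-b770-d33a50960d8b] START, VmLogonVDSCommand(HostName = rhvh-41-1, VmLogonVDSCommandParameters:{runAsync='true', hostId='ba2a9daf-9be8-408e-ae7a-6f806c3ded68', vmId='15678820-2ddd-4351-9f7e-57693dde1b93', domain='win2008AD.mamux.org', password='***', userName='user@example.com@example.com'}), log id: 339d652f
2017-09-12 12:14:46,086+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] START, VmLogonVDSCommand(HostName = host_mixed_1, VmLogonVDSCommandParameters:{hostId='5201c168-340a-4314-a216-c02035e76b85', vmId='6b3b3157-4068-4e14-b396-04db62f5398a', domain='internal-authz', password='***', userName='admin@internal-authz'}), log id: 59637de9
"""

# Timestamp, correlation id, host and the raw parameter list of a START line.
START_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d\d).*?"
    r"\[(?P<corr>[^\]]*)\] START, VmLogonVDSCommand\(HostName = (?P<host>[^,]+), "
    r"VmLogonVDSCommandParameters:\{(?P<params>[^}]*)\}"
)
PARAM_RE = re.compile(r"(\w+)='([^']*)'")  # key='value' pairs inside {...}


def parse_logon_starts(text):
    """Yield one dict per VmLogonVDSCommand START line found in text."""
    for line in text.splitlines():
        m = START_RE.search(line)
        if not m:
            continue  # FINISH lines and unrelated log lines are skipped
        params = dict(PARAM_RE.findall(m.group("params")))
        yield {
            "timestamp": m.group("ts"),
            "correlation_id": m.group("corr"),
            "host": m.group("host"),
            "vm_id": params.get("vmId"),
            "user": params.get("userName"),
            # Assumption from the quoted logs: 'null' means no password was passed.
            "password_present": params.get("password") not in (None, "null"),
        }


def logons_without_password(text):
    """Return the START entries that were sent to the host without a password."""
    return [e for e in parse_logon_starts(text) if not e["password_present"]]
```

Matching the returned correlation ID against the preceding `VmLogonCommand` line identifies which API call produced the empty logon.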
Comment 1 Miguel Martin 2017-06-21 07:44 EDT
Created attachment 1290027
Ruby reproducer
Comment 2 Miguel Martin 2017-06-21 07:45 EDT
Created attachment 1290028
Java reproducer
Comment 3 Juan Hernández 2017-06-21 09:39:13 EDT
Apparently the SSO service doesn't store the user password in the SSO session when called from the API, thus the password isn't available when invoking the 'logon' command.

The password isn't stored because the SSL session doesn't contain a 'clientId'. From 'SSOUtils.java':

    public static void persistUserPassword(
            HttpServletRequest request,
            SsoSession ssoSession,
            String password) {
        try {
            if (ssoSession.getScopeAsList().contains("ovirt-ext=token:password-access") &&
                    password != null &&
                    StringUtils.isNotEmpty(ssoSession.getClientId())) {
                ssoSession.setPassword(encrypt(request.getServletContext(), ssoSession.getClientId(), password));
            }
        } catch (Exception ex) {
            log.error("Unable to encrypt password: {}", ex.getMessage());
            log.debug("Exception", ex);
        }
    }

I am moving the bug to the AAA components, as I think there is nothing that can be done to fix this in the API.
Comment 5 Red Hat Bugzilla Rules Engine 2017-06-22 09:23:12 EDT
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 6 Juan Hernández 2017-06-23 09:27:51 EDT
*** Bug 1464457 has been marked as a duplicate of this bug. ***
Comment 7 Juan Hernández 2017-06-23 09:29:23 EDT
Martin would you consider re-targeting for 4.1.z? I think that it is serious enough to do it.
Comment 8 Martin Perina 2017-06-23 15:22:02 EDT
(In reply to Juan Hernández from comment #7)
> Martin would you consider re-targeting for 4.1.z? I think that it is serious
> enough to do it.

I know, there is also downstream clone BZ1463698 of this bug, which is targeted to 4.1.4, so that's why I targeted upstream to 4.2
Comment 9 Gonza 2017-09-12 05:17:06 EDT
Verified with:
ovirt-engine-4.2.0-0.0.master.20170906185835.gitcee3e58.el7.centos.noarch

# curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Authorization: Bearer qUOO_j_hEEWkSVcs8SjHnmwEWOUX-iFxPrnBwHIJaCgHAC7hY890CopoZ5ERqX5UhkJfX0yES8dSJplRlXuDXQ" --cacert ca.pem -d "<action/>" https://engine.com/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a/logon
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <job href="/ovirt-engine/api/jobs/b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b" id="b9da5d7a-09bb-4ccc-b050-80c3cfe3d53b"/>
    <status>complete</status>
    <vm href="/ovirt-engine/api/vms/6b3b3157-4068-4e14-b396-04db62f5398a" id="6b3b3157-4068-4e14-b396-04db62f5398a">
....
    </vm>
</action>

from engine.log:
2017-09-12 12:14:46,045+03 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] Running command: VmLogonCommand internal: false. Entities affected :  ID: 6b3b3157-4068-4e14-b396-04db62f5398a Type: VMAction group CONNECT_TO_VM with role type USER
2017-09-12 12:14:46,086+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] START, VmLogonVDSCommand(HostName = host_mixed_1, VmLogonVDSCommandParameters:{hostId='5201c168-340a-4314-a216-c02035e76b85', vmId='6b3b3157-4068-4e14-b396-04db62f5398a', domain='internal-authz', password='***', userName='admin@internal-authz'}), log id: 59637de9
2017-09-12 12:14:46,095+03 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-5) [23adb453-a191-452a-9a6f-f57e2bfeda8d] FINISH, VmLogonVDSCommand, log id: 59637de9
Comment 10 Sandro Bonazzola 2017-12-20 06:33:20 EST
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
