Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1568413

Summary: admin account constantly gets locked after password changed
Product: [oVirt] ovirt-engine Reporter: Dominik Holler <dholler>
Component: BLL.NetworkAssignee: Dominik Holler <dholler>
Status: CLOSED CURRENTRELEASE QA Contact: Michael Burman <mburman>
Severity: high Docs Contact:
Priority: high    
Version: 4.2.2CC: bugs, danken, mburman
Target Milestone: ovirt-4.2.3Flags: rule-engine: ovirt-4.2+
rule-engine: blocker+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-10 06:27:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1511823    

Description Dominik Holler 2018-04-17 12:58:38 UTC 
Description of problem:
If the password of the user account which is used to authenticate oVirt
Engine to the ovirt-provider-ovn is changed, but the password is not
updated in Engine's provider configuration, Engine continues to
use the old password to access the provider. This behavior results in
locking the user account, because of the high number failed
authentication tries.

For a number of reasons, this is especially annoying:
* In the default configuration the user account is admin@internal.
* The user might not notice, that the password is stored in Engine's
  provider configuration, because it is created automatically.
* The user might not be aware that AutoSync is using the provider in the
  background.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Enable the ovirt-provider-ovn during engine-setup
2. Change password of admin@internal
3. Wait longer than 5 allowed attempts * 5 minutes auto_sync cycle = 25 minutes

Actual results:
admin@internal is locked


Expected results:
admin@internal is not locked

Additional info:
Comment 1 Michael Burman 2018-04-30 04:50:47 UTC 
Now, after admin@internal password is changed and the authentication credentials are invalid, autoSync is disabled for the provider to prevent further invalid authentication attempts which may result in Engine locks the user account.

After the password is changed, there only one attempt to autoSync which is failed 
"
Failed to synchronize networks of Provider ovirt-provider-ovn, because the authentication information of the provider is invalid. Automatic synchronization is deactivated for this Provider."

After 25 minutes(default autoSync) i'm able to login with the new new password and user admin@internal doesn't get locked. 

Verified on - 4.2.3.3-0.1.el7
Comment 2 Sandro Bonazzola 2018-05-10 06:27:59 UTC 
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.