Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1638380

Summary: Document that ovirt.infra role needs to be executed on engine host if you want to add/modify users/groups with it
Product: [oVirt] ovirt-ansible-collection Reporter: Petr Kubica <pkubica>
Component: infraAssignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE QA Contact: Petr Kubica <pkubica>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.1.9CC: bugs, mperina, omachace, ratamir
Target Milestone: ovirt-4.3.0Flags: rule-engine: ovirt-4.3+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-ansible-infra-1.1.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-13 07:43:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Kubica 2018-10-11 12:40:20 UTC 
Description of problem:

playbook:
...
    users:
      - name: john.doe
        authz_name: internal-authz
        password: 123456
        valid_to: "2020-01-01 00:00:00Z"
...


ASK [oVirt.infra/roles/oVirt.aaa-jdbc : Manage internal users] *****************************************
task path: /usr/share/ansible/roles/oVirt.infra/roles/oVirt.aaa-jdbc/tasks/main.yml:5
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: pkubica
<localhost> EXEC /bin/sh -c 'echo ~pkubica && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041 `" && echo ansible-tmp-1539260954.59-223638909789041="` echo /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041 `" ) && sleep 0'
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<localhost> PUT /home/pkubica/.ansible/tmp/ansible-local-6406gYcxoO/tmpdAdCOF TO /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041/AnsiballZ_command.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041/ /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041/AnsiballZ_command.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041/AnsiballZ_command.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/pkubica/.ansible/tmp/ansible-tmp-1539260954.59-223638909789041/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_command_payload_yeAySR/ansible_command_payload.zip/ansible/module_utils/basic.py", line 2839, in run_command
    cmd = subprocess.Popen(args, **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception

failed: [localhost] (item={u'password': 123456, u'authz_name': u'internal-authz', u'name': u'john.doe', u'valid_to': u'2018-01-01 00:00:00Z'}) => {
    "changed": true, 
    "cmd": "/usr/bin/ovirt-aaa-jdbc-tool user add john.doe", 
    "failed_when_result": true, 
    "invocation": {
        "module_args": {
            "_raw_params": "/usr/bin/ovirt-aaa-jdbc-tool user add john.doe", 
            "_uses_shell": false, 
            "argv": null, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "warn": true
        }
    }, 
    "item": {
        "authz_name": "internal-authz", 
        "name": "john.doe", 
        "password": 123456, 
        "valid_to": "2018-01-01 00:00:00Z"
    }, 
    "msg": "[Errno 2] No such file or directory", 
    "rc": 2
}

Version-Release number of selected component (if applicable):
ovirt-ansible-infra-1.1.9-0.1.master.20181010120045.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. create users via infra role

Actual results:
can't add users via infra role
Comment 1 Ondra Machacek 2018-10-11 12:43:20 UTC 
You didn't execute this on engine obviously. So we must document this must be done one engine.
Comment 2 Red Hat Bugzilla Rules Engine 2018-10-12 08:54:44 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 3 Martin Perina 2018-12-13 13:51:43 UTC 
This is a documentation change only and it cannot be regression, because the role has been able to  create users/roles using aaa-jdbc when it was not executed on engine host
Comment 4 Petr Kubica 2018-12-19 12:00:13 UTC 
Fix isn't included in master 4.3 build
ovirt-ansible-infra-1.1.10-1.el7.noarch
Comment 5 Petr Kubica 2019-01-14 11:40:36 UTC 
Did you check also examples [1]? 

[1] https://github.com/oVirt/ovirt-ansible-infra/blob/d9b818927946d89bc2bb8740b4afb86611225bc5/examples/ovirt_infra.yml#L3
Comment 6 Ondra Machacek 2019-01-14 11:55:22 UTC 
The roles are meant to be executed on engine, and RPMs are shipped only there, so it means localhost, so examples are OK.
Currently if the machine don't have aaa-jdbc installed the role will fail to setup internal users/groups.
Comment 7 Petr Kubica 2019-01-29 14:06:47 UTC 
Verified in ovirt-ansible-infra-1.1.12-0.1.master.20190117095036.el7.noarch
Comment 8 Sandro Bonazzola 2019-02-13 07:43:41 UTC 
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.