Hi Wei,

I am no sure it is a bug,

I looked at the logs, and on secure.log I saw:

Aug 22 11:35:40 test useradd[10834]: new group: name=linda, GID=1002
Aug 22 11:35:40 test useradd[10834]: new user: name=linda, UID=1001, GID=1002, home=/home/linda, shell=/bin/bash
Aug 22 11:35:47 test cockpit-session: pam_unix(cockpit:session): session closed for user root
Aug 22 11:36:07 test cockpit-session: pam_unix(cockpit:session): session opened for user linda by (uid=0)
Aug 22 11:36:07 test polkitd[1595]: Registered Authentication Agent for unix-session:7 (system bus name :1.78 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 22 11:36:08 test polkitd[1595]: Operator of unix-session:7 FAILED to authenticate to gain authorization for action org.cockpit-project.cockpit.root-bridge for unix-process:10856:112313 [cockpit-bridge] (owned by unix-user:linda)
Aug 22 11:36:08 test pkexec[10884]: linda: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1001] [COMMAND=/usr/bin/cockpit-bridge --privileged]
Aug 22 11:36:08 test sudo: pam_unix(sudo:auth): authentication failure; logname=linda uid=1001 euid=0 tty= ruser=linda rhost=  user=linda
Aug 22 11:36:15 test sudo:   linda : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1001 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged


My guess is that you have added a user that just didn't have permissions to log into cockpit virtualization plugin.
From the cockpit doc:
"When a user is logged into Cockpit, they are logged into a normal session that has exactly the same privileges as if they logged in via SSH or on the console."
meaning you probably could see the standard dashboard like a normal user would see it, but got an error when trying to log into the virtualization page as an unprivileged user would.

I don't think that we support the use case of performing hosted engine installation as a non-root user, but since that is possible to log into cockpit with an unprivileged user maybe we should add a better error message.

Can you please:

- add screenshots of:
1. the page that is opened when you first log into cockpit as linda.
2. the error message that you get when trying to go to the Virtualization page.

- try adding linda to wheel group and see what happens.

- Consider lowering the Severity it that is indeed the case

(In reply to Gal Zaidman from comment #1)
> Hi Wei,
> 
> I am no sure it is a bug,
> 
> I looked at the logs, and on secure.log I saw:
> 
> Aug 22 11:35:40 test useradd[10834]: new group: name=linda, GID=1002
> Aug 22 11:35:40 test useradd[10834]: new user: name=linda, UID=1001,
> GID=1002, home=/home/linda, shell=/bin/bash
> Aug 22 11:35:47 test cockpit-session: pam_unix(cockpit:session): session
> closed for user root
> Aug 22 11:36:07 test cockpit-session: pam_unix(cockpit:session): session
> opened for user linda by (uid=0)
> Aug 22 11:36:07 test polkitd[1595]: Registered Authentication Agent for
> unix-session:7 (system bus name :1.78 [cockpit-bridge], object path
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Aug 22 11:36:08 test polkitd[1595]: Operator of unix-session:7 FAILED to
> authenticate to gain authorization for action
> org.cockpit-project.cockpit.root-bridge for unix-process:10856:112313
> [cockpit-bridge] (owned by unix-user:linda)
> Aug 22 11:36:08 test pkexec[10884]: linda: Error executing command as
> another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1001]
> [COMMAND=/usr/bin/cockpit-bridge --privileged]
> Aug 22 11:36:08 test sudo: pam_unix(sudo:auth): authentication failure;
> logname=linda uid=1001 euid=0 tty= ruser=linda rhost=  user=linda
> Aug 22 11:36:15 test sudo:   linda : user NOT in sudoers ; TTY=unknown ;
> PWD=/run/user/1001 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
> 
> 
> My guess is that you have added a user that just didn't have permissions to
> log into cockpit virtualization plugin.
> From the cockpit doc:
> "When a user is logged into Cockpit, they are logged into a normal session
> that has exactly the same privileges as if they logged in via SSH or on the
> console."
> meaning you probably could see the standard dashboard like a normal user
> would see it, but got an error when trying to log into the virtualization
> page as an unprivileged user would.
> 
> I don't think that we support the use case of performing hosted engine
> installation as a non-root user, but since that is possible to log into
> cockpit with an unprivileged user maybe we should add a better error message.

Yes, I agree. But this bug is reported since the Virtualization page is blank accessed by an unprivileged user, and Ooop! error will displays at the up-right corner. 
I think the node status should display as invalid and a better error message, the other content displays normal since their access are not need privileged.
> 
> Can you please:
> 
> - add screenshots of:
> 1. the page that is opened when you first log into cockpit as linda.
pic_1 in attachment
> 2. the error message that you get when trying to go to the Virtualization
> page.
pic_2 and pic_3 in attachment.
> 
> - try adding linda to wheel group and see what happens.
Displays same with the bug
> 
> - Consider lowering the Severity it that is indeed the case
The early build displays as "the node status should display as invalid and a better error message, the other content displays normal since their access are not need privileged." so it is really an regression bug.

Created attachment 1608372 [details]
pic_1

Created attachment 1608373 [details]
pic_2

Created attachment 1608374 [details]
pic_3

If this affects the hosted engine deployment page we should either be able to work with a custom user with sudo permission or display a message that root user is needed.

(In reply to Wei Wang from comment #2)
> (In reply to Gal Zaidman from comment #1)
> > Hi Wei,
> > 
> > I am no sure it is a bug,
> > 
> > I looked at the logs, and on secure.log I saw:
> > 
> > Aug 22 11:35:40 test useradd[10834]: new group: name=linda, GID=1002
> > Aug 22 11:35:40 test useradd[10834]: new user: name=linda, UID=1001,
> > GID=1002, home=/home/linda, shell=/bin/bash
> > Aug 22 11:35:47 test cockpit-session: pam_unix(cockpit:session): session
> > closed for user root
> > Aug 22 11:36:07 test cockpit-session: pam_unix(cockpit:session): session
> > opened for user linda by (uid=0)
> > Aug 22 11:36:07 test polkitd[1595]: Registered Authentication Agent for
> > unix-session:7 (system bus name :1.78 [cockpit-bridge], object path
> > /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> > Aug 22 11:36:08 test polkitd[1595]: Operator of unix-session:7 FAILED to
> > authenticate to gain authorization for action
> > org.cockpit-project.cockpit.root-bridge for unix-process:10856:112313
> > [cockpit-bridge] (owned by unix-user:linda)
> > Aug 22 11:36:08 test pkexec[10884]: linda: Error executing command as
> > another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1001]
> > [COMMAND=/usr/bin/cockpit-bridge --privileged]
> > Aug 22 11:36:08 test sudo: pam_unix(sudo:auth): authentication failure;
> > logname=linda uid=1001 euid=0 tty= ruser=linda rhost=  user=linda
> > Aug 22 11:36:15 test sudo:   linda : user NOT in sudoers ; TTY=unknown ;
> > PWD=/run/user/1001 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
> > 
> > 
> > My guess is that you have added a user that just didn't have permissions to
> > log into cockpit virtualization plugin.
> > From the cockpit doc:
> > "When a user is logged into Cockpit, they are logged into a normal session
> > that has exactly the same privileges as if they logged in via SSH or on the
> > console."
> > meaning you probably could see the standard dashboard like a normal user
> > would see it, but got an error when trying to log into the virtualization
> > page as an unprivileged user would.
> > 
> > I don't think that we support the use case of performing hosted engine
> > installation as a non-root user, but since that is possible to log into
> > cockpit with an unprivileged user maybe we should add a better error message.
> 
> Yes, I agree. But this bug is reported since the Virtualization page is
> blank accessed by an unprivileged user, and Ooop! error will displays at the
> up-right corner. 
> I think the node status should display as invalid and a better error
> message, the other content displays normal since their access are not need
> privileged.
> >

I agree that a better error message is required but I think that it can be tracked in a different bug
since that is not what this bug is saying.

> > Can you please:
> > 
> > - add screenshots of:
> > 1. the page that is opened when you first log into cockpit as linda.
> pic_1 in attachment
> > 2. the error message that you get when trying to go to the Virtualization
> > page.
> pic_2 and pic_3 in attachment.
> > 
> > - try adding linda to wheel group and see what happens.
> Displays same with the bug
> > 
> > - Consider lowering the Severity it that is indeed the case
> The early build displays as "the node status should display as invalid and a
> better error message, the other content displays normal since their access
> are not need privileged." so it is really an regression bug.

Sorry but I didn't understand how this is a regression bug, are you are saying that we
had a build of cockpit-ovirt that prevented entering the Virtualization page and had
a better error message?

Can you add screenshots of the flow that broke from previous builds and the last version that you are aware of in which worked?

(In reply to Gal Zaidman from comment #7)
> (In reply to Wei Wang from comment #2)
> > (In reply to Gal Zaidman from comment #1)
> > > Hi Wei,
> > > 
> > > I am no sure it is a bug,
> > > 
> > > I looked at the logs, and on secure.log I saw:
> > > 
> > > Aug 22 11:35:40 test useradd[10834]: new group: name=linda, GID=1002
> > > Aug 22 11:35:40 test useradd[10834]: new user: name=linda, UID=1001,
> > > GID=1002, home=/home/linda, shell=/bin/bash
> > > Aug 22 11:35:47 test cockpit-session: pam_unix(cockpit:session): session
> > > closed for user root
> > > Aug 22 11:36:07 test cockpit-session: pam_unix(cockpit:session): session
> > > opened for user linda by (uid=0)
> > > Aug 22 11:36:07 test polkitd[1595]: Registered Authentication Agent for
> > > unix-session:7 (system bus name :1.78 [cockpit-bridge], object path
> > > /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> > > Aug 22 11:36:08 test polkitd[1595]: Operator of unix-session:7 FAILED to
> > > authenticate to gain authorization for action
> > > org.cockpit-project.cockpit.root-bridge for unix-process:10856:112313
> > > [cockpit-bridge] (owned by unix-user:linda)
> > > Aug 22 11:36:08 test pkexec[10884]: linda: Error executing command as
> > > another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1001]
> > > [COMMAND=/usr/bin/cockpit-bridge --privileged]
> > > Aug 22 11:36:08 test sudo: pam_unix(sudo:auth): authentication failure;
> > > logname=linda uid=1001 euid=0 tty= ruser=linda rhost=  user=linda
> > > Aug 22 11:36:15 test sudo:   linda : user NOT in sudoers ; TTY=unknown ;
> > > PWD=/run/user/1001 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
> > > 
> > > 
> > > My guess is that you have added a user that just didn't have permissions to
> > > log into cockpit virtualization plugin.
> > > From the cockpit doc:
> > > "When a user is logged into Cockpit, they are logged into a normal session
> > > that has exactly the same privileges as if they logged in via SSH or on the
> > > console."
> > > meaning you probably could see the standard dashboard like a normal user
> > > would see it, but got an error when trying to log into the virtualization
> > > page as an unprivileged user would.
> > > 
> > > I don't think that we support the use case of performing hosted engine
> > > installation as a non-root user, but since that is possible to log into
> > > cockpit with an unprivileged user maybe we should add a better error message.
> > 
> > Yes, I agree. But this bug is reported since the Virtualization page is
> > blank accessed by an unprivileged user, and Ooop! error will displays at the
> > up-right corner. 
> > I think the node status should display as invalid and a better error
> > message, the other content displays normal since their access are not need
> > privileged.
> > >
> 
> I agree that a better error message is required but I think that it can be
> tracked in a different bug
> since that is not what this bug is saying.
> 
> > > Can you please:
> > > 
> > > - add screenshots of:
> > > 1. the page that is opened when you first log into cockpit as linda.
> > pic_1 in attachment
> > > 2. the error message that you get when trying to go to the Virtualization
> > > page.
> > pic_2 and pic_3 in attachment.
> > > 
> > > - try adding linda to wheel group and see what happens.
> > Displays same with the bug
> > > 
> > > - Consider lowering the Severity it that is indeed the case
> > The early build displays as "the node status should display as invalid and a
> > better error message, the other content displays normal since their access
> > are not need privileged." so it is really an regression bug.
> 
> Sorry but I didn't understand how this is a regression bug, are you are
> saying that we
> had a build of cockpit-ovirt that prevented entering the Virtualization page
> and had
> a better error message?
No prevent entering the Virtualization page. As I remembered it displays content with non-root privileged, and displays error message which need unprivileged.
> 
> Can you add screenshots of the flow that broke from previous builds and the
> last version that you are aware of in which worked?
I cannot remember it clearly, maybe 4.1 or 4.2 build

Given that cockpit functionality for checking the status of the host as unprivileged user still works and the only pages not working are related to the virt page I wouldn't consider this a blocker for 4.3.6.
Proposing this for 4.3.7. Please provide latest version where this flow was reported working so we can compare and see what can possibly be the cause.
Looks like a possible regression in cockpit itself rather than a cockpit-ovirt regression.

(In reply to Sandro Bonazzola from comment #9)
> Given that cockpit functionality for checking the status of the host as
> unprivileged user still works and the only pages not working are related to
> the virt page I wouldn't consider this a blocker for 4.3.6.
> Proposing this for 4.3.7. Please provide latest version where this flow was
> reported working so we can compare and see what can possibly be the cause.

Do you mean the worked build? The build display rightly?
> Looks like a possible regression in cockpit itself rather than a
> cockpit-ovirt regression.

The problem was on cockpit originally, they probably fixed it in a new version since I can no longer reproduce this issue.
I moved this to MODIFIED because I want QE to check that this is fixed.
for reference, I had this commit which disabled getting into the dashboard as a non-root user: https://gerrit.ovirt.org/#/c/103061/

Marking this TestOnly and moving to QE.

Test Version:
RHVH-4.3-20200128.0-RHVH-x86_64-dvd1.iso
cockpit-storaged-195-1.el7.noarch
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-ovirt-dashboard-0.13.9-1.el7ev.noarch
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64

Test Steps:
According to comment 0

Result:
Bug can still be reproduced. Ooop! occur and Virtualization page displays blank


Waiting for 4.3.9 to re-test it.

I still can't reproduce the issue, and I'm working with the same versions

Pending on new RHVH build, move back to modified firstly.
QE will verify this bug after new RHVH 4.3.9 build is available.

This bugzilla is included in oVirt 4.3.9 release, published on March 20th 2020.

Since the problem described in this bug report should be
resolved in oVirt 4.3.9 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.