Bug 840421 - [RFE][AAA] rhevm-manage-domains should contain rollback procedure in case of unexpected error during add domain procedure
[RFE][AAA] rhevm-manage-domains should contain rollback procedure in case of ...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-config (Show other bugs)
3.1.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Yair Zaslavsky
Pavel Stehlik
infra
: FutureFeature, Reopened
Depends On:
Blocks: oVirt-AAA-LDAP
  Show dependency treegraph
 
Reported: 2012-07-16 06:32 EDT by Tomas Dosek
Modified: 2016-02-10 14:43 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-27 09:13:26 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
dyasny: Triaged+


Attachments (Terms of Use)
Engine.log (7.31 MB, text/x-log)
2012-07-16 06:32 EDT, Tomas Dosek
no flags Details
manage domains log (5.10 KB, text/x-log)
2012-07-19 05:54 EDT, Tomas Dosek
no flags Details
Dump of vdc_options table (22.78 KB, text/x-sql)
2012-07-19 06:06 EDT, Tomas Dosek
no flags Details

  None (edit)
Description Tomas Dosek 2012-07-16 06:32:50 EDT
Created attachment 598413 [details]
Engine.log

Description of problem:
In case user adds IPA to RHEV-M using rhevm-manage-domains and the IPA server fails to communicate during kerberos key exchange, all domains that were previously added to RHEV-M are unusable and search through these domains returns
null results.

Note that precise timing is the key to reproducing this bug.

Version-Release number of selected component (if applicable):
si10

How reproducible:
100 %

Steps to Reproduce:
1. Have a si10 RHEV-M setup with internal and some other domain (in my case Active Directory domain)
2. Prepare a command for adding IPA domain + prepare iptables command to block all communication to and from IPA server (in my case it was random reboot of server)
3. Run the rhevm-manage-domain -action=add -interactive -domain=<domain> -user=<user> -provider=IPA
4. Right after putting in password block all communication to IPA server
  
Actual results:
During operation NullPointer exception pops up in terminal (not even in log but in terminal of rhevm-manage-domains command), the operation seems to complete successfully.

After ovirt-engine restart and performing some search in rhevm no result is found - even though all the domains in RHEV-M have some users in db.

This can be fixed only by total cleanup and reinstallation of RHEV-M

Expected results:
IPA is either added to RHEV-M or a rollback operation arises and RHEV-M is in functional state.

None NPE is shown to user (it's written into log) in case of adding another domain fails. Some nice error message is shown to user and definitely not success message.

Additional info:
Attaching full rhev-m log
Comment 2 Roy Golan 2012-07-19 04:50:15 EDT
pls supply the engine-manage-domains.log and a dump of the vdc_options table
Comment 3 Tomas Dosek 2012-07-19 05:52:53 EDT
So the error I get during adding IPA domain:

[root@change-fqdn log]# rhevm-manage-domains -action=add -provider=IPA -domain=brq-ipa.rhev.lab.eng.brq.redhat.com -user=vdcadmin -interactive
Enter password:

Error:  exception message: java.lang.NullPointerException
	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck$KerberosUtilCallbackHandler.handle(KerberosConfigCheck.java:85)
	at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:970)
	at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:967)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:966)
	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:824)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:616)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkAuthentication(KerberosConfigCheck.java:225)
	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.authenticate(KerberosConfigCheck.java:216)
	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:155)
	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
	at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:634)
	at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:784)
	at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:452)
	at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:250)
	at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:175)

WARNING, domain: rhev.lab.eng.brq.redhat.com may not be functional: Failure while testing domain rhev.lab.eng.brq.redhat.com. Details: Kerberos error. Please check log for further details.
WARNING: No permissions were added to the Engine. Login either with the internal admin user or with another configured user.
Successfully added domain brq-ipa.rhev.lab.eng.brq.redhat.com. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

I'll also attach requested files - in next comment
Comment 4 Tomas Dosek 2012-07-19 05:54:26 EDT
Created attachment 599103 [details]
manage domains log
Comment 5 Tomas Dosek 2012-07-19 06:06:26 EDT
Created attachment 599106 [details]
Dump of vdc_options table
Comment 6 Roy Golan 2012-07-19 07:10:44 EDT
Your AdUserPassword record is empty and that's why domains can't be searched.

few bugs were introduced due to new flag added to manage-domains in si10 and have fixes for SI11:

https://bugzilla.redhat.com/839264

*** This bug has been marked as a duplicate of bug 839264 ***
Comment 7 Tomas Dosek 2012-07-19 07:19:38 EDT
Ok Roy, but you might miss this section of bug's description:

"Expected results:
IPA is either added to RHEV-M or a rollback operation arises and RHEV-M is in functional state.

None NPE is shown to user (it's written into log) in case of adding another domain fails. Some nice error message is shown to user and definitely not success message."

And I believe this really deserves a fix. I mean do we have some rollback procedure in case of unexpected exception? (as we can see on a bug that you mentioned - there's none). I'm reopening this as an RFE
Comment 9 Roy Golan 2012-07-19 07:41:56 EDT
(In reply to comment #7)
> Ok Roy, but you might miss this section of bug's description:
> 
> "Expected results:
> IPA is either added to RHEV-M or a rollback operation arises and RHEV-M is
> in functional state.
> 
> None NPE is shown to user (it's written into log) in case of adding another
> domain fails. Some nice error message is shown to user and definitely not
> success message."
> 
> And I believe this really deserves a fix. I mean do we have some rollback
> procedure in case of unexpected exception? (as we can see on a bug that you
> mentioned - there's none). I'm reopening this as an RFE

Generally speaking rollback is good in case you left the system in raw state. that's why the cloned bug will take care of that.

Just to make things clear manage-domains runs in few steps when adding a domain:

1. Kerberos auth
2. ldap query to get the user id
3. creates  krb5.conf file
4. test all domains by kerberos auth

If the tool failed with unexpected execption in stage 4 after all configuration have been gather succesfully then I don't see any reason for the rollback. your system is ready to go but you may have some network issues with your servers

if you failed in 1,2,3 you probably won't get a success message (I need to reassure this)
Comment 12 Yair Zaslavsky 2012-07-23 04:43:00 EDT
Regardless of the NPE - 
What we can implement is a rollback mechanism based on transactions -
rhevm- manage-domains calls 7 times rhevm-config (once for each key stored at db) using the rhevm-config shell script.

We can:
A. Call the rhevm-config directly (i.e - using the EngineConfigLogic class or other classes from its jar)
B. Create a transaction wrapping the 7 insert/update calls.
C. If an error occurs during the flow that is wrapped with transaction, a rollback will occur, and the db will be kept in consistent state.


However , such a change is in a scope which is too big for 3.1.
Suggesting this to future version.
Comment 13 Itamar Heim 2012-07-29 08:22:39 EDT
rolling back the db without rolling back the krb5.conf file won't help for operations of update/delete?
Comment 16 Alon Bar-Lev 2014-06-11 09:24:32 EDT
the new ldap provider does not have a utility, its configuration is based on files, so it is much easier to configure.

I am keeping this opened for now, although engine-manage-domain unlikely to be changed.
Comment 17 Alon Bar-Lev 2014-06-27 09:13:26 EDT
OK, closing as wontfix as manage-domains unlikely to be modified in future.

Note You need to log in before you can comment on or make changes to this bug.