[ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Hi,

Quick question, which foreman roles does the foreman integration user
require in the foreman.

I've tried a couple of permission settings but can only get the test to
work when the user has role admin.





With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 



Tel: 053 20 30 270    i...@netbulae.eu    Staalsteden 4-3A    KvK 08198180
Fax: 053 20 30 271    www.netbulae.eu     7547 TA Enschede    BTW NL821234584B01



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Oved Ourfali
Have a look at the prerequisites section in 
http://www.ovirt.org/Features/ForemanIntegration#Bare-Metal_Provisioning
It specifies what you must be able to do in Foreman for the integration to work.
(currently we require proper permissions to view relevant bare-metal hosts, 
host groups, compute resources and execute provision request - which is a 
request to add a host).

It is not the complete set of specific roles in Foreman, but it can help do the 
mapping.

CC-ing also Ohad from the Foreman team, who can help if the information in 
the wiki isn't enough.

Thanks,
Oved



Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
I will check, but I now also have the problem in reverse. The compute
resource in foreman 1.6 will only work with admin@internal. Gave the
external user the superuser role to test but still permission denied.

I also cannot log in to the API with this user manually. Do I have to
configure external authentication for API access somewhere else?

Thanks for all the help!

Jorick



Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Oved Ourfali
You need to share the logs on both ends (ovirt+foreman) for us to understand it.

Thanks,
Oved



Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Ah sorry, could have checked myself. Trying to get 3.5.1 running for DEV
in a hurry ;-)

Processing by ComputeResourcesController#test_connection as */*
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"D/PZVxVpow1glpUBkxcD90WsMJjAxilbdWgXClgf7C8=", "compute_resource"=>{"name"=>"engineen", "provider"=>"Ovirt", "description"=>"", "url"=>"https://ovirt-engine.netbulae.test/api", "user"=>"test-ad...@netbulae.test", "password"=>"[FILTERED]", "location_ids"=>["", "2"], "organization_ids"=>["", "1"]}, "cr_id"=>"null"}
CR_ID IS null
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt engineen was not decrypted

And the other side:

2015-01-22 13:59:20,034 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-8) [1414b745] Correlation ID: 1414b745, Call Stack: null, Custom Event ID: -1, Message: User/Group test- was granted permission for Role DataCenterAdmin on System by
2015-01-22 14:00:21,674 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,763 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-6) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,849 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-5) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED
2015-01-22 14:09:39,982 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED
2015-01-22 14:09:40,071 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-8) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED
2015-01-22 14:09:40,203 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-2) User test-admin authentication failed. profile is netbulae.mgmt. Invocation Result code is 0. Authn result code is CREDENTIALS_EXPIRED


Cheers, Jorick



Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Oved Ourfali
Are you able to log in with these credentials to oVirt directly?


Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Nope, I just reset the password twice in FreeIPA. Once with a random
password and next with a very simple password.


2015-01-22 15:31:09,344 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-5) Cant login user "test-admin" with authentication profile "netbulae.test" because the authentication failed.
2015-01-22 15:31:09,366 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-5) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User test-ad...@netbulae.test failed to log in.
2015-01-22 15:31:09,367 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-5) CanDoAction of action LoginAdminUser failed for user  test-ad...@netbulae.test. Reasons: USER_PASSWORD_EXPIRED

On the ipa side, I don't see any authentication attempts in the logs.
ldapsearch with the same account and password on the ipa works fine.


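
Log triage for the engine.log excerpts posted in this thread, added here as an example and not part of any message or of the oVirt or Foreman code: it rejoins mail-wrapped entries and tallies failures by user, profile and result code, so an expired-credential rejection at authentication shows up separately from a role or permission problem. The sample text is constructed from the thread's log layout, and `svc-example@example.test` is a placeholder for the user name the archive elides.

```python
import re
from collections import Counter

# Constructed sample in the wrapped layout quoted in the thread;
# svc-example@example.test is a placeholder user, not a value from the page.
SAMPLE_LOG = """\
2015-01-22 14:00:21,674 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,763 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-6) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 15:31:09,367 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-5) CanDoAction of action LoginAdminUser failed
for user  svc-example@example.test. Reasons: USER_PASSWORD_EXPIRED
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
AUTHN = re.compile(
    r"User (?P<user>\S+) authentication failed\. profile is (?P<profile>.+?)\. "
    r"Invocation Result code is \d+\. Authn result code is (?P<code>\w+)")
LOGIN = re.compile(
    r"CanDoAction of action \w+ failed for user\s+(?P<user>\S+?)\. "
    r"Reasons: (?P<code>\w+)")
EXPIRED = {"CREDENTIALS_EXPIRED", "USER_PASSWORD_EXPIRED"}  # codes seen in the thread

def unwrap_entries(text):
    """Rejoin mail-wrapped log text: a new entry starts at a timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Count failures per (user, profile, code); profile is None when not logged."""
    counts = Counter()
    for entry in unwrap_entries(text):
        m = AUTHN.search(entry) or LOGIN.search(entry)
        if m:
            profile = m.groupdict().get("profile")
            counts[(m["user"], profile, m["code"])] += 1
    return counts

def expired_accounts(counts):
    """Users rejected for expired credentials, i.e. before any role is evaluated."""
    return sorted({user for (user, _, code) in counts if code in EXPIRED})
```

Grouping by profile also makes it easy to see when the same account is being tried against different authentication profiles, as with `netbulae.mgmt` and `netbulae.test` in the excerpts above.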