Bug 1095420 - admin@internal can not log in to the Web admin portal if another admin user exists in an external directory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 3.4.0
Assignee: Yair Zaslavsky
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: 1057368
 
Reported: 2014-05-07 16:30 UTC by Gil Klein
Modified: 2016-02-10 19:43 UTC (History)

Fixed In Version: org.ovirt.engine-root-3.4.0-19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:


Attachments
engine.log (deleted), 2014-05-11 08:52 UTC, Ilanit Stein
engine log from the 3.3->3.4RC upgrade (deleted), 2014-05-11 10:47 UTC, Gil Klein


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 27574 ovirt-engine-3.4 MERGED core: Fix admin@internal login Never
oVirt gerrit 27575 ovirt-engine-3.4.1 MERGED core: Fix admin@internal login Never
oVirt gerrit 27576 ovirt-engine-3.4 MERGED core: Use configuration to represent internal domain Never

Description Gil Klein 2014-05-07 16:30:54 UTC
Description of problem:

After an upgrade 3.3->3.4 admin@internal can not log in to the Web admin portal 

Version-Release number of selected component (if applicable):
Upgrade to AV8.1


How reproducible:
Specific to the RHEVM QE instance


Steps to Reproduce:
1. Upgrade the engine 3.3.2 -> 3.4RC1 (AV8.1)


Actual results:
admin@internal can not log in to the Web admin portal 

Expected results:
admin@internal should be able to login


Additional info: 

While admin@internal tries to login it fails with the following error in the engine.log

2014-05-07 19:21:44,374 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-18) Data access error during CanDoActionFailure.: org.springframework.dao.DuplicateKeyException: CallableStatementCallback; SQL [{call insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: duplicate key value violates unique constraint "pk_users"
  Where: SQL statement "INSERT INTO users(department, domain, email, groups, name, note, role, active, surname, user_id, username, group_ids, external_id) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 )"
PL/pgSQL function "insertuser" line 2 at SQL statement; nested exception is org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "pk_users"
  Where: SQL statement "INSERT INTO users(department, domain, email, groups, name, note, role, active, surname, user_id, username, group_ids, external_id) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 )"
PL/pgSQL function "insertuser" line 2 at SQL statement
	at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:241) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:1030) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.JdbcTemplate.call(JdbcTemplate.java:1064) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.simple.AbstractJdbcCall.executeCallInternal(AbstractJdbcCall.java:388) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.simple.AbstractJdbcCall.doExecute(AbstractJdbcCall.java:351) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(SimpleJdbcCall.java:181) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.ovirt.engine.core.dao.DbUserDAODbFacadeImpl.save(DbUserDAODbFacadeImpl.java:155) [dal.jar:]
	at org.ovirt.engine.core.bll.LoginBaseCommand.isUserCanBeAuthenticated(LoginBaseCommand.java:177) [bll.jar:]
	at org.ovirt.engine.core.bll.LoginAdminUserCommand.canDoAction(LoginAdminUserCommand.java:14) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.internalCanDoAction(CommandBase.java:739) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:345) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.login(Backend.java:594) [bll.jar:]
	at sun.reflect.GeneratedMethodAccessor131.invoke(Unknown Source) [:1.7.0_55]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]
	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13) [bll.jar:]
	at sun.reflect.GeneratedMethodAccessor98.invoke(Unknown Source) [:1.7.0_55]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]
	at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptor.java:89) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:52) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:259) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:398) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:242) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73) [jboss-as-ee.jar:7.4.0.Final-redhat-10]
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view9.login(Unknown Source) [common.jar:]
	at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.Login(GenericApiGWTServiceImpl.java:184)
	at sun.reflect.GeneratedMethodAccessor138.invoke(Unknown Source) [:1.7.0_55]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196)
	at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:172)
	at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:233)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec.jar:1.0.2.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.ui.frontend.server.gwt.GwtCachingFilter.doFilter(GwtCachingFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:72)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:64) [utils.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.bll.AutomaticLoginFilter.doFilter(AutomaticLoginFilter.java:58) [bll.jar:]
	at org.ovirt.engine.core.bll.AutomaticLoginFilter.doFilter(AutomaticLoginFilter.java:49) [bll.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:80) [common.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512)
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
	at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_55]
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "pk_users"
  Where: SQL statement "INSERT INTO users(department, domain, email, groups, name, note, role, active, surname, user_id, username, group_ids, external_id) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 )"
PL/pgSQL function "insertuser" line 2 at SQL statement
	at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2101)
	at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1834)
	at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:255)
	at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:510)
	at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:386)
	at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:379)
	at org.jboss.jca.adapters.jdbc.CachedPreparedStatement.execute(CachedPreparedStatement.java:297)
	at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.execute(WrappedPreparedStatement.java:404)
	at org.springframework.jdbc.core.JdbcTemplate$6.doInCallableStatement(JdbcTemplate.java:1066) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.JdbcTemplate$6.doInCallableStatement(JdbcTemplate.java:1) [spring-jdbc.jar:3.1.1.RELEASE]
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:1014) [spring-jdbc.jar:3.1.1.RELEASE]
	... 99 more

Comment 5 Ilanit Stein 2014-05-11 08:43:03 UTC
In my setup (rhevm 3.4 av8.1), I had the same problem as well with 2 admin users.
It is not clear where the second admin user came from.
Here's my users table: 

engine=# select name , domain from users ;
   name   |        domain         
----------+-----------------------
 vdcadmin | qa.lab.tlv.redhat.com
 admin    | qa.lab.tlv.redhat.com
 admin    | internal
(3 rows)

engine=# select * from users ;
               user_id                |   name   | surname |        domain         | username |                                                                                                                                              
      groups                                                                                                                                                     | department | role | email | note | last_admin_check_status |              
                                                                                             group_ids                                                                                                           |                    externa
l_id                    | active 
--------------------------------------+----------+---------+-----------------------+----------+----------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------+-------+------+-------------------------+--------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------
------------------------+--------
 9b9002d1-ec33-4083-8a7b-31f6b8931648 | vdcadmin |         | qa.lab.tlv.redhat.com | vdcadmin | qa.lab.tlv.redhat.com/QA-All-Users/testGroup,qa.lab.tlv.redhat.com/frodo1-id-21324444,dc.eng.lab.tlv.redhat.com/Users/universe,qa.lab.tlv.red
hat.com/Builtin/Administrators                                                                                                                                   |            |      |       |      | t                       | 00000000-0000
-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000                                                                           | \233\220\002\321\3543@\203
\212{1\366\270\223\026H | t
 62e8f0a0-c375-403a-a402-3daa2c384fc5 | admin    |         | qa.lab.tlv.redhat.com | admin    | qa.lab.tlv.redhat.com/QA-All-Users/RDP-Group,qa.lab.tlv.redhat.com/QA-All-Users/LocalAdmins-Group,qa.lab.tlv.redhat.com/QA-All-Users/BlueUser
s,qa.lab.tlv.redhat.com/Builtin/Administrators,qa.lab.tlv.redhat.com/QA-All-Users/QA-Members/QA_Gluster_users,qa.lab.tlv.redhat.com/QA-All-Users/QA-MembersGroup |            |      |       |      | f                       | 00000000-0000
-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | b\350\360\240\303u@:\244\0
02=\252,8O\305          | t
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin    |         | internal              | admin    |                                                                                                                                              
                                                                                                                                                                 |            |      |       |      | t                       |              
                                                                                                                                                                                                                 | \375\374b|\330u\021\340\22
0\360\203\337\023;X\314 | t
(3 rows)

Comment 6 Oved Ourfali 2014-05-11 08:45:27 UTC
(In reply to Ilanit Stein from comment #5)
> In my setup (rhevm 3.4 av8.1), I had the same problem as well with 2 admin users.
> It is not clear where the second admin user came from.
> Here's my users table: 
> 
> engine=# select name , domain from users ;
>    name   |        domain         
> ----------+-----------------------
>  vdcadmin | qa.lab.tlv.redhat.com
>  admin    | qa.lab.tlv.redhat.com
>  admin    | internal

I see nothing wrong here, as one user is in the "internal" domain, and the other is in the qa.lab.tlv.redhat.com domain.


> (3 rows)
> 
> engine=# select * from users ;
>                user_id                |   name   | surname |        domain  
> | username |                                                                
> 
>       groups                                                                
> | department | role | email | note | last_admin_check_status |              
>                                                                             
> group_ids                                                                   
> |                    externa
> l_id                    | active 
> --------------------------------------+----------+---------+-----------------
> ------+----------+-----------------------------------------------------------
> -----------------------------------------------------------------------------
> ------
> -----------------------------------------------------------------------------
> -----------------------------------------------------------------------------
> -------+------------+------+-------+------+-------------------------+--------
> ------
> -----------------------------------------------------------------------------
> -----------------------------------------------------------------------------
> -------------------------------------------------------+---------------------
> ------
> ------------------------+--------
>  9b9002d1-ec33-4083-8a7b-31f6b8931648 | vdcadmin |         |
> qa.lab.tlv.redhat.com | vdcadmin |
> qa.lab.tlv.redhat.com/QA-All-Users/testGroup,qa.lab.tlv.redhat.com/frodo1-id-
> 21324444,dc.eng.lab.tlv.redhat.com/Users/universe,qa.lab.tlv.red
> hat.com/Builtin/Administrators                                              
> |            |      |       |      | t                       | 00000000-0000
> -0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-
> 0000-0000-000000000000,00000000-0000-0000-0000-000000000000                 
> | \233\220\002\321\3543@\203
> \212{1\366\270\223\026H | t
>  62e8f0a0-c375-403a-a402-3daa2c384fc5 | admin    |         |
> qa.lab.tlv.redhat.com | admin    |
> qa.lab.tlv.redhat.com/QA-All-Users/RDP-Group,qa.lab.tlv.redhat.com/QA-All-
> Users/LocalAdmins-Group,qa.lab.tlv.redhat.com/QA-All-Users/BlueUser
> s,qa.lab.tlv.redhat.com/Builtin/Administrators,qa.lab.tlv.redhat.com/QA-All-
> Users/QA-Members/QA_Gluster_users,qa.lab.tlv.redhat.com/QA-All-Users/QA-
> MembersGroup |            |      |       |      | f                       |
> 00000000-0000
> -0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-
> 0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-
> 0000-0000-000000000000,00000000-0000-0000-0000-000000000000 |
> b\350\360\240\303u@:\244\0
> 02=\252,8O\305          | t
>  fdfc627c-d875-11e0-90f0-83df133b58cc | admin    |         | internal       
> | admin    |                                                                
> 
>                                                                             
> |            |      |       |      | t                       |              
>                                                                             
> | \375\374b|\330u\021\340\22
> 0\360\203\337\023;X\314 | t
> (3 rows)

Comment 7 Ilanit Stein 2014-05-11 08:52:26 UTC
Created attachment 894384 [details]
engine.log

Comment 8 Oved Ourfali 2014-05-11 10:30:32 UTC
Gil - can you dump the DB so that Yair and Eli will be able to examine it?

Comment 9 Gil Klein 2014-05-11 10:34:24 UTC
engine=# select user_id, username, external_id from users where username ilike '%admin%';
               user_id                |  username   |                    externa
l_id                    
--------------------------------------+-------------+---------------------------
------------------------
 21d9ca24-bb82-11e0-a1c1-00145e832c40 | admin       | !\331\312$\273\202\021\340
\241\301\000\024^\203,@
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin       | \375\374b|\330u\021\340\22
0\360\203\337\023;X\314
 a5c2b244-80dc-4277-b288-842779950749 | ykadmin     | \245\302\262D\200\334Bw\26
2\210\204'y\225\007I
 97223de4-45c4-11e1-a6f6-001a4a169753 | admin       | \227"=\344E\304\021\341\24
6\366\000\032J\026\227S
 9b9002d1-ec33-4083-8a7b-31f6b8931648 | vdcadmin    | \233\220\002\321\3543@\203
\212{1\366\270\223\026H
 62e8f0a0-c375-403a-a402-3daa2c384fc5 | admin       | b\350\360\240\303u@:\244\0
02=\252,8O\305
 647f6b4f-d3b4-419d-8f80-427048f02c4b | masterAdmin | d\177kO\323\264A\235\217\2
00BpH\360,K
(7 rows)

Comment 11 Gil Klein 2014-05-11 10:47:57 UTC
Created attachment 894413 [details]
engine log from the 3.3->3.4RC upgrade

engine log from the 3.3->3.4RC upgrade

Comment 12 Vered Volansky 2014-05-11 11:05:55 UTC
I got an error that I'm not authorised to perform the action (login).

engine=> select * from users;
               user_id                | name | surname |  domain  | username | groups | department | role | email | note | last_admin_check_status | group_ids |             external_id              | active 
--------------------------------------+------+---------+----------+----------+--------+------------+------+-------+------+-------------------------+-----------+--------------------------------------+--------
 fdfc627c-d875-11e0-90f0-83df133b58cc |      |         | internal | admin    |        |            |      |       |      | t                       |           | [B@44f595c3                          | f
 26f94ea1-a384-4fb2-a65c-9b6d3aabb33a |      |         | internal | admin    |        |            |      |       |      | f                       |           | fdfc627c-d875-11e0-90f0-83df133b58cc | t
(2 rows)


Note both are internal, external_id for the first is not a GUID and looks like an object serialization.

What fixed it for me was deleting the second line and updating the remaining external_id to the user_id:
delete from users where user_id='26f94ea1-a384-4fb2-a65c-9b6d3aabb33a';
update users set external_id=user_id;

After this change I've managed to log in.

Comment 13 Yair Zaslavsky 2014-05-11 11:24:35 UTC
(In reply to Vered Volansky from comment #12)
> I got an error that I'm not authorised to perform the action (login).
> 
> engine=> select * from users;
>                user_id                | name | surname |  domain  | username
> | groups | department | role | email | note | last_admin_check_status |
> group_ids |             external_id              | active 
> --------------------------------------+------+---------+----------+----------
> +--------+------------+------+-------+------+-------------------------+------
> -----+--------------------------------------+--------
>  fdfc627c-d875-11e0-90f0-83df133b58cc |      |         | internal | admin   
> |        |            |      |       |      | t                       |     
> | [B@44f595c3                          | f
>  26f94ea1-a384-4fb2-a65c-9b6d3aabb33a |      |         | internal | admin   
> |        |            |      |       |      | f                       |     
> | fdfc627c-d875-11e0-90f0-83df133b58cc | t
> (2 rows)
> 
> 
> Note both are internal, external_id for the first is not a GUID and looks
> like an object serialization.
> 
> What fixed it for me was deleting the second line and updating the remaining
> external_id to the user_id:
> delete from users where user_id='26f94ea1-a384-4fb2-a65c-9b6d3aabb33a';
> update users set external_id=user_id;
> 
> After this change I've managed to log in.

Thanks Vered,
However this is not the issue with the QA production environment.

Comment 14 Tal Nisan 2014-05-11 12:25:42 UTC
Yair, this was the same issue that happened to me, even if it's not the same issue as in this bug it still has to be addressed since it seems to happen to other people as well

Comment 15 Yair Zaslavsky 2014-05-11 12:37:23 UTC
The bug is due to the following:
1. The environment has several users with username 'internal' in different domains.

2. The following code:
InternalBrokerUtils.getUserByUPN is called by both the authentication part (authenticateUser) and the authorization part (getUserByName).

Unfortunately, getUserByUPN checks only the user name, and not the domain - thus a wrong user is checked.

This does occur in 3.5/upstream due to the following:
Internal*Command were removed, the Internal authn and authz are properly used (in 3.4 although the classes exist, they were not used).

Suggested fix:
InternalBrokerUtils.getUserByUPN will receive not just the user name, but also the domain  - then we will check the db by both parameters (user name + domain) - this will ensure we will get the proper user.

In order to test the fix (once issued) please add using an ldap domain a user named 'admin'.
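
The lookup flaw and the suggested fix from comment 15, modeled as an added example (this is not the ovirt-engine Java code): an in-memory sqlite3 table stands in for the engine's PostgreSQL `users` table, reduced to three columns. The function names are hypothetical, and the rows are constructed from the user IDs and domains shown in this bug.

```python
import sqlite3

# Constructed sample rows; user_id values and domains are the ones shown in
# comment 19. The three-column schema is a reduced stand-in (assumption).
ROWS = [
    ("62e8f0a0-c375-403a-a402-3daa2c384fc5", "admin", "qa.lab.tlv.redhat.com"),
    ("fdfc627c-d875-11e0-90f0-83df133b58cc", "admin", "internal"),
    ("9b9002d1-ec33-4083-8a7b-31f6b8931648", "vdcadmin", "qa.lab.tlv.redhat.com"),
]


def make_db():
    """Build the in-memory stand-in for the users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " user_id TEXT PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " domain TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def split_upn(upn):
    """Split 'user@domain' into (username, domain); reject anything else."""
    username, sep, domain = upn.rpartition("@")
    if not sep or not username or not domain:
        raise ValueError("expected user@domain, got %r" % upn)
    return username, domain


def lookup_by_name_only(db, username):
    """Flawed form: the domain is ignored, so whichever row with this
    username comes first is treated as the identity being logged in."""
    return db.execute(
        "SELECT user_id, username, domain FROM users"
        " WHERE username = ? ORDER BY rowid LIMIT 1",
        (username,),
    ).fetchone()


def lookup_by_name_and_domain(db, username, domain):
    """Fixed form: match on both parts of the UPN and fail closed if the
    pair is not unique (the duplicate-row state seen in comment 12)."""
    rows = db.execute(
        "SELECT user_id, username, domain FROM users"
        " WHERE username = ? AND domain = ?",
        (username, domain),
    ).fetchall()
    if len(rows) > 1:
        raise LookupError("%s@%s matches %d rows" % (username, domain, len(rows)))
    return rows[0] if rows else None


def resolves_to_wrong_domain(db, upn):
    """True when the name-only lookup hands back a row from another domain."""
    username, domain = split_upn(upn)
    row = lookup_by_name_only(db, username)
    return row is not None and row[2] != domain


def usernames_in_multiple_domains(db):
    """Audit query: usernames that exist in more than one domain, i.e. the
    accounts a name-only lookup can confuse."""
    return db.execute(
        "SELECT username, COUNT(DISTINCT domain) FROM users"
        " GROUP BY username HAVING COUNT(DISTINCT domain) > 1"
        " ORDER BY username"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("name only      :", lookup_by_name_only(db, "admin"))
    print("name + domain  :", lookup_by_name_and_domain(db, "admin", "internal"))
    print("wrong identity :", resolves_to_wrong_domain(db, "admin@internal"))
    print("shared names   :", usernames_in_multiple_domains(db))
```

The audit query can be adapted to an existing `users` table to list accounts that share a username across domains before and after an upgrade.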

Comment 16 Yair Zaslavsky 2014-05-11 12:39:53 UTC
(In reply to Tal Nisan from comment #14)
> Yair, this was the same issue that happened to me, even if it's not the same
> issue as in this bug it still has to be addressed since it seems to
> happen to other people as well

Tal -
a. Please correct me if I'm wrong - You're working on upstream, not downstream.
b. As I said - different reason. If needed - please open a different bug for that and I will take care. As you can see in my detailed explanation - the code that caused the issue no longer exists at master, so the issue you and Vered saw has to do with some other stuff.

Comment 17 Yair Zaslavsky 2014-05-11 12:49:48 UTC
(In reply to Yair Zaslavsky from comment #15)
> The bug is due to the following:
> 1. The environment has several users with username 'internal' in different
> domains.
> 
> 2.
> the following code:
> InternalBrokerUtils.getUserByUPN is called by both the authentication part
> (authenticateUser) and the authorization part (getUserByName).
> 
> Unfortunately, getUserByUPN checks only the user name, and not the domain -
> thus a wrong user is checked.
> 
> This does occur in 3.5/upstream due to the following:
> Internal*Command were removed , the Internal authn and authz are properly
> used (in 3.4 although the classes exist, they were not used).
> 
> Suggested fix:
> InternalBrokerUtils.getUserByUPN will receive not just the user name, but
> also the domain  - then we will check the db by both parameters (user name +
> domain) - this will ensure we will get the proper user.
> 
> In order to test the fix (once issued) please add using an ldap domain a
> user named 'admin'.

Correction to myself:

This does occur in 3.5/upstream due to the following: should be
"This doesn't occur".

Comment 19 Ilanit Stein 2014-05-13 06:38:23 UTC
Additional information:
Removing the additional user, carrying the same name, from users table in DB, resolves the problem.

engine=# select name, domain, user_id from users ;
   name   |        domain         |               user_id                
----------+-----------------------+--------------------------------------
 admin    | internal              | fdfc627c-d875-11e0-90f0-83df133b58cc
 vdcadmin | qa.lab.tlv.redhat.com | 9b9002d1-ec33-4083-8a7b-31f6b8931648
 admin    | qa.lab.tlv.redhat.com | 62e8f0a0-c375-403a-a402-3daa2c384fc5
(3 rows)
engine=# DELETE FROM users where user_id='62e8f0a0-c375-403a-a402-3daa2c384fc5';
DELETE 1

engine=# select name, domain, user_id from users ;
   name   |        domain         |               user_id                
----------+-----------------------+--------------------------------------
 admin    | internal              | fdfc627c-d875-11e0-90f0-83df133b58cc
 vdcadmin | qa.lab.tlv.redhat.com | 9b9002d1-ec33-4083-8a7b-31f6b8931648
(2 rows)

Comment 20 Ondra Machacek 2014-05-14 11:30:01 UTC
Upgrade succeeded.

I had one admin@domain user and one admin@internal.

#select user_id, name, domain from users;
               user_id                | name  |             domain              
--------------------------------------+-------+---------------------------------
 2f7e212f-744c-4836-87a4-340652e3edb1 | admin | ad2.rhev.lab.eng.brq.redhat.com
 fdfc627c-d875-11e0-90f0-83df133b58cc | admin | internal


After upgrade I am able to login with both users. Moving to verified.

rhevm-3.4.0-0.20.el6ev.noarch

Comment 21 Itamar Heim 2014-06-12 14:08:54 UTC
Closing as part of 3.4.0

