Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1568413 - admin account constantly gets locked after password changed
Summary: admin account constantly gets locked after password changed
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Network
Version: 4.2.2
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: ovirt-4.2.3
: ---
Assignee: Dominik Holler
QA Contact: Michael Burman
Depends On:
Blocks: 1511823
TreeView+ depends on / blocked
Reported: 2018-04-17 12:58 UTC by Dominik Holler
Modified: 2018-05-10 06:27 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-10 06:27:59 UTC
oVirt Team: Network
rule-engine: ovirt-4.2+
rule-engine: blocker+

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
oVirt gerrit 90408 master MERGED backend: Deactivate autoSync on authentication failure 2018-04-23 16:15:38 UTC
oVirt gerrit 90547 ovirt-engine-4.2 MERGED backend: Deactivate autoSync on authentication failure 2018-04-24 09:58:18 UTC

Description Dominik Holler 2018-04-17 12:58:38 UTC
Description of problem:
If the password of the user account which is used to authenticate oVirt
Engine to the ovirt-provider-ovn is changed, but the password is not
updated in Engine's provider configuration, Engine continues to
use the old password to access the provider. This behavior results in
locking the user account, because of the high number failed
authentication tries.

For a number of reasons, this is especially annoying:
* In the default configuration the user account is admin@internal.
* The user might not notice, that the password is stored in Engine's
  provider configuration, because it is created automatically.
* The user might not be aware that AutoSync is using the provider in the

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable the ovirt-provider-ovn during engine-setup
2. Change password of admin@internal
3. Wait longer than 5 allowed attempts * 5 minutes auto_sync cycle = 25 minutes

Actual results:
admin@internal is locked

Expected results:
admin@internal is not locked

Additional info:

Comment 1 Michael Burman 2018-04-30 04:50:47 UTC
Now, after admin@internal password is changed and the authentication credentials are invalid, autoSync is disabled for the provider to prevent further invalid authentication attempts which may result in Engine locks the user account.

After the password is changed, there only one attempt to autoSync which is failed 
Failed to synchronize networks of Provider ovirt-provider-ovn, because the authentication information of the provider is invalid. Automatic synchronization is deactivated for this Provider."

After 25 minutes(default autoSync) i'm able to login with the new new password and user admin@internal doesn't get locked. 

Verified on -

Comment 2 Sandro Bonazzola 2018-05-10 06:27:59 UTC
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.