1

I have a new Eucalyptus installation and new Eucaconsole installation. I have created users with login profiles and passwords assigned and verified them as not expired and enabled.

No matter what account/user/pass I log into the console with (even invalid accounts) I am delivered to a password reset page. The password reset appears to work but when I then click on any other part of the console or the generate keys button I am logged out and the whole problem starts again. The freshly changed password is asked to be changed again. I'm seeing errors nowhere in my logs. I see this in the eucaconsole_nginx_access.log each time this occurs.

10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "GET /managecredentials?came_from=&expired=true&account=console&username=admin HTTP/1.1" 200 4447 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

10.0.0.7 - - [09/Nov/2018:13:14:59 -0500] "GET /static/4.4.4/html/help/console_manage_credentials.html HTTP/1.1" 304 0 "https://cloud/managecredentials?came_from=&expired=true&account=console&username=admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

Did I miss an important piece in my setup or is this some kind of bug? The fact that it happens even for invalid credentials and nonsense users that don't exist is an interesting detail, but I haven't been able to make sense of it in a useful way.

FINAL: I abandoned this and rebuilt after the 4.4.5 release and all is working.

D N
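
The pattern in the access log excerpt above (a `POST /login` answered with 302, then the same client landing on `/managecredentials` with `expired=true`) can be counted per account and user to show whether every identity is affected. This is an added example, not part of the original post or of Eucalyptus; the function names, the threshold and the sample entries are constructed, and it assumes nginx "combined" format with one entry per line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# nginx "combined" access-log format, one entry per line (assumption).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample entries, same shape as the excerpt in the question.
SAMPLE = '''\
10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "UA"
10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "GET /managecredentials?came_from=&expired=true&account=console&username=admin HTTP/1.1" 200 4447 "https://cloud/" "UA"
10.0.0.7 - - [09/Nov/2018:13:14:59 -0500] "GET /static/4.4.4/html/help/console_manage_credentials.html HTTP/1.1" 304 0 "https://cloud/" "UA"
10.0.0.7 - - [09/Nov/2018:13:16:10 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "UA"
10.0.0.7 - - [09/Nov/2018:13:16:10 -0500] "GET /managecredentials?came_from=&expired=true&account=console&username=admin HTTP/1.1" 200 4447 "https://cloud/" "UA"
10.0.0.9 - - [09/Nov/2018:13:17:02 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "UA"
10.0.0.9 - - [09/Nov/2018:13:17:02 -0500] "GET /managecredentials?came_from=&expired=true&account=nosuch&username=nobody HTTP/1.1" 200 4447 "https://cloud/" "UA"
10.0.0.12 - - [09/Nov/2018:13:18:30 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "UA"
10.0.0.12 - - [09/Nov/2018:13:18:30 -0500] "GET / HTTP/1.1" 200 9000 "https://cloud/" "UA"
'''

def expired_redirects(lines):
    """Count login POSTs answered with 302 whose next request from the same
    client is the expired-password page, keyed by (account, username)."""
    pending, hits = set(), Counter()   # pending: clients that just posted a login
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip entries that are not in combined format
        ip, url = m["ip"], urlsplit(m["target"])
        if (m["method"], url.path, m["status"]) == ("POST", "/login", "302"):
            pending.add(ip)
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        if ip in pending and url.path == "/managecredentials" and q.get("expired") == ["true"]:
            hits[(q.get("account", [""])[0], q.get("username", [""])[0])] += 1
        pending.discard(ip)            # only the request right after the login counts
    return hits

def looping(hits, threshold=2):
    """Identities sent to the expired-password page at least `threshold` times."""
    return sorted(k for k, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(looping(expired_redirects(SAMPLE.splitlines())))
```

Run against the real `eucaconsole_nginx_access.log`, an identity that does not exist showing up in the counter matches the behaviour described in the question.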

2 Answers

0

For admin users in an account, setting a password (e.g. euare-usermodloginprofile or euare-useraddloginprofile) should be sufficient to allow console access.

When you add non-admin users to an account they will not have permission to perform any actions until you grant access via IAM policy. Using the console you can access the details for a user and use ADD ACCESS POLICY under GENERAL / PERMISSIONS. You can pick a predefined policy such as User access or Monitor access to get started.

http://docs.eucalyptus.cloud/eucalyptus/4.4.4/index.html#shared/console_user_detail_general.html

Steve Jones
  • `euare-useraddloginprofile: error (EntityAlreadyExists): User admin already has a login profile` I'm also getting these errors in the `cloud-requests.log` that I think are coincident to these failed console logins `simpleworkflow SimpleWorkflowErrorResponse [400 WorkflowExecutionAlreadyStartedFault]` – D N Nov 12 '18 at 16:35
  • It is expected that you will see a failure from `euare-useraddloginprofile` if the user already has a login profile; in that case you would use `euare-usermodloginprofile`, which is why I mentioned both commands. Any errors from simpleworkflow are not directly related to the console login issue. It sounds like you are now having a general issue where no users are able to log in rather than an error with only some users. If this is the case then the basic items to check are that services are up (`euserv-describe-services`) and that all systems have the correct time/date. – Steve Jones Nov 13 '18 at 18:06
0

Piggybacking on Steve's response, this is what I do for the admin group of the account. Save the file as admin-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Then import the policy for the group. For example, my accounting group is isp-services and my admin group is isp-services-admins. Be sure your user is part of the group.

euare-groupuploadpolicy --as-account "isp-services" -g isp-services-admins -p AccountAdminAccessPolicy-isp-services-admins -f admin-policy.json

Nunes
  • I think both replies might be jumping too far ahead of where my problem leaves me. The admin user on any account already has these security profiles by default and only needs to have a login profile assigned according to the docs: https://docs.eucalyptus.cloud/eucalyptus/4.4.4/index.html#shared/console_config_account_credentials.html – D N Nov 12 '18 at 19:23
  • I feel like some of the detail about the console behavior I've noted is being ignored. For instance should I expect even non-existent and known invalid users and bad passwords to be prompted for password change? I'm fudging in nonsensical info for all fields and getting prompted for password change. That is the behavior I'm seeing for my account admin users as well which tells me the console is not operating properly. – D N Nov 12 '18 at 19:29