Bug 1102333

Summary:	Registration from subscription-manager GUI is broken
Product:	Red Hat Satellite	Reporter:	Eric Helms <ehelms>
Component:	Content Management	Assignee:	Eric Helms <ehelms>
Status:	CLOSED CURRENTRELEASE	QA Contact:	sthirugn <sthirugn>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	6.0.3	CC:	cwelton, jmontleo, mmccune, sthirugn
Target Milestone:	Unspecified	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
URL:	http://projects.theforeman.org/issues/5938
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-07-02 14:08:19 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Eric Helms 2014-05-28 19:06:20 UTC

Recent changes to permissions in Katello seem to have broken subscription manager's registration functionality in the GUI.

The failure occurs when subman attempts to update the system's package profile during its registration process and is due to a permissions error.

Currently subscription manager expects that the package profile can be updated via basic auth (admin user) and consumer auth (oauth), and it appears that an admin via basic auth is no longer able to make this call.

Registration via the subman CLI is different (and working) because it creates a new connection using the newly aquired consumer id cert and uses it to update the package profile. We can fix this in subamn, but it will still be broken for old subman clients. We have to support both.

Generally in subscription manager, most 'consumer' related API calls are made via consumer id cert, however, many of them can be made via basic auth (a user who has permissions).

The following should be checked to ensure that the API can be called via basic auth.

<pre>
Basic Auth (User)
---------------------------
GET /
GET /users/{user_uuid}/owners
GET /owners/{owner_key}/environments
POST /environments/{environment}/consumers (registration)
PUT /consumers/{consumer_uuid}/packages

POST /consumers/{consumer_uuid} (force regen of identity certificate)
GET /owners/{org_id}/servicelevels
PUT /hypervisors
</pre>


Exception details:
<pre>
[DEBUG 2014-05-27 10:18:38 cp_proxy] Checking  params  for katello/api/v1/candlepin_proxies/upload_package_profile
  Katello::System Load (0.6ms)  SELECT "katello_systems".* FROM "katello_systems" WHERE "katello_systems"."uuid" = '0b7712ee-42ad-4ed4-9141-b61cd3ba6116' LIMIT 1
  Rendered api/v1/errors/access_denied.json.rabl (1.4ms)
Filter chain halted as :authorize_client rendered or redirected
Completed 403 Forbidden in 37.4ms (Views: 30.7ms | ActiveRecord: 0.6ms)
With body: {"message":"Access denied","details":null}
</pre>

Comment 1 Eric Helms 2014-05-28 19:06:22 UTC

Created from redmine issue http://projects.theforeman.org/issues/5938

Comment 2 Eric Helms 2014-05-28 19:06:26 UTC

Upstream bug assigned to ehelms

Comment 4 Eric Helms 2014-06-03 20:36:07 UTC

https://github.com/Katello/katello/pull/4158

Comment 6 sthirugn@redhat.com 2014-06-06 21:12:38 UTC

Failed.

Verification Steps:
1. Launch subscription-manager-gui
2. Go to System -> Register
3. Register with: sat6host:443/katello/api. Click Next
4. Enter credentials: admin/changeme. click Next
5. UI error message: User admin is not able to register with any orgs

Note: registration via cli worked fine

Version Tested:
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.7-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.7-1.el6_5.noarch
* candlepin-tomcat6-0.9.7-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.14-1.el6sat.noarch
* foreman-compute-1.6.0.14-1.el6sat.noarch
* foreman-gce-1.6.0.14-1.el6sat.noarch
* foreman-libvirt-1.6.0.14-1.el6sat.noarch
* foreman-ovirt-1.6.0.14-1.el6sat.noarch
* foreman-postgresql-1.6.0.14-1.el6sat.noarch
* foreman-proxy-1.6.0.6-1.el6sat.noarch
* foreman-selinux-1.6.0-4.el6sat.noarch
* foreman-vmware-1.6.0.14-1.el6sat.noarch
* katello-1.5.0-25.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.5-1.el6sat.noarch
* katello-installer-0.0.45-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.18.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.18.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.18.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.18.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.18.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.18.beta.el6sat.noarch
* pulp-server-2.4.0-0.18.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch

Comment 7 sthirugn@redhat.com 2014-06-10 13:32:37 UTC

The above test was performed with subscription-manager-gui-1.9.11-1.el6.x86_64.

Comment 8 Eric Helms 2014-06-10 14:16:55 UTC

Please re-test with snap9 as there are number of changes that have gone in since the last one.

Comment 10 sthirugn@redhat.com 2014-06-13 19:39:04 UTC

Verified.

Now I am able to register/subscribe a content-host to sat6:
1. using activation key - PASS
2. using env/cv - FAIL (Another bug https://bugzilla.redhat.com/show_bug.cgi?id=1109380 is written to track this)

Note: Also retrieving active subscriptions failed which is tracked in a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1109398

Version Tested:
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.17-1.el6sat.noarch
* foreman-compute-1.6.0.17-1.el6sat.noarch
* foreman-gce-1.6.0.17-1.el6sat.noarch
* foreman-libvirt-1.6.0.17-1.el6sat.noarch
* foreman-ovirt-1.6.0.17-1.el6sat.noarch
* foreman-postgresql-1.6.0.17-1.el6sat.noarch
* foreman-proxy-1.6.0.7-1.el6sat.noarch
* foreman-selinux-1.6.0-4.el6sat.noarch
* foreman-vmware-1.6.0.17-1.el6sat.noarch
* katello-1.5.0-26.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.5-1.el6sat.noarch
* katello-installer-0.0.48-1.el6sat.noarch
* openldap-2.4.23-31.el6.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.20.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.20.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.20.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.20.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.20.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.20.beta.el6sat.noarch
* pulp-server-2.4.0-0.20.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch

Comment 11 Bryan Kearney 2014-07-02 14:08:19 UTC

This was delivered with 6.0.3, which is the Satellite 6 Beta.

Comment 12 Bryan Kearney 2014-07-02 14:09:38 UTC

This was delivered in 6.0.3, the Beta version of Satellite 6.0