Bug 1273582

Summary: Permissions seem to be wrong
Product: Red Hat Certification Program Reporter: Glen Millard <gmillard>
Component: Certification Workflow EngineAssignee: MaoPeng <pmao>
Status: CLOSED CURRENTRELEASE QA Contact: Suprith Gangawar <sgangawa>
Severity: high Docs Contact:
Priority: urgent    
Version: 1.0CC: hrivero, pmao, rlandry, sguha, thong, tmctighe
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-24 00:14:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Error message
none
Error message when trying to create a cert for "Black Duck Hub" with account hrivero@redhat.com none

Description Glen Millard 2015-10-20 18:03:22 UTC
Created attachment 1084857 [details]
Error message

Description of problem:

I cannot create a new certification on the production CWE.
When I log in using my Red Hat SSO, I get a "you do not have permissions" message


Version-Release number of selected component (if applicable):


How reproducible:

Repoducible

Steps to Reproduce:
1.Log on to the prodcution CWE - access.redhat.com
2.Browse to a vendor/ISV page
3.Click on a product
4.Select an existing Software product.
5.Click on create new cert
6.See the error result

Actual results:

Permission denied message


Expected results:

Should be able to create a cert.


Additional info:

Comment 1 MaoPeng 2015-10-21 07:31:03 UTC
Hi Glen,

Can you verify if you are in the user list of the vendor which you want to create cert for ? 
Only the sso account who is in the user list of the vendor can create cert for it.

Traivs,

Any idea about this issue?
Is Glen have the proper right to access the HAProxy products?


Thanks,
Peng Mao

Comment 2 Travis McTighe 2015-10-21 14:32:38 UTC
Peng,

The access denied is occuring when Glen gets redirected to https://hardware.redhat.com/enter.cgi?product_nid=1471483&product_type=sw&vendor_nid=1466253

Comment 3 Glen Millard 2015-10-21 17:37:45 UTC
(In reply to MaoPeng from comment #1)
> Hi Glen,
> 
> Can you verify if you are in the user list of the vendor which you want to
> create cert for ? 
> Only the sso account who is in the user list of the vendor can create cert
> for it.
> 
> Traivs,
> 
> Any idea about this issue?
> Is Glen have the proper right to access the HAProxy products?
> 
> 
> Thanks,
> Peng Mao

Peng - this is HAProxy - it was the vendor that attempted to submit the cert. I had to use the 'vendor login' feature to be able to create the cert. Otherwise, I was getting a 'permission denied' message.

The catalogue is for HAProxy:

https://access.redhat.com/ecosystem/software/1471483

The user is using the 'haproxy' userid to submit a cert from the rhcert-backend tool.

He is getting the following:
+++++++++++++++++++

Hi Glen,

I'm getting the user access errors when trying to submit the image for
the certification process:

Error: could not submit the image
Error: The username or password you entered is not valid. (300)

I'm using the haproxy username with the corresponding password we've had
on our registry -- has that been changed? I've replicated step by step
on how we've been publishing the previous images..


Kind regards,
D.
+++++++++++++++++++++++

Comment 4 Hugo Rivero 2015-10-21 19:23:02 UTC
I tried this with my account as well. I attempted to create a certification for Black Duck Hub:
https://access.redhat.com/ecosystem/software/2018643

And got a permission error. I even tried to add myself to the list of "Certification Users" for that vendor. Didn't make any difference.

This means the certification workflow is broken and partners cannot submit a new certification. This is a P1, please treat is as such.

Comment 5 Hugo Rivero 2015-10-21 19:24:40 UTC
Created attachment 1085271 [details]
Error message when trying to create a cert for "Black Duck Hub" with account hrivero

Comment 7 Hong Tao 2015-10-22 02:19:54 UTC
Hi, Travis,

This problem is caused by that 'groupMembers' attribute of each vendor has disappear. When I try to use relative link to get IBM's vendor information, it shows like following:

<vendor>
  <title>IBM</title>
  <language>en</language>
  <id>918313</id>
  <tnid>0</tnid>
  <uri>https://api.access.redhat.com/rs/ecosystem/vendors/918313</uri>    
  <viewUri>https://access.redhat.com/ecosystem/vendors/918313</viewUri>
  <tsaNetMemberLevel>Premium</tsaNetMemberLevel>
  <displayTitle>IBM</displayTitle>
  <vendorType>Certified Hardware</vendorType>
  <vendorType>Certified Software</vendorType>
  <logoUrl>https://access.redhat.com/sites/default/files/ibm_small.jpg</logoUrl></vendor>

Obviously no 'groupMembers' attribute in the xml. The node for 'Black Duck Software, Inc.' are the same, no 'groupMembers' attribute in xml. From CWE, we can determine if a user can/cannot create a cert by and only by seeing the login name is in the 'groupMembers' or not. But now the 'groupMembers' attribute disappear, all login users are not in the 'groupMembers', so no one can create cert from CWE redirected from UCC. Would you please help us to take a look in this issue? This could be a blocking issue... Thanks a lot for your kindly help!

Best Regards,
Hong Tao

Comment 8 Hugo Rivero 2015-10-22 13:37:06 UTC
Are there any workarounds to allow a Red Hat person to create a cert ID? If so, will an external user be allowed to use that cert id to submit a certification via rhcert?

Comment 9 Glen Millard 2015-10-23 12:06:14 UTC
I'm now seeing a 'broken pipe' message at the command line. Errno 32 Broken Pipe.

I cancelled the operation and I tried again.

The upload seems to be 'stuck' - 40 minutes with no activity.

Glen

Comment 10 Glen Millard 2015-10-23 12:13:44 UTC
When I attempt to submit the second time, I see the following:

Red Hat Catalog User Name: gmillard
response: gmillard

Password: 
Error: could not ftp image file: [Errno 110] Connection timed out
FTP to dropbox.redhat.com
RHEL71Vbox [root@rhel7glenI openshift-haproxy

Comment 11 MaoPeng 2015-11-11 06:03:54 UTC
Please try again on web2 or partner site, we have fix that.

Comment 12 MaoPeng 2015-11-11 06:04:23 UTC
Please try again on web2 or partner site, we have fix that.

Comment 13 MaoPeng 2015-11-13 06:52:53 UTC
Partner site is fixed by workaround way, Live site need to be fixed by IT to change the configuration of idp.redhat.com which refuse connection request from hardware.redhat.com.

Comment 14 Suman Guha 2015-11-13 15:01:05 UTC
Hi folks,

This is may or may not be related but I logged into access.redhat.com with my sso account and then I tried logging to hardware.redhat.com and got this following error on live site. (useraccount I used: sguha)

Software error:

Insecure dependency in piped open while running with -T switch at Catalog/Strata/StrataClient.pm line 805.

For help, please send mail to the webmaster (bugzilla-owner), giving this error message and the time and date of the error. 

@Mao do you think this maybe because of idp.redhat.com issue ? But I tried logging on access.stage.redhat.com and cwe stage: https://partner-hwcert.redhat.com/ it worked perfectly there.