Bug 1601762

Summary:	accessing subscription.rhn.redhat.com unexpectedly
Product:	Red Hat Satellite	Reporter:	Masatake YAMATO <yamato>
Component:	Subscription Management	Assignee:	Michael Johnson <micjohns>
Status:	CLOSED ERRATA	QA Contact:	jcallaha
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.3.1	CC:	cdonnell, jturel, micjohns, mshimura, pcreech
Target Milestone:	6.5.0	Keywords:	EasyFix, Patch, Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-05-14 12:37:37 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Masatake YAMATO 2018-07-17 08:04:53 UTC

Description of problem:

katello accesses subscription.rhn.redhat.com when refreshing manifest.
The host name is not listed in https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html/installation_guide/installing_satellite_server#configuring_satellite_http_proxy.

As the result refreshing manifest fails always if an intermediate web proxy server allows only the sites listed in the document.


Version-Release number of selected component (if applicable):

tfm-rubygem-katello-3.4.5.64-1.el7sat.noarch

How reproducible:


Steps to Reproduce:
1. Setup a web proxy server allows only sites listed in the document,
2. Setup a satellite server that uses the web proxy,
3. Upload a manifest, and
4. Refresh the manifet with hammer like "hammer subscription refresh-manifest".

Actual results:

[root@foo setup]# hammer subscription refresh-manifest
[..........................................................] [100%]
Error: 403 "Forbidden"
[root@f00 setup]# echo $?
70

Expected results:
[root@foo setup]# hammer subscription refresh-manifest
[..........................................................] [100%]
[root@foo setup]# echo $?
0

Additional info:

In /theforeman/tfm/root/usr/share/gems/gems/katello-3.4.5.64/app/models/katello/glue/provider.rb of tfm-rubygem-katello-3.4.5.64-1.el7sat.noarch,
"subscription.rhn.redhat.com" is hardcoded.

I guess it should be: 
[root@foo setup]# diff -ruN /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.4.5.64/app/models/katello/glue/provider.rb /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.4.5.64/app/models/katello/glue/provider.rb.new 
--- /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.4.5.64/app/models/katello/glue/provider.rb	2018-07-13 16:42:12.732384769 +0900
+++ /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.4.5.64/app/models/katello/glue/provider.rb.new	2018-07-17 16:59:13.052732482 +0900
@@ -60,7 +60,7 @@
         end
 
         # Default to Red Hat
-        url = upstream['apiUrl'] || 'https://subscription.rhn.redhat.com/subscription/consumers/'
+        url = upstream['apiUrl'] || 'https://subscription.rhsm.redhat.com/subscription/consumers/'
 	Rails.logger.warn "XXX: #{url}"
 
         # TODO: wait until ca_path is supported
@@ -84,7 +84,7 @@
         end
 
         # Default to Red Hat
-        url = upstream['apiUrl'] || 'https://subscription.rhn.redhat.com/subscription/consumers/'
+        url = upstream['apiUrl'] || 'https://subscription.rhsm.redhat.com/subscription/consumers/'
 
         # TODO: wait until ca_path is supported
         #       https://github.com/L2G/rest-client-fork/pull/8


 
This one is applicable to https://github.com/Katello/katello/blob/master/app/models/katello/glue/provider.rb .

Comment 1 Craig Donnelly 2018-07-23 18:59:03 UTC

The docs here are correct on the addresses.

The code pointed out indeed is pointing at the older address for subscription data and should be updated to point at subscription.rhsm.redhat.com.

(Based on the patch in comment #0.)

Thanks.

Comment 4 Jonathon Turel 2018-08-15 19:12:48 UTC

Changing the URL in Katello is not the ultimate fix. As the code shows, we only fall back to the hard-coded value when we don't get one from the manifest (upstream['apiUrl']).

If the user has an older manifest - not downloaded from the Portal in the last few weeks (this was a recent change) - they will get the old URL (subscription.rhn.redhat.com) within the manifest.

Downloading a new manifest today will ensure the user gets the new url (subscription.rhsm.redhat.com) and they'll be in agreement with the documentation. That said - katello still needs to be fixed.

Comment 5 Michael Johnson 2018-08-21 17:15:28 UTC

Created redmine issue https://projects.theforeman.org/issues/24675 from this bug

Comment 6 Satellite Program 2018-08-27 22:11:47 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/24675 has been resolved.

Comment 8 jcallaha 2019-02-14 20:30:45 UTC

Verified in Satellite 6.5.0 Snap 15.

Followed the steps outlined in the description.

Uploaded a manifest from 2017 and the refresh completed without any issues.

-bash-4.2# hammer -v subscription refresh-manifest --organization-id 1
[.............................................................] [100%]
-bash-4.2# 

Additionally, I had no issues enabling and syncing repositories from the cdn.

Comment 11 errata-xmlrpc 2019-05-14 12:37:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222