Bug 1888067

Summary:	rhsm-migrate-classic-to-rhsm fails to prompt me for the destination credentials; instead I get HTTP error (401 - Unauthorized): Invalid user credentials
Product:	Red Hat Enterprise Linux 8	Reporter:	John Sefler <jsefler>
Component:	subscription-manager	Assignee:	candlepin-bugs
Status:	CLOSED NOTABUG	QA Contact:	Red Hat subscription-manager QE Team <rhsm-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.3	CC:	redakkan
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-10-20 13:41:55 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description John Sefler 2020-10-13 22:37:39 UTC

Description of problem:

When using rhn-migrate-classic-to-rhsm without explicitly declaring the --destination-url, I encounter a "HTTP error (401 - Unauthorized): Invalid user credentials" error.  I expected to be interactively prompted for the destination credentials.  The destination url information is already configured in rhsm.conf.  Hence the workaround is to pass --destination-url as shown in the Additional info section below.


Version-Release number of selected component (if applicable):
[root@kvm-06-guest36 ~]# rpm -q subscription-manager
subscription-manager-1.27.16-1.el8.x86_64


How reproducible:


Steps to Reproduce:


[root@kvm-06-guest36 ~]# rhnreg_ks --serverUrl=https://rhsm-sat58.usersys.redhat.com/XMLRPC --username=rhsm-client --password=REDACTED --profilename=rhsm-automation.kvm-06-guest36.hv2.lab.eng.bos.redhat.com --force --norhnsd --nohardware --nopackages --novirtinfo
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# subscription-manager config --server.hostname=subscription.rhsm.stage.redhat.com
[root@kvm-06-guest36 ~]# subscription-manager config --server.port=443
[root@kvm-06-guest36 ~]# subscription-manager config --server.prefix=/subscription
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# truncate --size=0 /var/log/rhsm/rhsm.log
[root@kvm-06-guest36 ~]# 
[root@kvm-06-guest36 ~]# rhn-migrate-classic-to-rhsm --force
Legacy username: rhsm-client
Legacy password: 
Unable to connect to certificate server: HTTP error (401 - Unauthorized): Invalid user credentials.  See /var/log/rhsm/rhsm.log for more details.
[root@kvm-06-guest36 ~]# 

BANG! DID NOT EXPECT THAT RESPONSE.  INSTEAD I EXPECTED TO BE PROMPTED FOR DESTINATION CREDENTIALS

[root@kvm-06-guest36 ~]# cat /var/log/rhsm/rhsm.log
2020-10-13 18:07:01,767 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @https.py:56 - Using standard libs to provide httplib and ssl
2020-10-13 18:07:19,630 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:169 - Environment variable NO_PROXY= will be used
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:265 - Connection built: host=subscription.rhsm.stage.redhat.com port=443 handler=/subscription auth=basic username=rhsm-client
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @identity.py:139 - Loading consumer info from identity certificates.
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @identity.py:154 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2020-10-13 18:07:19,631 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:685 - Making request: GET /subscription/status
2020-10-13 18:07:19,633 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:570 - Loaded CA certificates from /etc/rhsm/ca/: rhsm-auto8-candlepin.pem, rhsm-auto8-gate-candlepin.pem, redhat-entitlement-authority.pem, redhat-uep.pem
2020-10-13 18:07:20,009 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:779 - Response time: 0.2996184825897217, Smoothed response time: 0.2996184825897217
2020-10-13 18:07:20,009 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:756 - Response: status=200, requestUuid=85df33b1-f225-4bf8-a753-53c115e0cec1, request="GET /subscription/status"
2020-10-13 18:07:20,165 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:685 - Making request: GET /subscription/users/rhsm-client/owners
2020-10-13 18:07:20,166 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:570 - Loaded CA certificates from /etc/rhsm/ca/: rhsm-auto8-candlepin.pem, rhsm-auto8-gate-candlepin.pem, redhat-entitlement-authority.pem, redhat-uep.pem
2020-10-13 18:07:20,732 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:779 - Response time: 0.298846960067749, Smoothed response time: 0.29954133033752445
2020-10-13 18:07:20,732 [DEBUG] rhn-migrate-classic-to-rhsm:981821:MainThread @connection.py:756 - Response: status=401, requestUuid=bb11a176-966e-446d-bb74-b4de5aa6cd3e, request="GET /subscription/users/rhsm-client/owners"
2020-10-13 18:07:20,732 [ERROR] rhn-migrate-classic-to-rhsm:981821:MainThread @migrate.py:299 - HTTP error (401 - Unauthorized): Invalid user credentials
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/migrate/migrate.py", line 297, in get_org
    owner_list = self.cp.getOwnerList(username)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 1306, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 880, in request_get
    return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 906, in _request
    info=info, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 765, in _request
    self.validateResponse(result, request_type, handler)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 839, in validateResponse
    raise RestlibException(response['status'], error_msg, response.get('headers'))
rhsm.connection.RestlibException: HTTP error (401 - Unauthorized): Invalid user credentials

Actual results:
  above - Unable to connect to certificate server: HTTP error (401 - Unauthorized): Invalid user credentials.  See /var/log/rhsm/rhsm.log for more details.

Expected results:
  expected the rhn-migrate-classic-to-rhsm tool to prompt me for a destination username and destination password



Additional info:

Notice below that when I explicitly pass the destination url as an argument, then the tool interactively prompts me for destination credentials and migration is successful.  This is a workaround...

[root@kvm-06-guest36 ~]# rhn-migrate-classic-to-rhsm --force --destination-url=https://subscription.rhsm.stage.redhat.com:443/subscription
Legacy username: rhsm-client
Legacy password: 
Destination username: stage_auto_testuser
Destination password: 

Retrieving existing legacy subscription information...

+-----------------------------------------------------+
System is currently subscribed to these legacy channels:
+-----------------------------------------------------+
rhel-x86_64-baseos-8

+-----------------------------------------------------+
Installing product certificates for these legacy channels:
+-----------------------------------------------------+
rhel-x86_64-baseos-8

Product certificates installed successfully to /etc/pki/product.

Preparing to unregister system from legacy server...
System successfully unregistered from legacy server.
Stopping and disabling legacy services...

Attempting to register system to destination server...
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
The system has been registered with ID: 3a452eb6-e934-4656-8b04-1f41bfff851e
The registered system name is: kvm-06-guest36.hv2.lab.eng.bos.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

System 'kvm-06-guest36.hv2.lab.eng.bos.redhat.com' successfully registered.

[root@kvm-06-guest36 ~]#

Comment 2 John Sefler 2020-10-14 00:50:13 UTC

As I think more about this test report and reflect on the original design for rhn-migrate-classic-to-rhsm, I believe this is working as designed and here is why... Since the server that is configured in the rhsm.conf file is a regex match for both hosted entitlement servers (subscription.rhsm(.stage).redhat.com), the assumption is that the user credentials that were used to register the system to the old hosted RHN would be the same credentials as used in the migration to the new RHSM. Therefore, it makes sense that the rhn-migrate-classic-to-rhsm did not prompt me for destination credentials in comment 0 because the assumption is that the migration from the old RHN to the new RHSM would use the same Red Hat account. That is why the rhsm.log file encounters a 401 Unauthorized on request="GET /subscription/users/rhsm-client/owners". In fact, the purpose for the --destination-url argument was intended to specify a non-hosted account, e.g. an onpremise satellite6 server.

This explains the behavior in comment 0 and comment 1 and is therefore working as has always been designed. So the question now is... why is this being reported now? The answer is because RHSMQE has test coverage for this scenario that has traditionally been executed as a tier3 test against a local onpremise candlepin whose url is not a match to subscription.rhsm(.stage).redhat.com. Due to recent initiatives by RHSMQE to start executing tier3 tests against stage, this test failure arose.

I vote to move this to CLOSED NOTABUG.

Comment 3 Rehana 2020-10-20 13:41:55 UTC

As per comment 2, closing this as not a bug.