Bug 624063
Summary: | Runtime Error thrown when unregistering a "person" consumer while one of his "system"'s is registered and consuming RHEL Personal Bits | ||
---|---|---|---|
Product: | [Community] Candlepin | Reporter: | John Sefler <jsefler> |
Component: | candlepin | Assignee: | Devan Goodwin <dgoodwin> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 0.5 | CC: | dgoodwin, whayutin |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-09-24 14:17:32 UTC | Type: | --- |
Description
John Sefler
2010-08-13 14:43:14 UTC
*** Bug 621557 has been marked as a duplicate of this bug. ***

I believe this is working as designed, the issue is a security violation. During the cleanup, we need to delete the sub-pool and thus revoke the sub-pool's entitlements. Because we're operating as the "person" consumer, our security system will (correctly) not let us modify the entitlements of the system consumer. If you attempt to unregister this person consumer by authenticating as a user or super admin, the unregister will work fine.

You can work around this very easily by doing the unregister as an owner admin:

    curl -k -u username:password -X delete https://candlepinurl/consumers/{uuid}

Essentially this is because we're using RHSM to behave as a "person" consumer. This is not how this would normally be done as RHSM is designed for system consumers, but being used here as it's just the most convenient way to test this right now. Eventually personal consumers would be managed by a GUI which would be creating/deleting that consumer when authenticated as an owner admin.

So by and large I would propose that we leave this behavior be, and instead modify the code to get a better error message out? Sound ok?

Hey Devan,

Using the curl command should be fine for RH-Personal on premises. We'll be looking for the RH-Personal Webui for hosted candlepin testing. Thanks!!!

fixed in 6b8121cf54296e27ecd2b376da700b0129e6a002

You should now get a standard ForbiddenException if you try to unbind or unregister a person consumer (as that consumer), if systems are still bound to the sub-pool. Admin unbind/unregister will still work.

ON FIRST CLIENT...

    [root@jsefler-rhel6-client01 ~]# rpm -q subscription-manager
    subscription-manager-0.75-1.git.29.c3b1d88.fc12.i386

Following the scenario in problem description, the unregister call on the first person consumer client no longer throws a Runtime Exception. Instead here's what we get:

    [root@jsefler-rhel6-client01 ~]# subscription-manager-cli unregister
    Cannot unregister due to outstanding entitlement: 9

^^^ VERIFIED no more Runtime Exception, and on the candlepin server a ForbiddenException is thrown...

ON PREMISES CANDLEPIN SERVER...

    [root@jsefler-f12-candlepin ruby]# git show-ref HEAD
    fdfdd379ed7a55960573e9d02a63bbd013b2b3d8 refs/remotes/origin/HEAD

VERIFIED tail -f /var/log/tomcat6/catalina.out CONTAINS THE ForbiddenException:

    Sep 07 17:26:51 [http-8443-1] ERROR org.fedoraproject.candlepin.exceptions.CandlepinExceptionMapper - Runtime exception:
    org.jboss.resteasy.spi.ApplicationException: org.fedoraproject.candlepin.exceptions.ForbiddenException
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
        at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:248)
        at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216)
        at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:205)
    <SNIP>

Moving to VERIFIED

Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING
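The access rule discussed in this bug, as an added example that is not part of the original thread and is not Candlepin code: a small Python model in which unregistering a person consumer must revoke sub-pool entitlements held by other consumers, and every revocation is authorized before any state changes. All names (`Principal`, `Store`, `can_modify`, `unregister`) and the sample data are assumptions made for illustration.

```python
# Toy model, NOT Candlepin code: every name and value here is hypothetical.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Stands in for the server's ForbiddenException."""

@dataclass
class Principal:
    kind: str                 # "consumer" or "owner_admin" (constructed labels)
    consumer_uuid: str = ""   # set only when kind == "consumer"

@dataclass
class Store:
    # entitlement id -> (uuid of the consumer holding it, pool id)
    entitlements: dict = field(default_factory=dict)
    # sub-pool id -> uuid of the person consumer the sub-pool derives from
    sub_pools: dict = field(default_factory=dict)
    consumers: set = field(default_factory=set)

def can_modify(principal, holder_uuid):
    """An owner admin may modify any entitlement; a consumer only its own."""
    return principal.kind == "owner_admin" or principal.consumer_uuid == holder_uuid

def unregister(store, principal, uuid):
    """Delete a consumer and revoke entitlements drawn from its sub-pools."""
    pools = {p for p, person in store.sub_pools.items() if person == uuid}
    doomed = [e for e, (holder, pool) in store.entitlements.items()
              if holder == uuid or pool in pools]
    # Authorize every revocation before mutating anything, so a denial is a
    # clean Forbidden rather than a failure halfway through the cleanup.
    blocked = [e for e in doomed
               if not can_modify(principal, store.entitlements[e][0])]
    if blocked:
        raise Forbidden(
            f"Cannot unregister due to outstanding entitlement: {blocked[0]}")
    for e in doomed:
        del store.entitlements[e]
    for p in pools:
        del store.sub_pools[p]
    store.consumers.discard(uuid)

def sample_store():
    """Constructed data: a person consumer and a system bound to its sub-pool."""
    return Store(
        entitlements={8: ("person-1", "personal-pool"),
                      9: ("system-1", "sub-pool-1")},
        sub_pools={"sub-pool-1": "person-1"},
        consumers={"person-1", "system-1"},
    )
```

Calling `unregister` on `sample_store()` as `Principal("consumer", "person-1")` raises `Forbidden` and leaves the store untouched, while `Principal("owner_admin")` completes the cleanup, matching the consumer and admin outcomes described in the thread.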