Bug 661263
| Field | Value |
|---|---|
| Summary | Channels listed as private show up to non-trusted organizations created in RHN Satellite v5.4.0 |
| Product | Red Hat Satellite 5 |
| Component | Server |
| Version | 540 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | medium |
| Reporter | Paresh Mutha <pmutha> |
| Assignee | Jan Pazdziora <jpazdziora> |
| QA Contact | Martin Minar <mminar> |
| CC | cperry, jsherril, mkoci, mminar, paji, xdmoon |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | spacewalk-java-1.2.39-35 |
| Doc Type | Bug Fix |
| Doc Text | Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access. |
| Last Closed | 2010-12-16 15:45:28 UTC |
| Bug Blocks | 646488 |
Description
Paresh Mutha
2010-12-08 11:13:10 UTC
The odd thing about rhnuserchannel is that neither it nor any of the views it used changed between 5.3 and 5.4. At least according to my quick check of git. Paresh is however pointing to the right place to start looking.

I've been looking at this bug with Partha and then Justin near end of day. It seems when you create a new Org you get:

```
SQL> select * from rhnPrivateChannelFamily where org_id = '25';

CHANNEL_FAMILY_ID ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED MODIFIED
------------------- --------- ---------
1202 25 0 0 0 10-DEC-10 10-DEC-10

SQL>
SQL> select id, org_id, label from rhnChannelFamily where org_id = '25';

ID ORG_ID
---------- ----------
LABEL
--------------------------------------------------------------------------------
1202 25 private-channel-family-25

SQL>
```

When you add say Management entitlement - the same.

If you then go to /rhn/admin/multiorg/OrgSoftwareSubscriptions.do and give the new org say 7 of something, we then have:

```
SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members is NULL;

CHANNEL_FAMILY_ID ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED MODIFIED
------------------- --------- ---------
1000 25 0 0 0 10-DEC-10 10-DEC-10
1202 25 0 0 0 10-DEC-10 10-DEC-10

SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members != '0';

CHANNEL_FAMILY_ID ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED MODIFIED
------------------- --------- ---------
1043 25 7 0 0 0 10-DEC-10 10-DEC-10

SQL>
```

Basically *something* somewhere is setting Max_Members to unlimited/Null for the Private Channel Family for the base org to other Orgs. This is why new orgs created can see channels from base org, even though they had not been granted permission to do so.

Hopefully can continue looking Monday.

In 5.3 code base:

Create a new Org, no entitlements yet:

```
SQL> select * from rhnPrivateChannelFamily where org_id = '43';

CHANNEL_FAMILY_ID ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
1522 43 0 10-DEC-10 10-DEC-10
```

Then add entitlement for software channel for anything:

```
SQL> /

CHANNEL_FAMILY_ID ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
1176 43 7 0 10-DEC-10 10-DEC-10
1522 43 0 10-DEC-10 10-DEC-10

SQL>
```

Here, we do not copy/populate everything out of base org with values set to '0' and incorrect for the private-channel for base org. So, we can see the end result differences. Just to track down what/where something changed, if it was FlexGuest or other code changes.

Cliff

Looking when using Admin > Subscriptions > <specific channel entitlement> and set values for multiple orgs on that page:

rhn/admin/multiorg/SoftwareEntitlementSubscriptions.do

We do not exhibit this issue. While Admin > Organizations > <Org Name> > Subscriptions > Software Channel Subscriptions does insert a 'bad' private channel family entry to DB for org in Q. At least from the observed behavior from looking.

Should be fixed here: c2e182b60ac124f2660471f56b48e90251357ab4

Basically when distributing entitlements to an org, extra channel families were being included which shouldn't have been. This patch will not fix existing orgs that have the issue, but will only fix newly created orgs. A query will need to be run manually to fix existing orgs.

-Justin

The fix was cherry picked to SATELLITE-5.4, a45b75ec627dec255861a2a06ab92d123dcb9ee1, sadly without -x. It was tagged as spacewalk-java-1.2.39-35.

ack, sorry about missing the -x

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0991.html

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access.

I believe another symptom has been fixed by this errata where under an activation key -> child channels, duplicate entries for custom/cloned channels are displayed and trying to update such activation key would result in traceback.
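
A read-only audit for the condition described in this thread, as an added example that is not code from the bug report or from Spacewalk: it lists rhnPrivateChannelFamily rows whose channel family is owned by a different org. SQLite stands in for the Satellite database and the rows are constructed from the org 25 listing; that family 1000 belongs to org 1, and that an org-owned family should be held only by its owner, are assumptions.

```python
import sqlite3

# Audit: entitlement rows that give an org a channel family owned by a
# different org. Column names are the ones shown in the SQL*Plus output above.
AUDIT_SQL = """
SELECT pcf.org_id  AS grantee_org,
       cf.id       AS channel_family_id,
       cf.org_id   AS owner_org,
       cf.label,
       pcf.max_members
  FROM rhnPrivateChannelFamily pcf
  JOIN rhnChannelFamily cf ON cf.id = pcf.channel_family_id
 WHERE cf.org_id IS NOT NULL        -- org-owned (private) family
   AND cf.org_id <> pcf.org_id      -- held by some other org
 ORDER BY pcf.org_id, cf.id
"""

def build_sample_db():
    """Constructed rows modelled on the org 25 listing in the report."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE rhnChannelFamily (id INTEGER PRIMARY KEY, org_id INTEGER, label TEXT);
        CREATE TABLE rhnPrivateChannelFamily (
            channel_family_id INTEGER, org_id INTEGER,
            max_members INTEGER, current_members INTEGER);
    """)
    db.executemany("INSERT INTO rhnChannelFamily VALUES (?,?,?)", [
        (1000, 1, "private-channel-family-1"),      # assumed: owned by base org 1
        (1043, None, "vendor-family-placeholder"),  # assumed: vendor family, no owner
        (1202, 25, "private-channel-family-25"),    # id and label from the report
    ])
    db.executemany("INSERT INTO rhnPrivateChannelFamily VALUES (?,?,?,?)", [
        (1000, 1, None, 0),    # base org's own family: expected
        (1000, 25, None, 0),   # the 'bad' row: org 25 holds the base org's family
        (1202, 25, None, 0),   # org 25's own family: expected
        (1043, 25, 7, 0),      # ordinary entitlement of 7: expected
    ])
    return db

def find_cross_org_grants(db):
    """Return (grantee_org, family_id, owner_org, label, max_members) tuples."""
    return db.execute(AUDIT_SQL).fetchall()

if __name__ == "__main__":
    for row in find_cross_org_grants(build_sample_db()):
        print("org %s holds family %s owned by org %s (%s), max_members=%r" % row)
```

The query uses only columns that appear in the thread; it is not the manual cleanup query mentioned above, which the report does not include.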