| Summary: | repo-auth fails to protect the repo if certs are added after repo bind | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Preethi Thomas <pthomas> |
| Component: | z_other | Assignee: | Pradeep Kilambi <pkilambi> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | jason.dobies |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-24 20:13:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Preethi Thomas
2011-04-11 20:29:43 UTC
commit d798f37a16d76319ab0e38424316fe024c8c9ccf

tree e53c3e91d09af1a2f1adfd9aaafdbaf2a0c1e595

695483 - Need to pass in an empty bundle to trigger the files getting deleted on the server.

src/pulp/client/core/repo.py

Ok, here's what happened.

When passing --remove_consumer_cert, the CLI was incorrectly doing the remove call. It wasn't passing in an empty bundle but rather just None. On the server, it expects an empty bundle and uses that bundle as the driver to cause the repo certs to be deleted. Since the bundle wasn't there, the certs weren't deleted. That's why /etc/pki/content/f13 still had certs in it. We'll come back to that later.

What was successful on the server was removing the entry from pulp-protected-repos for f13. That means pulp's auth didn't think it was protected and didn't bother applying any validation. Hence, you got through.

Getting back to the certs still existing in /etc/pki/content/f13, that's what the "Consumer Certs: Yes" used to determine if auth was enabled. So that's why it reported consumer auth was active even though it wasn't listed in pulp-protected-repos.

So, to reproduce:

- Configure a repo with individual auth.
- Verify it's protected.
- Remove the auth with --remove_consumer_cert
- Verify it's unprotected.
- Re-add the auth with repo update.
- Verify it's protected.

Fixed in build 0.163.
verified

```
[root@pulp-f15 ~]# rpm -q pulp
pulp-0.0.229-1.fc15.noarch
[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo create --id=pulp --feed=http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/ --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key
Successfully created repository [ pulp ]
[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                  pulp
Name                pulp
Feed URL            http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type           remote
Content Type        yum
Feed Certs          CA:No Cert:No
Consumer Certs      CA:Yes Cert:Yes
Architecture        noarch
Sync Schedule       None
Packages            0
Files               0
Distributions       None
Publish             True
Clones              []
Groups              None
Filters             []
Notes               {}

[root@pulp-f15 ~]# pulp-admin repo update --id=pulp --remove_consumer_cert
Successfully updated repository [ pulp ]
[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                  pulp
Name                pulp
Feed URL            http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type           remote
Content Type        yum
Feed Certs          CA:No Cert:No
Consumer Certs      CA:No Cert:No
Architecture        noarch
Sync Schedule       None
Packages            0
Files               0
Distributions       None
Publish             True
Clones              []
Groups              None
Filters             []
Notes               {}

[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key
Successfully updated repository [ pulp ]
[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                  pulp
Name                pulp
Feed URL            http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type           remote
Content Type        yum
Feed Certs          CA:No Cert:No
Consumer Certs      CA:Yes Cert:Yes
Architecture        noarch
Sync Schedule       None
Packages            0
Files               0
Distributions       None
Publish             True
Clones              []
Groups              None
Filters             []
Notes               {}

[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key
Successfully updated repository [ pulp ]
[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos
repos/pulp/pulp/fedora-14/x86_64,pulp
[root@pulp-f15 ~]#
[root@pulp-f15 ~]#
[root@pulp-f15 ~]#
[root@pulp-f15 ~]# pulp-admin repo update --id=pulp --remove_consumer_cert
Successfully updated repository [ pulp ]
[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos
[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key
Successfully updated repository [ pulp ]
[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos
repos/pulp/pulp/fedora-14/x86_64,pulp
```

Pulp v1.0 is released

Closed Current Release.
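The root cause described in this report is two sources of truth drifting apart: cert files left under the content directory while the repo's line is gone from pulp-protected-repos. The following consistency check is an added example, not Pulp code; it assumes one directory per repo id under the content directory (as with /etc/pki/content/f13) and the `relative_path,repo_id` line format shown in the `cat` output, and the cert file names in the sample tree are constructed.

```python
import os
import tempfile

LISTING_NAME = "pulp-protected-repos"  # file name as shown in the session above


def read_protected_ids(content_dir):
    """Repo ids listed in pulp-protected-repos (one "relative_path,repo_id" per line)."""
    path = os.path.join(content_dir, LISTING_NAME)
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        # The repo id is the last comma-separated field; skip blank lines.
        return {ln.strip().rpartition(",")[2] for ln in fh if ln.strip()}


def repos_with_cert_files(content_dir):
    """Repo ids whose directory under content_dir is non-empty (assumed layout)."""
    found = set()
    for entry in os.listdir(content_dir):
        repo_dir = os.path.join(content_dir, entry)
        if os.path.isdir(repo_dir) and os.listdir(repo_dir):
            found.add(entry)
    return found


def audit(content_dir):
    """Report where the cert directories and the protected listing disagree."""
    listed = read_protected_ids(content_dir)
    on_disk = repos_with_cert_files(content_dir)
    return {
        "certs_but_unprotected": sorted(on_disk - listed),  # the state in this bug
        "listed_but_no_certs": sorted(listed - on_disk),
        "consistent": sorted(listed & on_disk),
    }


def build_sample(root):
    """Constructed tree: f13 keeps stale certs with no listing entry; pulp is consistent."""
    for repo_id in ("f13", "pulp"):
        os.makedirs(os.path.join(root, repo_id))
        open(os.path.join(root, repo_id, "consumer-ca.crt"), "w").close()
    with open(os.path.join(root, LISTING_NAME), "w") as fh:
        fh.write("repos/pulp/pulp/fedora-14/x86_64,pulp\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Any id under `certs_but_unprotected` is a repo that reports consumer certs as present while auth applies no validation to it.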