Bug 719348

Summary: RHUI Installer needs to disable the kickstart httpd directive
Product: Red Hat Update Infrastructure for Cloud Providers Reporter: Jay Dobies <jason.dobies>
Component: Tools Assignee: Jay Dobies <jason.dobies>
Status: CLOSED CURRENTRELEASE QA Contact: wes hayutin <whayutin>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.0 CC: kbidarka, sghai, tsanders
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2012-05-31 12:57:11 UTC Type: ---

Description Jay Dobies 2011-07-06 14:41:55 UTC
Pulp exposes any repo with a kickstart tree over HTTP due to limitations in anaconda. This causes a problem for RHUI since all accesses need to be done through authenticated HTTPS.

The easiest way to get around this for RHUI is to have the installer disable the HTTP serving of any repositories, which is done by removing the directive for the /ks directory.

Comment 1 Jay Dobies 2011-07-06 15:11:48 UTC
Note that this only affects the RHUA (Pulp server). The CDS instance HTTP configuration does not expose anything over HTTP. However, this wouldn't prevent clients from going to the RHUA directly to access content (it's not simple, but still a security risk nonetheless).

Comment 2 Jay Dobies 2011-07-06 15:17:26 UTC
commit 87a42cbd7815b25606febcf3682ac14cefb12981
Author: Jay Dobies <jason.dobies>
Date:   Wed Jul 6 11:14:34 2011 -0400

    719348 - Remove the kickstart directive entirely in the RHUA
    installation to prevent repositories with kickstart trees from being
    exposed over HTTP and thus not held to authentication requirements

rhui-2.0/tools/etc/rhui/templates/rh-rhua-config.spec



To verify:
- Sync a repository that has a kickstart tree (e.g. RHEL base channel)
- Attempt to access the repository on the RHUA directly over HTTP (which also implies not using an entitlement certificate); it shouldn't work

You might also want to just verify that repos aren't accessible over HTTP on the CDS, though I think you've already tested that.

Comment 3 Jay Dobies 2011-07-07 18:40:52 UTC
Fixed in 2.0.35.

Note that the fix occurs in the RHUA configuration, so you'll have to generate a new RHUA config RPM from this version of RHUI Tools and install that.

Comment 5 Kedar Bidarkar 2011-07-13 12:38:37 UTC
My accessing it via a browser was a bad idea.

Checked by adding the line below in rh-cloud.repo, without entitlement certs.

baseurl=http://dhcp201-137.englab.pnq.redhat.com/pulp/ks/content/dist/rhel/rhui/server-6/releases/$releasever/$basearch/os

The conf file no longer has the ks directive, and we cannot access the repos with the above URL.
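
An added example, not part of the bug report or of RHUI Tools: a static check that complements the HTTP access test in Comments 2 and 5 by flagging any Alias under /pulp/ks that is not confined to a TLS virtual host. The sample configurations, the Alias target paths and the function name are assumptions; only the /pulp/ks URL prefix comes from the report.

```python
import re

# Constructed httpd fragments; the Alias target paths are assumptions,
# only the /pulp/ks URL prefix comes from the bug report.
BEFORE_FIX = """\
# plain-HTTP kickstart tree (constructed)
Alias /pulp/ks /var/lib/pulp/published/ks
<VirtualHost *:443>
    SSLEngine on
    Alias /pulp/repos /var/lib/pulp/published/repos
</VirtualHost>
"""
AFTER_FIX = """\
# Alias /pulp/ks /var/lib/pulp/published/ks
<VirtualHost *:443>
    SSLEngine on
    Alias /pulp/repos /var/lib/pulp/published/repos
</VirtualHost>
"""

ALIAS = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

def http_exposed_aliases(conf_text, prefix="/pulp/ks"):
    """Return [(line_no, url_path)] for Alias directives under `prefix`
    that are not confined to a VirtualHost with SSLEngine on."""
    findings, pending, in_vhost, ssl = [], [], False, False
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inert
        if VHOST_OPEN.match(line):
            in_vhost, ssl, pending = True, False, []
        elif VHOST_CLOSE.match(line):
            if not ssl:
                findings.extend(pending)  # vhost served without TLS
            in_vhost = False
        elif SSL_ON.match(line):
            ssl = True  # reset at the next <VirtualHost> opening
        else:
            m = ALIAS.match(line)
            if m and (m.group(1) == prefix or m.group(1).startswith(prefix + "/")):
                # Top-level aliases are inherited by every vhost, HTTP included.
                (pending if in_vhost else findings).append((no, m.group(1)))
    return sorted(findings)
```

A non-empty result means the kickstart tree can still be reached without TLS or an entitlement certificate; the check assumes the server also listens on plain HTTP and does not follow Include directives.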

Comment 6 wes hayutin 2011-08-01 21:40:33 UTC
moving to release pending

Comment 7 wes hayutin 2012-05-31 12:57:11 UTC
closing out, product released