Bug 736438

Summary: Admin owner can not access api/organizations/list_owners
Product: Red Hat Satellite
Reporter: Bryan Kearney <bkearney>
Component: API
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Jitendra Yejare <jyejare>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.0.0
CC: lzap, omaciel
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-22 17:56:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 747354

Description Bryan Kearney 2011-09-07 17:14:38 UTC
When attempting to register against katello, subscription manager is failing when trying to get the owners for the user. To reproduce, please do the following:

[root@bkearney src]# curl -k -u "admin:admin" https://10.11.230.185:3000/api/users/admin/owners
Errors::SecurityViolation: User admin is not allowed to access api/organizations/list_owners
/usr/share/katello/lib/authorization_rules.rb:30:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:442:in `_run__101499026__process_action__1803004532__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_1654'
/usr/share/katello/lib/util/threadsession.rb:77:in `thread_locals'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:219:in `_conditional_callback_around_1654'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:440:in `_run__101499026__process_action__1803004532__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:409:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:409:in `_run_process_action_callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:93:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:93:in `run_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/callbacks.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/instrumentation.rb:29:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/rescue.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/base.rb:119:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/rendering.rb:41:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal.rb:138:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal.rb:178:in `action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:62:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:62:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:27:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/route_set.rb:148:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:93:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:138:in `optimized_each'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:92:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/route_set.rb:139:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:492:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:35:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `catch'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `call'
/usr/lib/ruby/gems/1.8/gems/sass-3.1.4/lib/sass/../sass/plugin/rack.rb:54:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/head.rb:14:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/methodoverride.rb:24:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/params_parser.rb:21:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/flash.rb:182:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/session/abstract_store.rb:149:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/cookies.rb:302:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:32:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/connection_adapters/abstract/query_cache.rb:28:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:12:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:31:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/connection_adapters/abstract/connection_pool.rb:354:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/callbacks.rb:46:in `call'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:415:in `_run_call_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/callbacks.rb:44:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/sendfile.rb:105:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/remote_ip.rb:48:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/show_exceptions.rb:47:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/rack/logger.rb:13:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/runtime.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/cache/strategy/local_cache.rb:72:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/static.rb:30:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:168:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:77:in `send'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:77:in `method_missing'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/rack/log_tailer.rb:14:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/content_length.rb:13:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/handler/webrick.rb:48:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/handler/webrick.rb:14:in `run'
/usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/server.rb:155:in `start'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands/server.rb:65:in `start'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:30
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:27:in `tap'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:27
/usr/share/katello/script/rails:81:in `require'
[root@bkearney src]#

Comment 1 Lukas Zapletal 2011-09-08 07:29:24 UTC
Ok, I already fixed a quick workaround for a similar problem:

1634bdc 736384 - workaround for perm. denied for rhsm registration

but since this is a blocker I am going to provide a full solution. Taking.

Comment 2 Lukas Zapletal 2011-09-08 12:49:14 UTC
I wonder what the permission should look like.

RHSM is requesting the list of owners for a given user1, but it is authorized as user2. So I am assuming the following:

a) user1 = user2
b) user1/2 can register system

I am going to implement both of these permission rules and correct the behavior.

Comment 3 Lukas Zapletal 2011-09-08 17:01:40 UTC
6f6160e 736438 - implement permission check for list_owners

The code now checks if the user is the authenticated user. If not, access is denied.
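As an added illustration of the check described in this comment (example code, not Katello's own authorization_rules.rb; the User struct, the RULES table and the authorized? function are hypothetical names), a minimal Ruby model of a fail-closed rule table carrying the list_owners rule:

```ruby
# Added example, not Katello code: a minimal model of the permission
# check for list_owners described in this bug. User, RULES and
# authorized? are hypothetical names chosen for the illustration.
require 'set'

# A logged-in user; `permissions` is a Set of verbs, unused by the rule
# below but kept so other rules in the table could consult it.
User = Struct.new(:username, :permissions)

# The list_owners rule from Comment 3: the requested user (taken from the
# URL, /api/users/:username/owners) must be the authenticated user.
LIST_OWNERS_RULE = lambda do |current_user, params|
  current_user.username == params[:username]
end

# Rule table keyed by "controller/action". Only users/list_owners has a
# rule; the old organizations/list_owners route is deliberately absent.
RULES = { 'users/list_owners' => LIST_OWNERS_RULE }.freeze

# Fail closed: an action with no rule is denied for everyone, which is
# the behaviour the reporter saw (admin refused on the old route) and
# the reason the fix both moves the action and adds its rule.
def authorized?(controller, action, current_user, params = {})
  rule = RULES["#{controller}/#{action}"]
  return false if rule.nil? || current_user.nil?
  rule.call(current_user, params) ? true : false
end

# Constructed sample users for a stand-alone run.
ADMIN = User.new('admin', Set[:register_system])
GUEST = User.new('guest', Set[])

if __FILE__ == $PROGRAM_NAME
  [['organizations', ADMIN, 'admin'],   # old route, no rule -> denied
   ['users',         ADMIN, 'admin'],   # own owners          -> allowed
   ['users',         GUEST, 'admin']].each do |ctrl, user, target|
    puts "#{ctrl}/list_owners #{user.username} -> #{target}: " \
         "#{authorized?(ctrl, 'list_owners', user, { username: target })}"
  end
end
```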

Comment 4 Lukas Zapletal 2011-09-08 17:02:00 UTC
TODO: unit test

Comment 5 Bryan Kearney 2011-09-09 16:56:00 UTC
I still get this with katello-0.1.79-1.git.0.ff7921a.fc15.noarch
katello-cli-0.1.10-1.git.43.3d76463.fc15.noarch

Comment 6 Lukas Zapletal 2011-09-12 06:41:34 UTC
@Bryan - Sorry, I fixed it last week but forgot to do the push. I did it, but it failed...

bed93c3 736438 - implement permission check for list_owners
311bf3b 736438 - move list_owners from orgs to users controller

Pushed.

Comment 7 Og Maciel 2012-01-24 15:40:23 UTC
# curl -k -u "admin:admin" https://rhel61-server.usersys.redhat.com/katello/api/users/admin/owners
[{"displayName":"ACME_Corporation","key":"ACME_Corporation"},{"displayName":"NY Data Center","key":"NY_Data_Center"}]

# curl -k -u "admin:admin" https://rhel61-server.ghffusersys.redhat.com/katello/api/users/admin/owners
curl: (6) Couldn't resolve host 'rhel61-server.ghffusersys.redhat.com'

# curl -k -u "admin:adminn" https://rhel61-server.redhat.com/katello/api/users/admin/owners
curl: (6) Couldn't resolve host 'rhel61-server.redhat.com'

Comment 8 Og Maciel 2012-01-24 15:47:50 UTC
# curl -k -u "admin:adminn" https://rhel61-server.usersys.redhat.com/katello/api/users/admin/owners
{"errors":["Invalid credentials"],"displayMessage":"Invalid credentials"}

Comment 9 Og Maciel 2012-01-24 15:48:13 UTC
Verified on Katello Version: 0.1.194-1.el6