| Summary: | All newly created repos are incorrectly being flagged as protected | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Jay Dobies <jason.dobies> |
| Component: | user-experience | Assignee: | Pradeep Kilambi <pkilambi> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.0.0 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
The change in the CLI looks to have occurred on 5/17/11:
    consumer_cert_data = {"ca": cons_cacert_tmp,
                          "cert": cons_cert_tmp,
                          "key": cons_key_tmp}
It's building the dictionary regardless of whether or not the consumer certificate was passed in.
This was probably not noticed since by default repo auth is disabled. I suspect if repo auth was turned on, we'd lose the ability to create an unprotected repository.
commit 8706abf59c52047ce9bd7cf87eb7b899890aa76a
Author: Jay Dobies <jason.dobies>
Date: Tue Dec 6 16:27:58 2011 -0500
760745 - The CLI should pass None for consumer client bundle if no
entries are present.
src/pulp/client/admin/plugins/repo.py
build: 0.255

    [root@pulp-f16 ~]# rpm -q pulp
    pulp-0.0.255-1.fc16.noarch
    [root@pulp-f16 ~]#
    [root@pulp-f16 ~]# pulp-admin -u admin -p admin repo create --preserve_metadata --id=protected_test_repo --feed=https://cdn.redhat.com/content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os --consumer_ca=/root/cdn_certs/rhui-rhqe/cdn.redhat.com-chain.crt --consumer_cert=/root/cdn_certs/rhui-rhqe/rhui-rhqe-20110803.crt --consumer_key=/root/cdn_certs/rhui-rhqe/rhui-rhqe-20110803.key
    Successfully created repository [ protected_test_repo ]
    [root@pulp-f16 ~]# cat /etc/pki/content/pulp-protected-repos
    content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os,protected_test_repo
    [root@pulp-f16 ~]#
    [root@pulp-f16 ~]#
    [root@pulp-f16 ~]#
    [root@pulp-f16 ~]# pulp-admin repo create --id=test --feed=http://10.16.76.78/pub/updates/ --relativepath=test
    Successfully created repository [ test ]
    [root@pulp-f16 ~]# cat /etc/pki/content/pulp-protected-repos
    content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os,protected_test_repo

Pulp v1.0 is released

Closed Current Release. Pulp v1.0 is released.
Not sure when this changed. The /etc/pki/content/pulp-protected-repos file contains a list of all relative paths that are protected. This will only get written if consumer cert data is passed in. The code is at api/repo.py line 276:

    if consumer_cert_data:
        # consolidate key & certificate
        self._consolidate_bundle(consumer_cert_data)
        # store certificates
        consumer_cert_files = repo_cert_utils.write_consumer_cert_bundle(id, consumer_cert_data)
        r['consumer_ca'] = consumer_cert_files['ca']
        r['consumer_cert'] = consumer_cert_files['cert']
        protected_repo_utils.add_protected_repo(r['relative_path'], id)

At some point, the change was made that instead of consumer cert data being None from the client, it's being a dict that references each potential piece of data as None:

    {'ca': None, 'cert': None, 'key': None}

That's causing Pulp to mark the repository as protected.
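
The truthiness pitfall described in this report, as an added example that is not Pulp's own code: a dict whose values are all None is still truthy, so a bare `if consumer_cert_data:` marks the repo as protected. The function names below are hypothetical; the client-side function mirrors the behaviour stated in the commit message (pass None when no entries are present), and the server-side check is an assumed defensive variant.

```python
# Added illustration; function names are hypothetical, not Pulp's API.

BUNDLE_KEYS = ("ca", "cert", "key")


def naive_is_protected(consumer_cert_data):
    """The check as it behaves in the report: truthiness of the dict itself."""
    return bool(consumer_cert_data)


def build_consumer_cert_data(ca=None, cert=None, key=None):
    """Client side: return None when no bundle entry was supplied.

    Follows the commit message: the CLI passes None instead of a dict
    whose values are all None.
    """
    bundle = {"ca": ca, "cert": cert, "key": key}
    if all(value is None for value in bundle.values()):
        return None
    return bundle


def is_protected(consumer_cert_data):
    """Server side, defensive: protect only if some entry carries data.

    A non-empty dict is truthy regardless of its values, so the values
    themselves have to be inspected.
    """
    if not consumer_cert_data:
        return False
    return any(consumer_cert_data.get(k) for k in BUNDLE_KEYS)


if __name__ == "__main__":
    # Constructed sample: what the CLI sent when no cert options were given.
    empty_bundle = {"ca": None, "cert": None, "key": None}
    print("naive check on empty bundle:", naive_is_protected(empty_bundle))
    print("value-aware check:", is_protected(empty_bundle))
    print("normalized by client:", build_consumer_cert_data())
```
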