Bug 772660

Summary: Client cert authentication on repo access - KeyError: 'mod_ssl.var_lookup' - Fedora 16
Product: [Retired] Pulp
Reporter: Ivan Necas <inecas>
Component: user-experience
Assignee: James Slagle <jslagle>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: urgent
Priority: high
Version: 1.0.0
CC: lzap, omaciel, skarmark
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix

Description Ivan Necas 2012-01-09 14:55:58 UTC
Description of problem:
When trying to access a protected repository using a client certificate, the authentication fails.

Version-Release number of selected component (if applicable):
pulp-0.0.256-1.f16
mod_wsgi-3.3-1.fc16

How reproducible:
Very

Steps to Reproduce:
1. set up repos to be protected
2. generate a client certificate to access the repo
3. try accessing repo using that certificate
  
Actual results:
401 - Authorization Required

In log:
[Mon Jan 09 15:37:27 2012] [error] [client ::1] mod_wsgi (pid=8105): Exception occurred processing WSGI script '/srv/pulp/repo_auth.wsgi'.
[Mon Jan 09 15:37:27 2012] [error] [client ::1] Traceback (most recent call last):
[Mon Jan 09 15:37:27 2012] [error] [client ::1]   File "/srv/pulp/repo_auth.wsgi", line 34, in check_password
[Mon Jan 09 15:37:27 2012] [error] [client ::1]     authorized = _handle(environ)
[Mon Jan 09 15:37:27 2012] [error] [client ::1]   File "/srv/pulp/repo_auth.wsgi", line 71, in _handle
[Mon Jan 09 15:37:27 2012] [error] [client ::1]     result = f(environ)
[Mon Jan 09 15:37:27 2012] [error] [client ::1]   File "/usr/lib/python2.7/site-packages/pulp/repo_auth/oid_validation.py", line 54, in authenticate
[Mon Jan 09 15:37:27 2012] [error] [client ::1]     cert_pem = environ["mod_ssl.var_lookup"]("SSL_CLIENT_CERT")
[Mon Jan 09 15:37:27 2012] [error] [client ::1] KeyError: 'mod_ssl.var_lookup'

Expected results:
200

Additional info:

Works with mod_wsgi-3.2-6.pulp; it seems the newer version of mod_wsgi in the Fedora 16 repo prevents using the version of mod_wsgi in the pulp repo.

Comment 1 Ivan Necas 2012-01-09 14:58:13 UTC
It breaks basic functionality for Katello on F16.

Comment 2 James Slagle 2012-01-17 16:06:08 UTC
Fixed in commit 00673c96b1c10585f585783b1b284b2865e77cfa to pulp.  Bumped our build of mod_wsgi to 3.3.  Removed our patch that we were carrying for the KeyError on httpd shutdown since that's now included in mod_wsgi.

Comment 3 Jeff Ortel 2012-01-21 00:23:03 UTC
build: 0.259

Comment 4 Lukas Zapletal 2012-01-23 12:50:17 UTC
Guys,

the pulp-testing repo has a smaller version:

http://repos.fedorapeople.org/repos/pulp/pulp/testing/6Server/x86_64/

leading to:

Error: Package: pulp-0.0.259-1.el6.noarch (pulp-testing)
           Requires: mod_wsgi >= 3.3-1.pulp.el6
           Available: mod_wsgi-3.2-1.el6.x86_64 (rhel-x86_64-server-6.1.z)
               mod_wsgi = 3.2-1.el6
           Available: mod_wsgi-3.2-6.pulp.el6.x86_64 (pulp-testing)
               mod_wsgi = 3.2-6.pulp.el6

This blocks katello installer. Please distribute the correct version there (and in the stable later on too). Thanks!

Comment 5 Lukas Zapletal 2012-01-23 12:56:23 UTC
Fedora 15 fails too for the very same reason. Severity urgent - cannot install Katello.

Comment 6 Lukas Zapletal 2012-01-23 13:20:43 UTC
So it is in F16 updates, but not in F15 updates. Katello supports two Fedora versions back. James, would you mind cherry-picking the change into F15 as well?

http://koji.fedoraproject.org/koji/packageinfo?packageID=5541

For now I created a scratch build for F15:

http://koji.fedoraproject.org/koji/taskinfo?taskID=3724750

Comment 7 Lukas Zapletal 2012-01-23 13:28:26 UTC
Hmmm, adding the updated version in Fedora did not help:

Error: Package: pulp-0.0.259-1.fc15.noarch (pulp-testing)
           Requires: mod_wsgi >= 3.3-1.pulp.fc15
           Available: mod_wsgi-3.2-3.fc15.x86_64 (fedora-local)
               mod_wsgi = 3.2-3.fc15
           Available: mod_wsgi-3.2-6.pulp.fc15.x86_64 (pulp)
               mod_wsgi = 3.2-6.pulp.fc15
           Available: mod_wsgi-3.3-1.fc15.x86_64 (fedora-updates-local)
               mod_wsgi = 3.3-1.fc15

The issue is the "pulp" disttag. Will need to wait for James.
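
Why the "pulp" disttag blocks the install in the error above, shown as an added example that is not part of the original comment or of Pulp's or rpm's code: a simplified Python reimplementation of rpm's segment-wise version comparison, applied to the version-release strings from the yum output. It assumes no epoch and no `~` or `^` handling; the function names are hypothetical.

```python
import re

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does."""
    if a == b:
        return 0
    while a or b:
        # Anything non-alphanumeric only separates segments.
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        # Next segment is all digits or all letters; the type is chosen by a.
        numeric = a[0].isdigit()
        pattern = r"^[0-9]+" if numeric else r"^[A-Za-z]+"
        seg_a = re.match(pattern, a).group(0)
        m = re.match(pattern, b)
        if m is None:
            # Types differ: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        seg_b = m.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return 1 if a else -1  # whichever string has segments left is newer

def compare_vr(a, b):
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def satisfying(required, available):
    """Return the available builds that meet 'Requires: pkg >= required'."""
    return [vr for vr in available if compare_vr(vr, required) >= 0]

# Values taken from the yum error in the comment above.
REQUIRED = "3.3-1.pulp.fc15"
AVAILABLE = ["3.2-3.fc15", "3.2-6.pulp.fc15", "3.3-1.fc15"]

if __name__ == "__main__":
    for vr in AVAILABLE:
        print(vr, "vs", REQUIRED, "->", compare_vr(vr, REQUIRED))
    print("satisfying builds:", satisfying(REQUIRED, AVAILABLE))
```

In the release field, `1.fc15` and `1.pulp.fc15` tie on the leading `1`, then the alphabetic segment `fc` sorts before `pulp`, so the stock Fedora 3.3 build compares as older than the required Pulp build.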

Comment 8 Og Maciel 2012-01-23 13:57:53 UTC
fwiw this is what I saw this morning when installing on rhel61:

Error: Package: pulp-0.0.260-1.el6.noarch (pulp-testing)
           Requires: mod_wsgi >= 3.3-1.pulp.el6
           Available: mod_wsgi-3.2-1.el6.x86_64 (rhel-6-server-rpms)
               mod_wsgi = 3.2-1.el6
           Available: mod_wsgi-3.2-6.pulp.el6.x86_64 (pulp)
               mod_wsgi = 3.2-6.pulp.el6

Comment 9 James Slagle 2012-01-23 14:58:38 UTC
The latest mod_wsgi build didn't get tagged before Friday's QE build. I tagged and redid the QE build (there were no other changes between Friday and this morning). It's fixed and built in the pulp test repos.

Comment 10 Preethi Thomas 2012-02-22 17:08:55 UTC
verified
[root@preethi-el6-pulp ~]# pulp-consumer -u admin -p admin consumer bind --repoid=pulp_f15_x86_64
Successfully subscribed consumer [client1] to repo [pulp_f15_x86_64]

[root@preethi-el6-pulp ~]# yum repolist
Loaded plugins: product-id, pulp-profile-update, security, subscription-manager
Updating certificate-based repositories.
pulp_f15_x86_64                                          | 2.9 kB     00:00     
pulp_f15_x86_64/primary_db                               |  11 kB     00:00     
rhel6                                                    | 4.0 kB     00:00     
rhel6/primary_db                                         | 3.1 MB     00:02     
rhel6_2                                                  | 3.7 kB     00:00     
rhel6_2/primary_db                                       |  11 MB     00:03     
repo id             repo name                                             status
epel                Extra Packages for Enterprise Linux 6 - x86_64        6,991
pulp-v1-testing     Pulp v1 Testing                                          20
pulp_f15_x86_64     pulp_f15_x86_64                                          20
rhel6               Red Hat Enterprise Linux 6Server - x86_64 - RHEL6     3,529
rhel6_2             rhel6_2                                               6,862
repolist: 17,422
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/
epel.repo          pulp.repo          rhel-pulp.repo     rhel-source.repo
epel-testing.repo  redhat.repo        rhel-pulp.repo.1   
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/pulp.repo 
#
# Pulp Repositories
# Managed by Pulp client
#

[rhel6_2]
name = rhel6_2
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://preethi.usersys.redhat.com/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/os

[pulp_f15_x86_64]
name = pulp_f15_x86_64
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/client.crt
baseurl = https://preethi.usersys.redhat.com/pulp/repos/repos/pulp/pulp/v1/testing/fedora-15/x86_64
[root@preethi-el6-pulp ~]#

Comment 11 Preethi Thomas 2012-02-24 20:18:45 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 12 Preethi Thomas 2012-02-24 20:19:37 UTC
Pulp v1.0 is released.