Bug 784638

Summary:	Authorization HTTP param in the whole httpd context
Product:	[Retired] Pulp	Reporter:	Lukas Zapletal <lzap>
Component:	user-experience	Assignee:	James Slagle <jslagle>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Preethi Thomas <pthomas>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	unspecified	CC:	inecas, skarmark
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-02-24 20:12:27 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Lukas Zapletal 2012-01-25 16:23:40 UTC

Hello,

in the pulp.conf configuration file there is the following line:

RequestHeader append Authorization "Basic" early

It's a workaround for Pulp when Authorization is missing for yum, as I have been told. Unfortunately this breaks other applications (e.g. Katello) which are deployed on the same httpd server.

For our CLI and RHSM we also use HTTP AUTH BASIC, so this configuration changes our data to this:

Authorization: Basic Qmxvb21iZXJnOnRjbG1lU1JT, Basic

(more about it in https://bugzilla.redhat.com/show_bug.cgi?id=766906)

The Rails3 stack is not able to parse this because of the ", Basic" suffix for some username/password lengths thank to the Base64 padding. It simply does not authenticate for some combinations. It looks like this is against RFC HTTP specification as not all headers can be concatenated with comma, but I did not find particular paragraph.

The purpose of this BZ is to change this configuration to be effective only in the Pulp context, and not the others. According to the mod_headers documentation (http://httpd.apache.org/docs/2.0/mod/mod_headers.html) either <Location> or <Directory> could be used for that.

If this is not possible we need to solve this differently. If this does break RFC, Rails3 won't change the parser for us and we need to implement a workaround for the Katello Rails3 code, but this could possibly change behavior of any app deployed on the same httpd that makes use of HTTP AUTH BASIC. And it's difficult to track.

This is a blocker bug for Katello since our users are not able to use some username/password combination with RHSM and katello CLI.

Comment 1 James Slagle 2012-01-26 01:33:49 UTC

Looks like we might not need the RequestHeader line at all anymore.  Still need to test on RHEL 5 tomorrow before committing.

Comment 2 James Slagle 2012-02-01 20:44:57 UTC

This has been fixed by switching to WSGIAccessScript instead of WSGIAuthUserScript.  This required a patch to mod_wsgi which we are now carrying to reorder the mod_ssl apache hook that exports the variable for the client certificate before a WSGIAccessScript runs.

pulp commit:
e33759822373cc48d974383710cea44b45c23cd2

new mod_wsgi build will be mod_wsgi-3.3-3.pulp

Comment 3 James Slagle 2012-02-01 20:46:20 UTC

QA: verify repo auth is working as expected.  I would test an unprotected repo, and a protected repo.  When testing a protected repo, test with a correct certificate, incorrect certificate, and no certificate and verify the desired result.

Comment 4 James Slagle 2012-02-01 20:46:53 UTC

I also put together a wiki page that has more detail about this issue:
https://fedorahosted.org/pulp/wiki/ModWsgiRepoAuth

Comment 5 Jeff Ortel 2012-02-01 21:35:22 UTC

build: 0.264

Comment 6 Lukas Zapletal 2012-02-02 13:02:32 UTC

Hey,

pulp-0.0.264-1.fc16.noarch is not authorizing my consumer anymore. Not sure if this is anyhow related. Fedora 15.

Comment 7 Lukas Zapletal 2012-02-02 13:23:41 UTC

Oh this is not related. Okay.

Comment 8 Ivan Necas 2012-02-03 12:32:17 UTC

Updating to 0.264 is causing problems accessing Pulp repo using Cp entitlements certificates for me as well. I'm getting 401. It even returns 401 when enabled is false in repo_auth.conf

Comment 9 Ivan Necas 2012-02-03 12:45:26 UTC

For some reason, updating from 263 didn't update my /etc/httpd/conf.d/pulp.conf, I've used fresh intallation, after that I'm able to access files with disable authorization, but with enabled, I'm getting 403 now with entitlement cert.

Comment 10 Ivan Necas 2012-02-03 13:42:04 UTC

It looks like environ["mod_ssl.var_lookup"]("SSL_CLIENT_CERT") not containing the provided client certificate

Comment 11 Ivan Necas 2012-02-03 13:52:16 UTC

So the problem is in package dependencies: updating to pulp-0.0.264 doesn't update mod_wsgi, updating package requirements to mod_wsgi-3.3-3.pulp should fix this problem.

Comment 12 James Slagle 2012-02-03 16:52:03 UTC

I updated the requirement in pulp.spec

committed to pulp: 488016ad0808f10177f753c394f6fdfdbe5f2744

Comment 13 Jeff Ortel 2012-02-06 22:22:58 UTC

build: 0.265

Comment 14 Preethi Thomas 2012-02-22 16:00:28 UTC

verified
[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

[root@preethi-el6-pulp ~]# yum repolist
Loaded plugins: product-id, pulp-profile-update, security, subscription-manager
Updating certificate-based repositories.
pulp_f15_x86_64                                          | 2.9 kB     00:00     
pulp_f15_x86_64/primary_db                               |  11 kB     00:00     
rhel6                                                    | 4.0 kB     00:00     
rhel6/primary_db                                         | 3.1 MB     00:02     
rhel6_2                                                  | 3.7 kB     00:00     
rhel6_2/primary_db                                       |  11 MB     00:03     
repo id             repo name                                            
status
epel                Extra Packages for Enterprise Linux 6 - x86_64        6,991
pulp-v1-testing     Pulp v1 Testing                                          20
pulp_f15_x86_64     pulp_f15_x86_64                                          20
rhel6               Red Hat Enterprise Linux 6Server - x86_64 - RHEL6     3,529
rhel6_2             rhel6_2                                               6,862
repolist: 17,422
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/
epel.repo          pulp.repo          rhel-pulp.repo     rhel-source.repo
epel-testing.repo  redhat.repo        rhel-pulp.repo.1   
[root@preethi-el6-pulp ~]# cat /etc/yum.repos.d/pulp.repo 
#
# Pulp Repositories
# Managed by Pulp client
#

[rhel6_2]
name = rhel6_2
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl =
https://preethi.usersys.redhat.com/pulp/repos/content/dist/rhel/rhui/server/6/6Server/x86_64/os

[pulp_f15_x86_64]
name = pulp_f15_x86_64
enabled = 1
sslverify = 1
gpgcheck = 0
sslcacert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/ca.crt
sslclientcert = /etc/pki/pulp/client/repo/pulp_f15_x86_64/client.crt
baseurl =
https://preethi.usersys.redhat.com/pulp/repos/repos/pulp/pulp/v1/testing/fedora-15/x86_64[root@preethi-el6-pulp
~]#

Comment 15 Preethi Thomas 2012-02-24 20:12:27 UTC

Pulp v1.0 is released
Closed Current Release.