Bug 809259
| Field | Value |
|---|---|
| Summary | System not registering with activation key. |
| Product | Red Hat Satellite |
| Component | Content Management |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Version | 6.0.1 |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Steve Reichard <sreichar> |
| Assignee | Brad Buckingham <bbuckingham> |
| QA Contact | Kedar Bidarkar <kbidarka> |
| CC | achan, asettle, cpelland, dmacpher, jliberma, jrist, lzap, omaciel, scollier |
| Keywords | Triaged |
| Doc Type | Bug Fix |
| Doc Text | A permission issue occurred when a user with correct read-only permissions fetched the list of activation keys using the command line interface. The API was not granting the user access to read the list of keys. This fix restores the correct access rights to the user to read the list. |
| Last Closed | 2012-12-04 19:44:24 UTC |

Description
Steve Reichard
2012-04-02 21:28:04 UTC
Created attachment 574638: keys permissions screen shot
Created attachment 574639: client logs
Created attachment 574640: katello debug

Since I wasn't sure which user made the key, I went back in as sadev and made a new key. An attempted registration with this new key yielded the same result.

It looks like there could be 2 issues here:

1. The permissions model for listing activation keys using the CLI is not working properly. I was able to recreate the same error mentioned above using an 'sadev' user that has permissions to only activation keys. E.g.

```
katello> activation_key list --org ACME_Corporation
User sadev is not allowed to access api/organizations/show
```

2. Error in the ability to register a client using an activation key. Reported above with behavior like:

```
# subscription-manager register --force --org=refarch --activationkey=dev-use-case
Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'.
```

Unfortunately, I have not been able to repro #2. For example, using an activation key created by sadev, I was able to register a client:

```
# subscription-manager register --org ACME_Corporation --activationkey sadevkey
The system has been registered with id: f90d8e1b-af1e-4b7b-921a-063a0c372754
```

It is possible that the second problem has already been solved. Kedar, are you able to reproduce the registration error?

Was away for RHCE training. Brad, I agree with you that issue 1) persists and issue 2) looks already solved now.

For activation keys the verbs are (+all). For all the other Permissions the verbs selected are only Administer and Read.

```
[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
User sa_dev is not allowed to access api/activation_keys/index
[root@dhcp201-200 ~]# katello -u admin -p admin user list_roles --username=sa_dev
--------------------------------------------------------------------------------
User Role List
Id  Name
--------------------------------------------------------------------------------
7   sa_common_role
9   sa_dev_role
14  sa_sysadm_role
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_sysadm_role
--------------------------------------------------------------------------------
User Role Information
--------------------------------------------------------------------------------
Id: 14
Name: sa_sysadm_role
Description:
Permissions: sa-org sa-prov sa-filt sa-temp sa-read_all-env_all sa-keys
Ldap Groups:
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_dev_role
---------------------------------------------------------------------------------------------------------------------------------
User Role Information
---------------------------------------------------------------------------------------------------------------------------------
Id: 9
Name: sa_dev_role
Description: None
Permissions: sa_dev_libenv_read sa_dev_perm
Ldap Groups:
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_common_role
---------------------------------------------------------------------------------------------------------------------------------
User Role Information
---------------------------------------------------------------------------------------------------------------------------------
Id: 7
Name: sa_common_role
Description: None
Permissions: sa_common_template sa_common_provider sa_common_org sa_common_actkey sa_common_filter
Ldap Groups:
```

But on the client side, it does get registered now.

```
[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey sa_dev_163_activation_keys
The system has been registered with id: f475be2d-fb81-4250-b3a3-f9864c6589bd
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management.
redhat_CFSE_cfse_repo                 | 2.3 kB 00:00
redhat_CFSE_cfse_repo/primary_db      | 102 kB 00:00
rhel-6-server-cf-tools-1-rpms         | 2.8 kB 00:00
rhel-6-server-rpms                    | 3.8 kB 00:00
repo id                        repo name                                        status
epel                           Extra Packages for Enterprise Linux 6 - x86_64   7,765
katello-client                 Katello client tools                             1
redhat_CFSE_cfse_repo          cfse_repo                                        281
rhel-6-server-cf-tools-1-rpms  Red Hat CloudForms Tools for RHEL 6 (RPMs)       26
rhel-6-server-rpms             Red Hat Enterprise Linux 6 Server (RPMs)         8,436
repolist: 16,509
```

```
[root@dhcp201-200 ~]# rpm -qav | grep -i katello
katello-glue-foreman-1.1.10-1.git.31.2fb829c.el6.noarch
katello-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-1.1.6-1.el6.noarch
katello-glue-candlepin-1.1.10-1.git.31.2fb829c.el6.noarch
katello-common-1.1.10-1.git.31.2fb829c.el6.noarch
katello-certs-tools-1.1.8-1.el6.noarch
katello-selinux-1.1.1-1.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-configure-1.1.8-1.git.14.2d383ea.el6.noarch
katello-glue-pulp-1.1.10-1.git.31.2fb829c.el6.noarch
katello-all-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-repos-1.1.2-1.el6.noarch
katello-cli-common-1.1.6-1.el6.noarch
```

katello pull request: https://github.com/Katello/katello/pull/623

katello commits:
https://github.com/Katello/katello/commit/5a7461ea93c09e5d8982a286b73b77b570ac6605
https://github.com/Katello/katello/commit/b182a8113d402331f5da54230144815bb188c783
https://github.com/Katello/katello/commit/ef84bebb45810cce5a24685705b1f899cd1568fe

The above commits fix the permissions issue that was mentioned as item 1 in comment #6 above. We were not able to reproduce item 2; therefore, moving this BZ to 'on_dev'.

Now a user with a role which has permissions to administer activation keys can successfully list the activation keys.

```
[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
--------------------------------------------------------------------------------
Activation Key List
Id  Name         Description  Usage  Environment Id  System Template Id
--------------------------------------------------------------------------------
1   act_163_key  None         0      3               4
```

Was also able to successfully register systems with an activation key.

```
[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey act_163_key
The system has been registered with id: 6bc508da-3d36-4b98-b1b4-c3617234349b
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms         | 2.8 kB 00:00
rhel-6-server-rpms                    | 3.8 kB 00:00
rhel-6-server-rpms/primary_db         | 15 MB 00:00
repo id                        repo name                                        status
*epel                          Extra Packages for Enterprise Linux 6 - x86_64   7,775
katello-client                 Katello client tools                             1
rhel-6-server-cf-tools-1-rpms  Red Hat CloudForms Tools for RHEL 6 (RPMs)       26
rhel-6-server-rpms             Red Hat Enterprise Linux 6 Server (RPMs)         8,479
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

getting rid of 6.0.0 version since that doesn't exist
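
An added example, not part of the bug report or the Katello code base: a check that scans CLI transcripts for the "is not allowed to access" denials quoted above and separates authorization regressions (a role that should reach the endpoint is denied, as in this bug) from denials that are expected. The `EXPECTED_ALLOWED` table and the `api/users/destroy` line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Denial format as printed by the katello CLI in this report.
DENIAL = re.compile(
    r"User (?P<user>\S+) is not allowed to access (?P<endpoint>api/\S+)"
)

# ASSUMPTION (constructed): endpoints each user's roles are meant to reach.
# In practice this would be derived from the role and permission definitions.
EXPECTED_ALLOWED = {
    "sadev": {"api/organizations/show", "api/activation_keys/index"},
    "sa_dev": {"api/activation_keys/index"},
}

# Sample transcript: the first two denials are quoted from the report,
# the last line is constructed to show an expected denial.
SAMPLE = """\
katello> activation_key list --org ACME_Corporation
User sadev is not allowed to access api/organizations/show
[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
User sa_dev is not allowed to access api/activation_keys/index
User sa_dev is not allowed to access api/users/destroy
"""


def classify_denials(transcript, expected_allowed):
    """Return {'regression': {user: [endpoints]}, 'expected': {...}}."""
    result = {"regression": defaultdict(set), "expected": defaultdict(set)}
    for line in transcript.splitlines():
        match = DENIAL.search(line)
        if not match:
            continue  # prompts, commands and normal output are ignored
        user, endpoint = match["user"], match["endpoint"]
        # A denial on an endpoint the user should reach is a regression.
        allowed = expected_allowed.get(user, set())
        kind = "regression" if endpoint in allowed else "expected"
        result[kind][user].add(endpoint)
    return {
        kind: {user: sorted(eps) for user, eps in users.items()}
        for kind, users in result.items()
    }


if __name__ == "__main__":
    report = classify_denials(SAMPLE, EXPECTED_ALLOWED)
    for kind, users in report.items():
        for user, endpoints in users.items():
            print(f"{kind:10} {user:8} {', '.join(endpoints)}")
```
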