Bug 809259
| Summary: | System not registering with activation key. |
|---|---|
| Product: | Red Hat Satellite |
| Component: | Content Management |
| Version: | 6.0.1 |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | unspecified |
| Target Milestone: | Unspecified |
| Target Release: | Unused |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Steve Reichard <sreichar> |
| Assignee: | Brad Buckingham <bbuckingham> |
| QA Contact: | Kedar Bidarkar <kbidarka> |
| CC: | achan, asettle, cpelland, dmacpher, jliberma, jrist, lzap, omaciel, scollier |
| Keywords: | Triaged |
| Doc Type: | Bug Fix |
| Doc Text: | A permission issue occurred when a user with correct read-only permissions fetched the list of activation keys using the command line interface. The API was not granting the user access to read the list of keys. This fix restores the correct access rights to the user to read the list. |
| Last Closed: | 2012-12-04 19:44:24 UTC |

Created attachment 574638: keys permissions screen shot
Created attachment 574639: client logs
Created attachment 574640: katello debug

Since I wasn't sure which user made the key, I went back in as sadev and made a new key. An attempted registration with this new key yielded the same result.

It looks like there could be 2 issues here:

1. The permissions model for listing activation keys using the CLI is not working properly. I was able to recreate the same error mentioned above using an 'sadev' user that has permissions to only activation keys. E.g.

    katello> activation_key list --org ACME_Corporation
    User sadev is not allowed to access api/organizations/show

2. Error in the ability to register a client using an activation key. Reported above with behavior like:

    # subscription-manager register --force --org=refarch --activationkey=dev-use-case
    Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'.

Unfortunately, I have not been able to repro #2. For example, using an activation key created by sadev, I was able to register a client:

    # subscription-manager register --org ACME_Corporation --activationkey sadevkey
    The system has been registered with id: f90d8e1b-af1e-4b7b-921a-063a0c372754

It is possible that the second problem has already been solved. Kedar, are you able to reproduce the registration error?

Was away for RHCE training. Brad, I agree with you that issue 1) persists and issue 2) looks already solved now.

For activation keys the verbs are (+all)
For all the other Permissions the verbs selected are only Administer and Read
[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
User sa_dev is not allowed to access api/activation_keys/index
[root@dhcp201-200 ~]# katello -u admin -p admin user list_roles --username=sa_dev
--------------------------------------------------------------------------------
User Role List
Id Name
--------------------------------------------------------------------------------
7 sa_common_role
9 sa_dev_role
14 sa_sysadm_role
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_sysadm_role
--------------------------------------------------------------------------------
User Role Information
--------------------------------------------------------------------------------
Id: 14
Name: sa_sysadm_role
Description:
Permissions:
sa-org
sa-prov
sa-filt
sa-temp
sa-read_all-env_all
sa-keys
Ldap Groups:
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_dev_role
---------------------------------------------------------------------------------------------------------------------------------
User Role Information
---------------------------------------------------------------------------------------------------------------------------------
Id: 9
Name: sa_dev_role
Description: None
Permissions:
sa_dev_libenv_read
sa_dev_perm
Ldap Groups:
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_common_role
---------------------------------------------------------------------------------------------------------------------------------
User Role Information
---------------------------------------------------------------------------------------------------------------------------------
Id: 7
Name: sa_common_role
Description: None
Permissions:
sa_common_template
sa_common_provider
sa_common_org
sa_common_actkey
sa_common_filter
Ldap Groups:
##################################################
But on the client side, it does get registered now.
[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey sa_dev_163_activation_keys
The system has been registered with id: f475be2d-fb81-4250-b3a3-f9864c6589bd
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.
redhat_CFSE_cfse_repo | 2.3 kB 00:00
redhat_CFSE_cfse_repo/primary_db | 102 kB 00:00
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rpms | 3.8 kB 00:00
repo id repo name status
epel Extra Packages for Enterprise Linux 6 - x86_64 7,765
katello-client Katello client tools 1
redhat_CFSE_cfse_repo cfse_repo 281
rhel-6-server-cf-tools-1-rpms Red Hat CloudForms Tools for RHEL 6 (RPMs) 26
rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) 8,436
repolist: 16,509
[root@dhcp201-200 ~]# rpm -qav | grep -i katello
katello-glue-foreman-1.1.10-1.git.31.2fb829c.el6.noarch
katello-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-1.1.6-1.el6.noarch
katello-glue-candlepin-1.1.10-1.git.31.2fb829c.el6.noarch
katello-common-1.1.10-1.git.31.2fb829c.el6.noarch
katello-certs-tools-1.1.8-1.el6.noarch
katello-selinux-1.1.1-1.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-configure-1.1.8-1.git.14.2d383ea.el6.noarch
katello-glue-pulp-1.1.10-1.git.31.2fb829c.el6.noarch
katello-all-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-repos-1.1.2-1.el6.noarch
katello-cli-common-1.1.6-1.el6.noarch
katello pull request:
https://github.com/Katello/katello/pull/623

katello commits:
https://github.com/Katello/katello/commit/5a7461ea93c09e5d8982a286b73b77b570ac6605
https://github.com/Katello/katello/commit/b182a8113d402331f5da54230144815bb188c783
https://github.com/Katello/katello/commit/ef84bebb45810cce5a24685705b1f899cd1568fe

The above commits address the permissions issue that was mentioned as item 1 in comment #6 above. We were not able to reproduce item 2; therefore, moving this BZ to 'on_dev'.

Now a user with a role which has permissions to administer activation keys can successfully list the activation keys.
[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
--------------------------------------------------------------------------------
Activation Key List
Id Name Description Usage Environment Id System Template Id
--------------------------------------------------------------------------------
1 act_163_key None 0 3 4
Was also able to successfully register systems with an activation key.
[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey act_163_key
The system has been registered with id: 6bc508da-3d36-4b98-b1b4-c3617234349b
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rpms | 3.8 kB 00:00
rhel-6-server-rpms/primary_db | 15 MB 00:00
repo id repo name status
*epel Extra Packages for Enterprise Linux 6 - x86_64 7,775
katello-client Katello client tools 1
rhel-6-server-cf-tools-1-rpms Red Hat CloudForms Tools for RHEL 6 (RPMs) 26
rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) 8,479

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

getting rid of 6.0.0 version since that doesn't exist

Description of problem:

I have created an activation key with RHEL and custom repo included. Both of these have been promoted to the environment (dev) that a user has permissions to register. When the client registers I see:

    + subscription-manager register --force --org=refarch --activationkey=dev-use-case
    Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'.

I've attached a katello-debug and a tar of the client /var/log.

I think this may be an issue with roles/permission because:

    [root@cf-se1 ~]# katello -u sadev -p sadev activation_key list
    User sadev is not allowed to access api/activation_keys/index
    [root@cf-se1 ~]#

However you can see the user has the ra-sysadm_role, this role has the permission of ra-keys, and since I can't see how to list info about permissions using the cli (Is that a bug?) I've attached a screen shot with the info. Notice that verbs is all. I see that On is blank but in the interface I could not modify this.

    [root@cf-se1 ~]# katello -u admin -p admin user list_roles --username=sadev
    -------------------------------------------------------------------------------------------------
    User Role List
    Id Name
    -------------------------------------------------------------------------------------------------
    7 ra-dev-role
    5 ra-sysadm-role
    [root@cf-se1 ~]# katello -u admin -p admin user_role info --name=ra-sysadm-role
    -------------------------------------------------------------------------------------------------
    User Role Information
    -------------------------------------------------------------------------------------------------
    Id: 5
    Name: ra-sysadm-role
    Description:
    Permissions:
    ra-env-read-all
    ra-filt
    ra-temp
    ra-org
    ra-prov
    ra-keys
    [root@cf-se1 ~]#

Version-Release number of selected component (if applicable):

beta 6

    [root@cf-se1 ~]# /pub/scripts/post_install_configuration_scripts/cf-versions
    Red Hat Enterprise Linux Server release 6.2 (Santiago)
    Linux cf-se1.cloud.lab.eng.bos.redhat.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Fri Feb 10 15:22:22 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
    postgresql-8.4.9-1.el6_1.1.x86_64
    mongodb-1.8.2-4.el6.x86_64
    package euca2ools is not installed
    ruby-1.8.7.352-7.el6_2.x86_64
    rubygems-1.8.16-1.el6.noarch
    package deltacloud-core is not installed
    package rubygem-deltacloud-client is not installed
    package libdeltacloud is not installed
    package hail is not installed
    puppet-2.6.14-1.el6.noarch
    package aeolus-configure is not installed
    package iwhd is not installed
    package imagefactory is not installed
    package aeolus-conductor-daemons is not installed
    package aeolus-conductor is not installed
    [root@cf-se1 ~]#

How reproducible:

In my current setup, easily, please let me know if you want access

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: