Bug 1029593 - IPA CLI: ipa sudorule-del generates "Internal Server Error"
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Severity: medium
Assigned To: Martin Kosek
Namita Soman
Reported: 2013-11-12 12:11 EST by Yi Zhang
Modified: 2016-01-29 08:19 EST
Doc Type: Bug Fix
Last Closed: 2016-01-29 08:19:43 EST
Type: Bug
Description Yi Zhang 2013-11-12 12:11:10 EST
Description of problem:
This error was discovered by accident.

[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa sudorule-del
ipa: ERROR: cannot connect to 'https://rh7a.yzhang.redhat.com/ipa/session/xml': Internal Server Error

In order to reproduce this error, some sudo rule like "sudo.rule" has to exist. In other words, the following command has to succeed:
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2

Version-Release number of selected component (if applicable): ipa-server-3.3.3-3.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Create sudorule "sudo.rule.001" "sudo.rule.002"
2. Run the above command:
ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa sudorule-del

Actual results:
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa sudorule-del
ipa: ERROR: cannot connect to 'https://rh7a.yzhang.redhat.com/ipa/session/xml': Internal Server Error

Additional info:

Corresponding error message in /var/log/httpd/error_log:

[Tue Nov 12 09:07:40.390300 2013] [:error] [pid 1599] [remote] mod_wsgi (pid=1599): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Nov 12 09:07:40.390373 2013] [:error] [pid 1599] [remote] Traceback (most recent call last):
[Tue Nov 12 09:07:40.390396 2013] [:error] [pid 1599] [remote]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Tue Nov 12 09:07:40.390432 2013] [:error] [pid 1599] [remote]     return api.Backend.wsgi_dispatch(environ, start_response)
[Tue Nov 12 09:07:40.390447 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 247, in __call__
[Tue Nov 12 09:07:40.390471 2013] [:error] [pid 1599] [remote]     return self.route(environ, start_response)
[Tue Nov 12 09:07:40.390483 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 259, in route
[Tue Nov 12 09:07:40.390502 2013] [:error] [pid 1599] [remote]     return app(environ, start_response)
[Tue Nov 12 09:07:40.390514 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1197, in __call__
[Tue Nov 12 09:07:40.390533 2013] [:error] [pid 1599] [remote]     response = super(xmlserver_session, self).__call__(environ, start_response)
[Tue Nov 12 09:07:40.390545 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 709, in __call__
[Tue Nov 12 09:07:40.390564 2013] [:error] [pid 1599] [remote]     response = super(xmlserver, self).__call__(environ, start_response)
[Tue Nov 12 09:07:40.390576 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 374, in __call__
[Tue Nov 12 09:07:40.390594 2013] [:error] [pid 1599] [remote]     response = self.wsgi_execute(environ)
[Tue Nov 12 09:07:40.390624 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 328, in wsgi_execute
[Tue Nov 12 09:07:40.390643 2013] [:error] [pid 1599] [remote]     (name, args, options, _id) = self.unmarshal(data)
[Tue Nov 12 09:07:40.390654 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 732, in unmarshal
[Tue Nov 12 09:07:40.390673 2013] [:error] [pid 1599] [remote]     (params, name) = xml_loads(data)
[Tue Nov 12 09:07:40.390685 2013] [:error] [pid 1599] [remote]   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 262, in xml_loads
[Tue Nov 12 09:07:40.390706 2013] [:error] [pid 1599] [remote]     (params, method) = loads(data)
[Tue Nov 12 09:07:40.390717 2013] [:error] [pid 1599] [remote]   File "/usr/lib64/python2.7/xmlrpclib.py", line 1135, in loads
[Tue Nov 12 09:07:40.390738 2013] [:error] [pid 1599] [remote]     p.feed(data)
[Tue Nov 12 09:07:40.390749 2013] [:error] [pid 1599] [remote]   File "/usr/lib64/python2.7/xmlrpclib.py", line 557, in feed
[Tue Nov 12 09:07:40.390768 2013] [:error] [pid 1599] [remote]     self._parser.Parse(data, 0)
[Tue Nov 12 09:07:40.390792 2013] [:error] [pid 1599] [remote] ExpatError: not well-formed (invalid token): line 8, column 15
[Tue Nov 12 09:09:13.139490 2013] [:error] [pid 1600] ipa: INFO: admin@YZHANG.REDHAT.COM: sudorule_find(u'sudo.rule', all=False, raw=False, version=u'2.65', no_members=False, pkey_only=False): SUCCESS
Comment 1 Yi Zhang 2013-11-12 12:14:13 EST
Additional information:

1. In order to generate the ipa server error, the command format has to be followed.
ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa sudorule-del

2. ipa sudorule-find sudo.rule has to return a valid ipa record
3. Without xargs, it does not report an error

4. I tried to run "ipa sudorule-del" with various bogus strings, I couldn't produce the same error. It appears to me that "xargs" produces some inputs that the ipa server doesn't handle correctly.

My test was performed on rhel7.0 x86_64, but I don't think it matters.
Comment 2 Rob Crittenden 2013-11-12 12:17:38 EST
Can you add a -vv to the xargs ipa call? That may show us the XML-RPC request being sent. xargs ipa -vv sudorule-del.
Comment 4 Yi Zhang 2013-11-14 13:39:15 EST
[root@rh7a (RH7.0-x86_64) ipa-sudo] ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa -vv sudorule-del
send: "POST /ipa/xml HTTP/1.1\r\nHost: rh7a.yzhang.redhat.com\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://rh7a.yzhang.redhat.com/ipa/xml\r\nAuthorization: negotiate YIICbgYJKoZIhvcSAQICAQBuggJdMIICWaADAgEFoQMCAQ6iBwMFACAAAACjggFrYYIBZzCCAWOgAwIBBaETGxFZWkhBTkcuUkVESEFULkNPTaIpMCegAwIBAaEgMB4bBEhUVFAbFnJoN2EueXpoYW5nLnJlZGhhdC5jb22jggEaMIIBFqADAgESoQMCAQKiggEIBIIBBDcyWAghuQaKfk5Pi9Fsyas8rYf1AS0eGg4U/QvnltUqmPF1x1pfcDE682icit4Ytt8eVtMiv9xtuEFpxmC4n+zkFcc11/F8/pwKBj2YUe4arQ9uig2KB2yjElJcv8UuH552nuctpZfeobdaJS+rIHPptF/sah94X6qVxpEuEqVYzHsQdhFMwT6gp01BP1yYuVaaVWIkZTPb1rYGABiOpqU7WQzkS+4Ljk5Tgxu2uhM04eJEm/nzNHri3con/ykPAPGLggxdS4v7N7h8tkG2vRasrfZu4xO9t5WiDWuFddzcPaIFyJCrJe8umbzwdXCY3vMzpf4Zdz8tNqUHawLcZy8X38CjpIHUMIHRoAMCARKigckEgcZoQ10EWkBR2+F/iUhYtuar0YNOFSUWYcSdD2n5u6EkKvmgGc7kQoNO/iXy36uNE/DKlnunNXMXQ5z22Xe6fuGjSI/wcgAHv8esaXVZyCQV3IIsx2U94B0E/OAsN4wVUr0oTFCycsKSrWdt6lbbG8+Z1jT+nLtMq49H3k+J6zbbsTU7uHm2P0lbf3fxEb1bajo3yXyfhw8vncf/WLoHM1FkWwaWv5OkUi33vOj2ArQ/uai5NHuanVnrCs0lZGo4ZBbm2QwB7iE=\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 522\r\n\r\n<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>sudorule_del</methodName>\n<params>\n<param>\n<value><array><data>\n<value><array><data>\n<value><string>\x1b[m\x1b[K</string></value>\n<value><string>sudo.rule.15958</string></value>\n</data></array></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>continue</name>\n<value><boolean>0</boolean></value>\n</member>\n<member>\n<name>version</name>\n<value><string>2.65</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Thu, 14 Nov 2013 18:39:37 GMT
header: Server: Apache/2.4.6 (Red Hat) mod_auth_kerb/5.4 mod_fcgid/2.3.9 mod_nss/2.4.6 NSS/3.15.2 Basic ECC PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv5knk2jCvNufzLMXz1mudCdSrh7Gx9FF1j/oGX601ghFMdRreVcbJjFkBe1V+jk9gg8CBd5rCXoouJWQr+rPuqrdpj77A6B0gTcC+IMeMUOfc+FcwysjHYI7Fgc8BrQeOhUX3S+gIu/ynz8MCXX9k
header: Content-Length: 527
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: ERROR: cannot connect to 'https://rh7a.yzhang.redhat.com/ipa/xml': Internal Server Error
Comment 5 Rob Crittenden 2013-11-14 21:04:33 EST
There is some garbage mixed in there, \x1b[m\x1b[K

I wonder if escape characters from python are being stuffed in there.

Can you try setting TERM to vt100 before executing this?
Comment 6 Yi Zhang 2013-11-18 23:06:03 EST
Such garbage mixed chars might be produced by the pipe ("|"). I have seen similar chars in log files when "|" is being used. The following command I used before created similar junk chars like "\[m\x265?" in the log file.

time $script 2>&1 |tee -a $log

I will try setting my terminal to vt100 and see if I can remove it.
Comment 7 Martin Kosek 2013-11-20 03:08:22 EST
Yi, did setting the terminal help? When tested in normal BASH, the command worked:

# ipa sudorule-find sudo.rule | grep "Rule name:" | cut -d":" -f2 | xargs ipa sudorule-del
Deleted Sudo Rule "sudo.rule"

Rob, I am wondering if that may be something we should fix and catch ExpatError, to let ipa provide a better error message.
Comment 8 Rob Crittenden 2013-11-20 08:37:25 EST
Yes, I agree.
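
An added example, not part of the original thread and not FreeIPA's own code: it reproduces the parse failure from Comment 4 with the Python 3 standard library, then shows the two mitigations discussed above, catching ExpatError on the server side and sanitizing arguments before they are marshalled. The function names and the fault code are hypothetical; the sample arguments are constructed from the captured request.

```python
import re
import xmlrpc.client
from xml.parsers.expat import ExpatError

# ANSI CSI escape sequences such as ESC[m and ESC[K (the bytes seen in Comment 4).
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Control characters that XML 1.0 does not allow anywhere in a document.
XML_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
FAULT_MALFORMED = 1  # hypothetical fault code, chosen for this example


def clean_args(args):
    """Client side: strip terminal escapes, drop empties, refuse other control chars."""
    cleaned = []
    for arg in args:
        arg = ANSI_CSI.sub("", arg).strip()
        if XML_ILLEGAL.search(arg):
            raise ValueError("control character in argument: %r" % arg)
        if arg:
            cleaned.append(arg)
    return cleaned


def build_request(names):
    """Marshal a sudorule_del call shaped like the request captured with -vv."""
    options = {"continue": False, "version": "2.65"}
    # dumps() escapes only &, < and >, so a raw ESC byte passes straight through.
    return xmlrpc.client.dumps((names, options), "sudorule_del")


def unmarshal(data):
    """Server side: turn a parse failure into an XML-RPC fault, not a traceback."""
    try:
        params, method = xmlrpc.client.loads(data)
    except ExpatError as exc:
        return xmlrpc.client.Fault(FAULT_MALFORMED,
                                   "malformed XML-RPC request: %s" % exc)
    return method, params


if __name__ == "__main__":
    raw = ["\x1b[m\x1b[K", "sudo.rule.15958"]  # constructed from the Comment 4 capture
    print(unmarshal(build_request(raw)))              # Fault instead of HTTP 500
    print(unmarshal(build_request(clean_args(raw))))  # parses normally
```
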
Comment 9 Martin Kosek 2013-11-22 04:04:41 EST
Upstream ticket:
Comment 13 Martin Kosek 2016-01-29 08:19:43 EST
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.