Description of problem:
Custom info can be added to a system without provisioning entitlement via API and rhn-custom-info tool. It can be read via both API and tool and after adding provisioning entitlement, the value is visible via webUI.

How reproducible:
Always. Have a system registered to the satellite and an existing custom info key.

1. Remove the provisioning entitlement from the system
2. Add the custom value to the system via API or a rhn-custom-info tool
   client.system.setCustomValues(session, sysID, {keyLabel: keyValue})
   OR
   rhn-custom-info -u <user> -p <password> -s http://<hostname>/rpc/api keyLabel keyValue
3. Add the provisioning entitlement to the system

Actual results:
The custom value is set

Expected results:
This shouldn't be possible without the provisioning entitlement

Additional info:
Test RHN-Tools/rhn-custom-info (currently workaround)
Created attachment 865154
patch
This patch fixes both issues described.
Created attachment 1122504
Updated patch to adjust to code changes
Approach is sound, updated to reflect code changes and to add new reason-for-exception to docs (NOTE: no matching spacewalk change, as spacewalk-master no longer has provisioning entitlements)
Verified with Satellite 5.8 compose and SW nightly from 2016-11-10 (in SW, you cannot remove provisioning entitlement so I just checked custom info works). Note: After setting custom info, removing Provisioning entitlement and returning it back, the custom info persists. I think that is OK.
This fix was released as part of 5.8GA - closing
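A regression check for the behaviour this report expects, as an added example that is not part of the bug thread or of the attached patch. It assumes the XML-RPC calls system.removeEntitlements, system.addEntitlements and system.getCustomValues alongside the setCustomValues call quoted above, the entitlement label provisioning_entitled, and that a refused write surfaces as an XML-RPC fault; the fake client and its fault code are constructed so the check runs offline.

```python
import uuid
import xmlrpc.client

PROVISIONING = "provisioning_entitled"  # assumed entitlement label


def custom_info_gate_holds(client, session, sys_id, key_label):
    """True if setCustomValues is refused while the system lacks the
    provisioning entitlement and nothing was stored; False if the write landed."""
    probe = "gate-check-" + uuid.uuid4().hex  # unique value, so a stale one cannot match
    client.system.removeEntitlements(session, sys_id, [PROVISIONING])
    try:
        try:
            client.system.setCustomValues(session, sys_id, {key_label: probe})
            refused = False
        except xmlrpc.client.Fault:
            refused = True
    finally:
        # Step 3 of the report: put the entitlement back so the value can be read.
        client.system.addEntitlements(session, sys_id, [PROVISIONING])
    stored = client.system.getCustomValues(session, sys_id)
    return refused and stored.get(key_label) != probe


class FakeSystemApi:
    """Constructed in-memory stand-in for the `system` namespace."""

    def __init__(self, enforce):
        self.enforce, self.entitlements, self.values = enforce, {PROVISIONING}, {}

    def removeEntitlements(self, session, sys_id, labels):
        self.entitlements -= set(labels)
        return 1

    def addEntitlements(self, session, sys_id, labels):
        self.entitlements |= set(labels)
        return 1

    def setCustomValues(self, session, sys_id, mapping):
        if self.enforce and PROVISIONING not in self.entitlements:
            raise xmlrpc.client.Fault(-1, "entitlement required")  # constructed fault
        self.values.update(mapping)
        return 1

    def getCustomValues(self, session, sys_id):
        return dict(self.values)


class FakeClient:
    def __init__(self, enforce):
        self.system = FakeSystemApi(enforce)
```

Against a real server, pass an xmlrpc.client.ServerProxy for http://<hostname>/rpc/api and a session key in place of the fake client.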