Recent changes to permissions in Katello seem to have broken subscription manager's registration functionality in the GUI. The failure occurs when subman attempts to update the system's package profile during its registration process and is due to a permissions error. Currently subscription manager expects that the package profile can be updated via basic auth (admin user) and consumer auth (oauth), and it appears that an admin via basic auth is no longer able to make this call. Registration via the subman CLI is different (and working) because it creates a new connection using the newly aquired consumer id cert and uses it to update the package profile. We can fix this in subamn, but it will still be broken for old subman clients. We have to support both. Generally in subscription manager, most 'consumer' related API calls are made via consumer id cert, however, many of them can be made via basic auth (a user who has permissions). The following should be checked to ensure that the API can be called via basic auth. <pre> Basic Auth (User) --------------------------- GET / GET /users/{user_uuid}/owners GET /owners/{owner_key}/environments POST /environments/{environment}/consumers (registration) PUT /consumers/{consumer_uuid}/packages POST /consumers/{consumer_uuid} (force regen of identity certificate) GET /owners/{org_id}/servicelevels PUT /hypervisors </pre> Exception details: <pre> [DEBUG 2014-05-27 10:18:38 cp_proxy] Checking params for katello/api/v1/candlepin_proxies/upload_package_profile Katello::System Load (0.6ms) SELECT "katello_systems".* FROM "katello_systems" WHERE "katello_systems"."uuid" = '0b7712ee-42ad-4ed4-9141-b61cd3ba6116' LIMIT 1 Rendered api/v1/errors/access_denied.json.rabl (1.4ms) Filter chain halted as :authorize_client rendered or redirected Completed 403 Forbidden in 37.4ms (Views: 30.7ms | ActiveRecord: 0.6ms) With body: {"message":"Access denied","details":null} </pre>
Created from redmine issue http://projects.theforeman.org/issues/5938
Upstream bug assigned to ehelms
https://github.com/Katello/katello/pull/4158
Failed. Verification Steps: 1. Launch subscription-manager-gui 2. Go to System -> Register 3. Register with: sat6host:443/katello/api. Click Next 4. Enter credentials: admin/changeme. click Next 5. UI error message: User admin is not able to register with any orgs Note: registration via cli worked fine Version Tested: * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.7-1.el6_5.noarch * candlepin-scl-1-5.el6_4.noarch * candlepin-scl-quartz-2.1.5-5.el6_4.noarch * candlepin-scl-rhino-1.7R3-1.el6_4.noarch * candlepin-scl-runtime-1-5.el6_4.noarch * candlepin-selinux-0.9.7-1.el6_5.noarch * candlepin-tomcat6-0.9.7-1.el6_5.noarch * elasticsearch-0.90.10-4.el6sat.noarch * foreman-1.6.0.14-1.el6sat.noarch * foreman-compute-1.6.0.14-1.el6sat.noarch * foreman-gce-1.6.0.14-1.el6sat.noarch * foreman-libvirt-1.6.0.14-1.el6sat.noarch * foreman-ovirt-1.6.0.14-1.el6sat.noarch * foreman-postgresql-1.6.0.14-1.el6sat.noarch * foreman-proxy-1.6.0.6-1.el6sat.noarch * foreman-selinux-1.6.0-4.el6sat.noarch * foreman-vmware-1.6.0.14-1.el6sat.noarch * katello-1.5.0-25.el6sat.noarch * katello-ca-1.0-1.noarch * katello-certs-tools-1.5.5-1.el6sat.noarch * katello-installer-0.0.45-1.el6sat.noarch * openldap-2.4.23-32.el6_4.1.x86_64 * pulp-katello-0.3-3.el6sat.noarch * pulp-nodes-common-2.4.0-0.18.beta.el6sat.noarch * pulp-nodes-parent-2.4.0-0.18.beta.el6sat.noarch * pulp-puppet-plugins-2.4.0-0.18.beta.el6sat.noarch * pulp-puppet-tools-2.4.0-0.18.beta.el6sat.noarch * pulp-rpm-plugins-2.4.0-0.18.beta.el6sat.noarch * pulp-selinux-2.4.0-0.18.beta.el6sat.noarch * pulp-server-2.4.0-0.18.beta.el6sat.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch * ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
The above test was performed with subscription-manager-gui-1.9.11-1.el6.x86_64.
Please re-test with snap9 as there are number of changes that have gone in since the last one.
Verified. Now I am able to register/subscribe a content-host to sat6: 1. using activation key - PASS 2. using env/cv - FAIL (Another bug https://bugzilla.redhat.com/show_bug.cgi?id=1109380 is written to track this) Note: Also retrieving active subscriptions failed which is tracked in a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1109398 Version Tested: * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.19-1.el6_5.noarch * candlepin-scl-1-5.el6_4.noarch * candlepin-scl-quartz-2.1.5-5.el6_4.noarch * candlepin-scl-rhino-1.7R3-1.el6_4.noarch * candlepin-scl-runtime-1-5.el6_4.noarch * candlepin-selinux-0.9.19-1.el6_5.noarch * candlepin-tomcat6-0.9.19-1.el6_5.noarch * elasticsearch-0.90.10-4.el6sat.noarch * foreman-1.6.0.17-1.el6sat.noarch * foreman-compute-1.6.0.17-1.el6sat.noarch * foreman-gce-1.6.0.17-1.el6sat.noarch * foreman-libvirt-1.6.0.17-1.el6sat.noarch * foreman-ovirt-1.6.0.17-1.el6sat.noarch * foreman-postgresql-1.6.0.17-1.el6sat.noarch * foreman-proxy-1.6.0.7-1.el6sat.noarch * foreman-selinux-1.6.0-4.el6sat.noarch * foreman-vmware-1.6.0.17-1.el6sat.noarch * katello-1.5.0-26.el6sat.noarch * katello-ca-1.0-1.noarch * katello-certs-tools-1.5.5-1.el6sat.noarch * katello-installer-0.0.48-1.el6sat.noarch * openldap-2.4.23-31.el6.x86_64 * pulp-katello-0.3-3.el6sat.noarch * pulp-nodes-common-2.4.0-0.20.beta.el6sat.noarch * pulp-nodes-parent-2.4.0-0.20.beta.el6sat.noarch * pulp-puppet-plugins-2.4.0-0.20.beta.el6sat.noarch * pulp-puppet-tools-2.4.0-0.20.beta.el6sat.noarch * pulp-rpm-plugins-2.4.0-0.20.beta.el6sat.noarch * pulp-selinux-2.4.0-0.20.beta.el6sat.noarch * pulp-server-2.4.0-0.20.beta.el6sat.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch * ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
This was delivered with 6.0.3, which is the Satellite 6 Beta.
This was delivered in 6.0.3, the Beta version of Satellite 6.0