Description of problem:
Read-only user can register a new system or manipulate configuration channels

Version-Release number of selected component (if applicable):
Satellite-5.7.0-RHEL6-re20140925.0

How reproducible:
100%

Steps to Reproduce:
1. register new system and use a credential of the read-only user
2. on client machine:
> yum install -y rhncfg-manager
> rhncfg-manager create-channel --username test --password xxx test
Creating config channel test
Config channel test created
> rhncfg-manager add -c test --username test --password xxx /etc/sysconfig/rhn/up2date
Pushing to channel test:
Local file /etc/sysconfig/rhn/up2date -> remote file /etc/sysconfig/rhn/up2date

Actual results:
We can register a new system and manipulate configuration channels when we use the read-only credentials.

Expected results:
We will not be able to register a new system or manipulate configuration channels when we use the read-only credentials.

Additional info:
backend likely needs a central location to fail read-only user authentications, maybe with new error message thrown.
Fixed in spacewalk master by commit d967d141850f7bde1cb72364e3cdbf25f4d61511
1150010 - deny read-only user from accessing XMLRPC API

Backported to SATELLITE-5.7 as commit 522ebb3874696975ae75819432dbc8dc03687c9e
1150010 - deny read-only user from accessing XMLRPC API
VERIFIED on Satellite-5.7.0-RHEL6-re20141119.0 (spacewalk-backend-2.3.3-20.el6sat)

Reproducer from comment 0:

> rhncfg-manager create-channel --username test --password xxx test
Session error: (-702, '\nError Class Code: 702\nError Class Info: This user has read only API access. Action denied.\nExplanation: \n An error has occurred while processing your request. If this problem\n persists please enter a bug report at bugzilla.redhat.com.\n If you choose to submit the bug report, please be sure to include\n details of what you were trying to do when this error occurred and\n details on how to reproduce this problem.\n')

> rhncfg-manager add -c test --username test --password xxx /etc/sysconfig/rhn/up2date
Session error: (-702, '\nError Class Code: 702\nError Class Info: This user has read only API access. Action denied.\nExplanation: \n An error has occurred while processing your request. If this problem\n persists please enter a bug report at bugzilla.redhat.com.\n If you choose to submit the bug report, please be sure to include\n details of what you were trying to do when this error occurred and\n details on how to reproduce this problem.\n')

> rhnpush -c clone-rhn-tools-rhel-x86_64-server-6 -u test -p xxx rhn-custom-info-5.4.14-1.el6sat.noarch.rpm
Error Class Code: 702
Error Class Info: This user has read only API access. Action denied.
Explanation:
 An error has occurred while processing your request. If this problem
 persists please enter a bug report at bugzilla.redhat.com.
 If you choose to submit the bug report, please be sure to include
 details of what you were trying to do when this error occurred and
 details on how to reproduce this problem.

Login via WebUI:
This user has read only API access. WebUI login is denied.
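A sketch of the central denial point suggested earlier in this report, added here as an illustration and not taken from spacewalk-backend: every call is authenticated once in the dispatcher, and read-only accounts receive the -702 fault seen in the verification output before any handler runs. The handler names, the account table and the bad-login code are constructed for the example.

```python
import hmac
import xmlrpc.client

# Code and message as they appear in the verification output of this report.
READ_ONLY_CODE = -702
READ_ONLY_INFO = "This user has read only API access. Action denied."
BAD_LOGIN_CODE = -2  # constructed value for this sketch

# Constructed account table: username -> (password, read_only flag).
USERS = {"admin": ("secret", False), "test": ("xxx", True)}
CHANNELS = {}  # config channel label -> list of file paths


def authenticate(username, password):
    """The one place credentials are checked; read-only users stop here."""
    stored, read_only = USERS.get(username, ("", False))
    known = username in USERS
    if not (known and hmac.compare_digest(stored.encode(), password.encode())):
        raise xmlrpc.client.Fault(BAD_LOGIN_CODE, "Invalid username or password.")
    if read_only:
        raise xmlrpc.client.Fault(READ_ONLY_CODE, READ_ONLY_INFO)
    return username


def create_channel(user, label):  # hypothetical handler
    CHANNELS[label] = []
    return label


def add_file(user, label, path):  # hypothetical handler
    CHANNELS[label].append(path)
    return path


HANDLERS = {"create_channel": create_channel, "add_file": add_file}


def dispatch(method, username, password, *params):
    """Authenticate once, before dispatch, so no handler can skip the check."""
    user = authenticate(username, password)
    return HANDLERS[method](user, *params)


def call(method, username, password, *params):
    """Return ('ok', result) or ('fault', code, message) instead of raising."""
    try:
        return ("ok", dispatch(method, username, password, *params))
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)
```

Because the check lives in `dispatch`, a handler added later inherits the denial without carrying its own read-only test.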
With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug is being moved to a Closed Current Release state.

The Satellite 5.7 GA Errata:
- https://rhn.redhat.com/errata/RHSA-2015-0033.html

Satellite 5.7 Release Notes:
- https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html

Satellite Customer Portal Blog announcement for release:
- https://access.redhat.com/blogs/1169563/posts/1315743

Cliff

NOTE: This bug has not been re-verified (moved to RELEASE_PENDING) prior to release. We assume that the bug has indeed been fixed and not regressed since we initially verified it. Please re-open in the future if needed.