Description of problem:
After updating my spacewalk nightly setup from a snapshot of early December to current latest, the proxy details page gives a permission error and the connection tab for proxied hosts is no longer shown, probably due to the following commits:

commit ed2e505058b37e8fae5a8bcb5cf8ab05f4701115
commit e752bfd98f05898523c944bb4f4761a4aebf86d7

The following permission error is shown in the web UI on the proxy details page:

"Permission Error. You do not have the appropriate permission set to access the requested page. You may have reached this error page in one of several ways:
Your login session has expired. For security reasons, Spacewalk terminates your login session after 60 minutes of inactivity. To sign in again, click here.
You've found an error in our site. Please contact your Support representative with details of how you received this message.
Your browser does not have cookies enabled. The Spacewalk requires cookies in order to function; if you have disabled them, please re-enable them to use the site.
You've done something naughty. Stop it."

with the corresponding error in catalina.out:

2015-02-10 11:25:02,335 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-7] ERROR org.apache.struts.action.RequestProcessor - Missing Acl: org_channel_family(rhn-proxy) when accessing /rhn/systems/details/Proxy.do

Version-Release number of selected component (if applicable):

spacewalk:
rhn-check.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhn-client-tools.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhn-setup.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhncfg.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhncfg-client.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhnlib.noarch 2.5.74-1.el7 @spacewalk-client-nightly
rhnpush.noarch 5.5.84-1.el7 @spacewalk-nightly
rhnsd.x86_64 5.0.15-1.el7 @spacewalk-client-nightly
spacewalk-admin.noarch 2.3.3-1.el7 @spacewalk-nightly
spacewalk-backend.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-app.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-applet.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-config-files.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-config-files-common.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-config-files-tool.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-iss.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-iss-export.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-libs.noarch 2.3.38-1.el7 @spacewalk-client-nightly
spacewalk-backend-package-push-server.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-server.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-sql.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-sql-postgresql.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-tools.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-xml-export-libs.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-xmlrpc.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-base.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-base-minimal.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-base-minimal-config.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-branding.noarch 2.3.19-1.el7 @spacewalk-nightly
spacewalk-certs-tools.noarch 2.3.1-1.el7 @spacewalk-client-nightly
spacewalk-common.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-config.noarch 2.3.3-1.el7 @spacewalk-nightly
spacewalk-doc-indexes.noarch 2.3.2-1.el7 @spacewalk-nightly
spacewalk-grail.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-html.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-java.noarch 2.3.139-1.el7 @spacewalk-nightly
spacewalk-java-config.noarch 2.3.139-1.el7 @spacewalk-nightly
spacewalk-java-lib.noarch 2.3.139-1.el7 @spacewalk-nightly
spacewalk-java-postgresql.noarch 2.3.139-1.el7 @spacewalk-nightly
spacewalk-jpp-workaround.noarch 2.3.2-1.el7 @spacewalk-nightly
spacewalk-monitoring.noarch 2.2.1-1.el7 @spacewalk-nightly
spacewalk-monitoring-selinux.noarch 2.2.1-1.el7 @spacewalk-nightly
spacewalk-postgresql.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-pxt.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-schema.noarch 2.3.34-1.el7 @spacewalk-nightly
spacewalk-search.noarch 2.3.5-1.el7 @spacewalk-nightly
spacewalk-selinux.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-setup.noarch 2.3.8-1.el7 @spacewalk-nightly
spacewalk-setup-jabberd.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-setup-postgresql.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-sniglets.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-taskomatic.noarch 2.3.139-1.el7 @spacewalk-nightly

proxy:
rhn-check.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhn-client-tools.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhn-setup.noarch 2.3.8-1.el7 @spacewalk-client-nightly
rhncfg.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhncfg-actions.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhncfg-client.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhncfg-management.noarch 5.10.81-1.el7 @spacewalk-client-nightly
rhnlib.noarch 2.5.74-1.el7 @spacewalk-client-nightly
rhnpush.noarch 5.5.84-1.el7 @spacewalk-nightly
rhnsd.x86_64 5.0.15-1.el7 @spacewalk-client-nightly
spacewalk-backend.noarch 2.3.38-1.el7 @spacewalk-nightly
spacewalk-backend-libs.noarch 2.3.38-1.el7 @spacewalk-client-nightly
spacewalk-base-minimal.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-base-minimal-config.noarch 2.3.33-1.el7 @spacewalk-nightly
spacewalk-certs-tools.noarch 2.3.1-1.el7 @spacewalk-client-nightly
spacewalk-proxy-broker.noarch 2.3.10-1.el7 @spacewalk-nightly
spacewalk-proxy-common.noarch 2.3.10-1.el7 @spacewalk-nightly
spacewalk-proxy-docs.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-proxy-html.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-proxy-installer.noarch 2.3.9-1.el7 @spacewalk-nightly
spacewalk-proxy-management.noarch 2.3.10-1.el7 @spacewalk-nightly
spacewalk-proxy-package-manager.noarch 2.3.10-1.el7 @spacewalk-nightly
spacewalk-proxy-redirect.noarch 2.3.10-1.el7 @spacewalk-nightly
spacewalk-proxy-selinux.noarch 2.0.1-1.el7 @spacewalk-nightly
spacewalk-setup-jabberd.noarch 2.3.1-1.el7 @spacewalk-nightly
spacewalk-ssl-cert-check.noarch 1:2.4-1.el7 @spacewalk-nightly

How reproducible:
Always

Steps to Reproduce:
Proxy details page
1. Go to proxy hosts and click on proxy details
Connection tab
1. Connection tab on proxied hosts is missing

Actual results:
Permission error on visit to proxy details page and missing connection tab for proxied hosts.

Expected results:
Proxy details page and connection tab is shown.

Additional info:
I ported the acls incorrectly from perl. In the process of fixing.
I believe I have fixed things so that the behavior of those pages should be the same as it was in Spacewalk 2.2, namely:

Connections.do is shown as an option any time the org has at least one proxy.

Proxy.do is shown as an option (and works) if the system is a proxy or could become one (the latter condition requires channel family entitlements that probably will only be true for Satellites).

If you want to try out the newest spacewalk-java and see if that matches your expectations that would be great.

Committing to Spacewalk master: a5a50d7c47488173b1ce9210c18de79dd1f38533
Thanks for that :) Most cases are fixed in spacewalk-java-2.3.142. "Connection" tab and "Proxy" tab are working, but the "Systems Using Proxy" on the "Proxy" tab is still not working. Probably the same fix as done for proxy.jsp is needed, but I was unable to build and test spacewalk-java due to missing dependencies :/ Maybe the following patch is enough, but as written above I could not build and test. --- code/webapp/WEB-INF/struts-config.xml.orig 2015-02-18 23:36:35.000000000 +0100 +++ code/webapp/WEB-INF/struts-config.xml 2015-02-19 09:45:05.525410627 +0100 @@ -2920,7 +2920,8 @@ input="/WEB-INF/pages/systems/sdc/proxyclients.jsp" type="com.redhat.rhn.frontend.action.systems.sdc.ProxyClientsAction" className="com.redhat.rhn.frontend.struts.RhnActionMapping"> - <set-property property="acls" value="org_channel_family(rhn-proxy)"/> + <set-property property="mixins" value="com.redhat.rhn.common.security.acl.SystemAclHandler"/> + <set-property property="acls" value="user_role(org_admin); system_feature(ftr_proxy_capable) or system_is_proxy(); org_channel_family(rhn-proxy) or system_is_proxy(); child_channel_candidate(rhn-proxy) or system_is_proxy(); org_entitlement(rhn_provisioning); not system_is_satellite(); system_feature(ftr_kickstart) or system_feature(ftr_snapshotting)"/> <forward name="default" path="/WEB-INF/pages/systems/sdc/proxyclients.jsp" /> </action>
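Review bot: the new acls value on the ProxyClientsAction mapping is much broader than this page appears to need. Three of its clauses (system_feature(ftr_proxy_capable), org_channel_family(rhn-proxy) and child_channel_candidate(rhn-proxy), each paired with "or system_is_proxy()") describe a system that is a proxy or a candidate to become one, and the org_entitlement(rhn_provisioning), "not system_is_satellite()" and ftr_kickstart/ftr_snapshotting clauses have no visible connection to listing the clients of a proxy. If proxyclients.jsp only makes sense for a system that already is a proxy, an expression built on system_is_proxy() plus the role check would be easier to audit and would not make access depend on unrelated entitlements. Since the message says the patch was not built or tested, it is also worth confirming that the system_* checks resolve through the SystemAclHandler mixin added on the line above, so the mapping does not fail with another "Missing Acl" error.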
Ah, thanks, I missed that one. It's similar, but that page should only be displayed if the system is currently a proxy, so the acls are actually quite a bit simpler. Committing to Spacewalk master (under your name): cebe095e800dbdfd3a8573c374dfbdd0bd3a865a
I can confirm the fix. No permission errors any longer after update to spacewalk-java > 2.3.146. Thank you very much :)
Moving bugs to ON_QA as we move to release Spacewalk 2.3
Spacewalk 2.3 has been released. See https://fedorahosted.org/spacewalk/wiki/ReleaseNotes23