Bug 1273582 - Permissions seem to be wrong
Permissions seem to be wrong
Status: CLOSED CURRENTRELEASE
Product: Red Hat Certification Program
Classification: Red Hat
Component: Certification Workflow Engine (Show other bugs)
1.0
Unspecified Unspecified
urgent Severity high
: ---
: ---
Assigned To: MaoPeng
Suprith Gangawar
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-20 14:03 EDT by Glen Millard
Modified: 2015-11-23 19:14 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 19:14:51 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Error message (100.85 KB, image/png)
2015-10-20 14:03 EDT, Glen Millard
no flags Details
Error message when trying to create a cert for "Black Duck Hub" with account hrivero@redhat.com (141.97 KB, image/png)
2015-10-21 15:24 EDT, Hugo Rivero
no flags Details

  None (edit)
Description Glen Millard 2015-10-20 14:03:22 EDT
Created attachment 1084857 [details]
Error message

Description of problem:

I cannot create a new certification on the production CWE.
When I log in using my Red Hat SSO, I get a "you do not have permissions" message


Version-Release number of selected component (if applicable):


How reproducible:

Repoducible

Steps to Reproduce:
1.Log on to the prodcution CWE - access.redhat.com
2.Browse to a vendor/ISV page
3.Click on a product
4.Select an existing Software product.
5.Click on create new cert
6.See the error result

Actual results:

Permission denied message


Expected results:

Should be able to create a cert.


Additional info:
Comment 1 MaoPeng 2015-10-21 03:31:03 EDT
Hi Glen,

Can you verify if you are in the user list of the vendor which you want to create cert for ? 
Only the sso account who is in the user list of the vendor can create cert for it.

Traivs,

Any idea about this issue?
Is Glen have the proper right to access the HAProxy products?


Thanks,
Peng Mao
Comment 2 Travis McTighe 2015-10-21 10:32:38 EDT
Peng,

The access denied is occuring when Glen gets redirected to https://hardware.redhat.com/enter.cgi?product_nid=1471483&product_type=sw&vendor_nid=1466253
Comment 3 Glen Millard 2015-10-21 13:37:45 EDT
(In reply to MaoPeng from comment #1)
> Hi Glen,
> 
> Can you verify if you are in the user list of the vendor which you want to
> create cert for ? 
> Only the sso account who is in the user list of the vendor can create cert
> for it.
> 
> Traivs,
> 
> Any idea about this issue?
> Is Glen have the proper right to access the HAProxy products?
> 
> 
> Thanks,
> Peng Mao

Peng - this is HAProxy - it was the vendor that attempted to submit the cert. I had to use the 'vendor login' feature to be able to create the cert. Otherwise, I was getting a 'permission denied' message.

The catalogue is for HAProxy:

https://access.redhat.com/ecosystem/software/1471483

The user is using the 'haproxy' userid to submit a cert from the rhcert-backend tool.

He is getting the following:
+++++++++++++++++++

Hi Glen,

I'm getting the user access errors when trying to submit the image for
the certification process:

Error: could not submit the image
Error: The username or password you entered is not valid. (300)

I'm using the haproxy username with the corresponding password we've had
on our registry -- has that been changed? I've replicated step by step
on how we've been publishing the previous images..


Kind regards,
D.
+++++++++++++++++++++++
Comment 4 Hugo Rivero 2015-10-21 15:23:02 EDT
I tried this with my account as well. I attempted to create a certification for Black Duck Hub:
https://access.redhat.com/ecosystem/software/2018643

And got a permission error. I even tried to add myself to the list of "Certification Users" for that vendor. Didn't make any difference.

This means the certification workflow is broken and partners cannot submit a new certification. This is a P1, please treat is as such.
Comment 5 Hugo Rivero 2015-10-21 15:24 EDT
Created attachment 1085271 [details]
Error message when trying to create a cert for "Black Duck Hub" with account hrivero@redhat.com
Comment 7 Hong Tao 2015-10-21 22:19:54 EDT
Hi, Travis,

This problem is caused by that 'groupMembers' attribute of each vendor has disappear. When I try to use relative link to get IBM's vendor information, it shows like following:

<vendor>
  <title>IBM</title>
  <language>en</language>
  <id>918313</id>
  <tnid>0</tnid>
  <uri>https://api.access.redhat.com/rs/ecosystem/vendors/918313</uri>    
  <viewUri>https://access.redhat.com/ecosystem/vendors/918313</viewUri>
  <tsaNetMemberLevel>Premium</tsaNetMemberLevel>
  <displayTitle>IBM</displayTitle>
  <vendorType>Certified Hardware</vendorType>
  <vendorType>Certified Software</vendorType>
  <logoUrl>https://access.redhat.com/sites/default/files/ibm_small.jpg</logoUrl></vendor>

Obviously no 'groupMembers' attribute in the xml. The node for 'Black Duck Software, Inc.' are the same, no 'groupMembers' attribute in xml. From CWE, we can determine if a user can/cannot create a cert by and only by seeing the login name is in the 'groupMembers' or not. But now the 'groupMembers' attribute disappear, all login users are not in the 'groupMembers', so no one can create cert from CWE redirected from UCC. Would you please help us to take a look in this issue? This could be a blocking issue... Thanks a lot for your kindly help!

Best Regards,
Hong Tao
Comment 8 Hugo Rivero 2015-10-22 09:37:06 EDT
Are there any workarounds to allow a Red Hat person to create a cert ID? If so, will an external user be allowed to use that cert id to submit a certification via rhcert?
Comment 9 Glen Millard 2015-10-23 08:06:14 EDT
I'm now seeing a 'broken pipe' message at the command line. Errno 32 Broken Pipe.

I cancelled the operation and I tried again.

The upload seems to be 'stuck' - 40 minutes with no activity.

Glen
Comment 10 Glen Millard 2015-10-23 08:13:44 EDT
When I attempt to submit the second time, I see the following:

Red Hat Catalog User Name: gmillard@redhat.com
response: gmillard@redhat.com

Password: 
Error: could not ftp image file: [Errno 110] Connection timed out
FTP to dropbox.redhat.com
RHEL71Vbox [root@rhel7glenI openshift-haproxy
Comment 11 MaoPeng 2015-11-11 01:03:54 EST
Please try again on web2 or partner site, we have fix that.
Comment 12 MaoPeng 2015-11-11 01:04:23 EST
Please try again on web2 or partner site, we have fix that.
Comment 13 MaoPeng 2015-11-13 01:52:53 EST
Partner site is fixed by workaround way, Live site need to be fixed by IT to change the configuration of idp.redhat.com which refuse connection request from hardware.redhat.com.
Comment 14 Suman Guha 2015-11-13 10:01:05 EST
Hi folks,

This is may or may not be related but I logged into access.redhat.com with my sso account and then I tried logging to hardware.redhat.com and got this following error on live site. (useraccount I used: sguha@redhat.com)

Software error:

Insecure dependency in piped open while running with -T switch at Catalog/Strata/StrataClient.pm line 805.

For help, please send mail to the webmaster (bugzilla-owner@redhat.com), giving this error message and the time and date of the error. 

@Mao do you think this maybe because of idp.redhat.com issue ? But I tried logging on access.stage.redhat.com and cwe stage: https://partner-hwcert.redhat.com/ it worked perfectly there.

Note You need to log in before you can comment on or make changes to this bug.