Bug 1379366 - RHUI client isn't allowed to use an unprotected repo from the configuration RPM
Summary: RHUI client isn't allowed to use an unprotected repo from the configuration RPM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: CDS
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.0.0
Assignee: RHUI Bug List
QA Contact: Radek Bíba
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-26 13:28 UTC by Radek Bíba
Modified: 2017-03-01 22:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-01 22:13:27 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0367 0 normal SHIPPED_LIVE Red Hat Update Infrastructure 3.0 Release 2017-03-02 03:05:22 UTC

Description Radek Bíba 2016-09-26 13:28:14 UTC
Description of problem:
When an unprotected repo is set up in rhui-manager and used in a client configuration RPM, yum on the client runs into a problem with the repo. Details are below.

Version-Release number of selected component (if applicable):
RHUI-3.0-RHEL-{6,7}-20160921.n.0

How reproducible:
Always.

Steps to Reproduce:
1. Create two new custom repos: one protected and one unprotected.
2. Create an entitlement certificate with the protected repo.
3. Create a client configuration RPM with both repos (and, optionally, a Red Hat repo).
4. Install the RPM on a client.
5. Run a yum command on the client.

Actual results:
The unprotected repo can't be used because yum gets an HTTP 403 error on the repodata file:

====
[root@cli01 ~]# yum repolist
Loaded plugins: search-disabled-repos
rhui-custom-prot                                       | 2.1 kB     00:00     
rhui-rhel-ha-for-rhel-7-server-rhui-rpms               | 2.0 kB     00:00     
https://cds.example.com/pulp/repos/unprot/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article

https://access.redhat.com/solutions/69319

If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.

rhui-custom-prot/primary                               | 1.0 kB     00:00     
rhui-custom-prot                                                          1/1
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_6 |  53 kB     00:00     
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                              225/225
https://cds.example.com/pulp/repos/unprot/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
repo id                                                 repo name       status
rhui-custom-prot                                        Custom Reposito   1
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64 Red Hat Enterpr 225
rhui-unprot                                             unprot            0
repolist: 226
====

Expected results:
The unprotected repo works. (I have one package in it.)

Additional info:
The following lines appear in /var/log/httpd/cds.example.com_access_ssl.log on the CDS:

10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/mirror/prot HTTP/1.1" 200 39 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/mirror//content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os HTTP/1.1" 200 101 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/mirror/unprot HTTP/1.1" 200 41 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/repos/prot/repodata/3cf255d0673b9e9c483c2553e34674262eac85260fb95135a9d1b0e0e30bc2f2-primary.xml.gz HTTP/1.1" 200 1015 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:04 -0400] "GET /pulp/repos/unprot/repodata/repomd.xml HTTP/1.1" 403 239 "-" "urlgrabber/3.10 yum/3.4.3"

And these lines appear in /var/log/httpd/cds.example.com_error_ssl.log:

[Mon Sep 26 04:06:04.350076 2016] [:error] [pid 12894] [client 10.120.47.158:55871] Request denied to destination [/pulp/repos/unprot/repodata/repomd.xml]Client certificate failed extension check for destination: /pulp/repos/unprot/repodata/repomd.xml
[Mon Sep 26 04:06:04.350113 2016] [:error] [pid 12894] [client 10.120.47.158:55871] mod_wsgi (pid=12894): Client denied by server configuration: '/var/lib/pulp/published/yum/https/repos/unprot/repodata/repomd.xml'.

Comment 1 Radek Bíba 2016-09-26 13:40:31 UTC
FWIW:

[root@cli01 ~]# cat /etc/yum.repos.d/rh-cloud.repo 
[rhui-custom-prot]
name=Custom Repositories - prot
mirrorlist=https://cds.example.com/pulp/mirror/prot
enabled=1
gpgcheck=0
sslverify=1
sslcacert=/etc/pki/rhui/ca.crt
sslclientcert=/etc/pki/rhui/product/content.crt
sslclientkey=/etc/pki/rhui/key.pem

[rhui-rhel-ha-for-rhel-7-server-rhui-rpms]
name=Red Hat Enterprise Linux High Availability (for RHEL 7 Server) (RPMs) from RHUI
mirrorlist=https://cds.example.com/pulp/mirror//content/dist/rhel/rhui/server/7/$releasever/$basearch/highavailability/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/rhui/ca.crt
sslclientcert=/etc/pki/rhui/product/content.crt
sslclientkey=/etc/pki/rhui/key.pem

[rhui-unprot]
name=unprot
mirrorlist=https://cds.example.com/pulp/mirror/unprot
enabled=1
gpgcheck=0
sslverify=1
sslcacert=/etc/pki/rhui/ca.crt
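
Added example, not part of the original report or of RHUI: a triage helper that correlates the client .repo file above with the CDS access log from the description, separating a 403 on a repo that sends no client certificate (the signature of this bug) from a 403 on a certificate-protected repo. The function names are hypothetical, and the sketch assumes repo paths without yum variables such as $releasever.

```python
import configparser
import re
from urllib.parse import urlparse

# Trimmed copies of the .repo file and access-log lines quoted in this report.
REPO_FILE = """\
[rhui-custom-prot]
mirrorlist=https://cds.example.com/pulp/mirror/prot
sslclientcert=/etc/pki/rhui/product/content.crt

[rhui-unprot]
mirrorlist=https://cds.example.com/pulp/mirror/unprot
sslcacert=/etc/pki/rhui/ca.crt
"""
ACCESS_LOG = """\
10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/mirror/unprot HTTP/1.1" 200 41 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:03 -0400] "GET /pulp/repos/prot/repodata/3cf255d0673b9e9c483c2553e34674262eac85260fb95135a9d1b0e0e30bc2f2-primary.xml.gz HTTP/1.1" 200 1015 "-" "urlgrabber/3.10 yum/3.4.3"
10.120.47.158 - - [26/Sep/2016:04:06:04 -0400] "GET /pulp/repos/unprot/repodata/repomd.xml HTTP/1.1" 403 239 "-" "urlgrabber/3.10 yum/3.4.3"
"""
REQUEST = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def repos_by_path(repo_text):
    """Map each repo's CDS-relative path to (repo id, sends a client cert?)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    result = {}
    for repo_id in cfg.sections():
        url_path = urlparse(cfg[repo_id]["mirrorlist"]).path
        rel = url_path.split("/pulp/mirror/", 1)[1].strip("/")
        result[rel] = (repo_id, cfg.has_option(repo_id, "sslclientcert"))
    return result

def classify_denials(repo_text, log_text):
    """Return (repo id, request path, verdict) for each 403 under /pulp/repos/."""
    repos = repos_by_path(repo_text)
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m or m["status"] != "403":
            continue
        if not m["path"].startswith("/pulp/repos/"):
            continue
        rel = m["path"][len("/pulp/repos/"):]
        for repo_path, (repo_id, has_cert) in repos.items():
            if rel.startswith(repo_path + "/"):
                verdict = ("check entitlement certificate" if has_cert
                           else "unprotected repo hit the certificate check")
                findings.append((repo_id, m["path"], verdict))
    return findings
```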

Comment 4 Radek Bíba 2016-10-26 13:38:21 UTC
Fix confirmed in the 20161025 compose:

[root@cli01 ~]# yum repolist enabled
Loaded plugins: search-disabled-repos
rhui-custom-prot                                       | 2.1 kB     00:00     
rhui-rhel-ha-for-rhel-7-server-rhui-rpms               | 2.0 kB     00:00     
rhui-unprot                                            | 2.1 kB     00:00     
(1/9): rhui-custom-prot/updateinfo                       |   93 B   00:00     
(2/9): rhui-custom-prot/group                            |  130 B   00:00     
(3/9): rhui-custom-prot/primary                          | 1.3 kB   00:00     
(4/9): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/ |  11 kB   00:00     
(5/9): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/ |  42 kB   00:00     
(6/9): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/ |  53 kB   00:00     
(7/9): rhui-unprot/updateinfo                            |   93 B   00:00     
(8/9): rhui-unprot/group                                 |  130 B   00:00     
(9/9): rhui-unprot/primary                               | 1.0 kB   00:00     
rhui-custom-prot                                                          1/1
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                              225/225
rhui-unprot                                                               1/1
repo id                                                 repo name       status
rhui-custom-prot                                        Custom Reposito   1
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64 Red Hat Enterpr 225
rhui-unprot                                             Unprotected Rep   1
repolist: 227

The client node is also able to download packages from both custom repos, and no problem is logged in the cds.example.com_error_ssl.log files on the CDSes anymore.

RHEL 6 is also good.

Thanks!

Comment 5 errata-xmlrpc 2017-03-01 22:13:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367

