Bug 1455822 - [BUG] Cannot register system or query Satellite 6 api using the IDM/IPA user
Summary: [BUG] Cannot register system or query Satellite 6 api using the IDM/IPA user
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: LDAP
Version: 6.2.8
Hardware: Unspecified
OS: Unspecified
high
high with 1 vote vote
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Sanket Jagtap
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-26 08:31 UTC by vivpatil
Modified: 2019-09-14 03:33 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 21765 None None None 2017-11-26 12:45:48 UTC
Red Hat Bugzilla 1266407 None NEW IPA (external users) not able to authenticate using hammer CLI: invalid user / SSO failed 2019-09-17 15:49:28 UTC
Red Hat Bugzilla 1462635 None None None 2019-09-17 15:49:28 UTC

Internal Links: 1266407 1462635

Description vivpatil 2017-05-26 08:31:38 UTC
Description of problem:

When Satellite is integrated for external authentication with IPA using the below guide.

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-Configuring_External_Authentication-Integrate_IdM_with_Satellite

The IPA/IDM users are able to login into the Satellite Web UI . But they cannot register the client using the subscription-manager and is not able query the Satellite api. 

Version-Release number of selected component (if applicable):
Satellite 6.2.8

How reproducible:
Every time

Steps to Reproduce:
1. Configure satellite for external authentication with ipa using the below guide

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-Configuring_External_Authentication-Integrate_IdM_with_Satellite

2. Try to register one of the system using the IPA user . Or try to call the Satellite api using the curl command.

Actual results:
The IPA users are not able to register the client host to Satellite 6 and also use the api.

Expected results:

The IPA users should be able to register to the Satellite 6 using the subscription manager and call the api too.

Additional info:
[A] We see the below error while registering. 
On the client
====
Registering to: satellite.example.com:443/rhsm
Username: <username>
Password: 
Unauthorized: Invalid credentials for request.
====

In Satellite 6 foreman/production.log file
====
2017-05-26 04:23:07 [app] [I] Started GET "/rhsm/users/<user>/owners" for 192.168.124.100 at 2017-05-26 04:23:07 -0400
2017-05-26 04:23:07 [app] [I] Processing by Katello::Api::Rhsm::CandlepinProxiesController#list_owners as JSON
2017-05-26 04:23:07 [app] [I]   Parameters: {"login"=>"<user>"}
2017-05-26 04:23:07 [katello/cp_proxy] [W] SSO failed
2017-05-26 04:23:07 [app] [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.5ms)
2017-05-26 04:23:07 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:23:07 [app] [I] Completed 401 Unauthorized in 7ms (Views: 1.2ms | ActiveRecord: 0.6ms)
====

[B] Invoking api using curl
====
# curl -k -u <username>:'<password>' https://sat.example.com/api/hosts
====

Errors in production log
====
2017-05-26 04:29:09 [app] [I] Started GET "/api/hosts" for 192.168.124.100 at 2017-05-26 04:29:09 -0400
2017-05-26 04:29:09 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-05-26 04:29:09 [app] [I]   Parameters: {"apiv"=>"v2"}
2017-05-26 04:29:09 [app] [W] SSO failed
2017-05-26 04:29:09 [app] [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.4ms)
2017-05-26 04:29:09 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:29:09 [app] [I] Completed 401 Unauthorized in 4ms (Views: 1.0ms | ActiveRecord: 0.5ms)
====

Comment 10 Tomer Brisker 2017-11-26 12:45:43 UTC
Connecting redmine issue http://projects.theforeman.org/issues/21765 from this bug

Comment 11 Matt Hyclak 2018-03-02 21:05:39 UTC
Any movement on this? It is making the foreman-maintain upgrade process from 6.2 to 6.3 impossible as well as that expects hammer to work - which is not the case with External Auth enabled.

Comment 12 Bryan Kearney 2018-11-30 15:00:49 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Rich Jerrido or Bryan Kearney or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 14 Bryan Kearney 2018-12-04 17:52:46 UTC
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1462635, and we will therefore keep it.


Note You need to log in before you can comment on or make changes to this bug.