This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

Bug 1977699 - [pulp3] rhsm certguard failure messages are lost in log-level debug
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: stream
Assignee: satellite6-bugs
QA Contact: sganar
URL:
Whiteboard:
Depends On:
Blocks: 1957813
 
Reported: 2021-06-30 10:02 UTC by Matthias Dellweg
Modified: 2024-06-06 01:01 UTC (History)

Fixed In Version: pulp-certguard-1.5.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-06 01:01:38 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github pulp pulp-certguard issues 145 0 None closed RHSM certguard failure messages are lost in log-level debug 2023-01-18 18:49:45 UTC
Red Hat Issue Tracker   SAT-18410 0 None Migrated None 2024-06-06 01:01:36 UTC

Description Matthias Dellweg 2021-06-30 10:02:09 UTC
Description of problem:
When a client is denied access by the rhsm-certguard, the log messages describing the reason are lost with log level debug. They should be raised to at least warning, because they tell an administrator why a client is unable to consume their subscriptions.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Subscribe a host to RH subscription content
2. Find a reason for the rhsm content guard to reject the client certificate
   Either https://bugzilla.redhat.com/show_bug.cgi?id=1977893,
   or misconfigure it, see below
3. On the host run `yum update` and observe that repodata.xml returns 403
4. In foreman-tail observe that all reasons for ^ are in log level DEBUG

Actual results:


Expected results:
Failed authentication to subscription content should be logged at a higher level, maybe WARNING.


Additional info:

  Misconfiguring may be:
  `curl -vv -k -X PATCH  --data-urlencode 'ca_certificate' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`

Comment 1 Brad Buckingham 2021-07-01 14:27:05 UTC
Hi Matthias, 

Can we provide a set of reproducer steps for QE to verify once a fix is available?  Thanks!

Comment 2 Grant Gainey 2021-07-02 12:28:17 UTC
I suspect this is a combination of https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L42 and https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L167-L169.

In the first, we only log "this doesn't even look like a cert" at debug-level.

In the second, we lose information on the specific error encountered and log "something went wrong".

Comment 3 Grant Gainey 2021-07-02 13:09:26 UTC
From discussion w/ Matthias:

certguard raises PermissionError, which is a base python error-class.  These error-messages appear to not show up in logging. Investigation needed on whether PermissionError is "special" in some way when it comes to being logged by the content-app.

NOTE: we really should not be overloading Python's file-level PermissionError this way, and instead should have our own certguard-perm-error. May want its own RFE.

See https://github.com/pulp/pulpcore/blob/master/pulpcore/content/handler.py#L296-L303 for where we might want to increase log-level.
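Added illustration of the behaviour discussed in comments 2 and 3 (not part of the comment above, and not code from pulp-certguard or pulpcore): a guard whose denial reasons are logged at a configurable level, served through a logger set to INFO. The names `CertGuardDenied`, `check_cert`, `serve` and `run`, the dict stand-in for a certificate, and the INFO logger level are assumptions made for the example.

```python
import logging

class CertGuardDenied(Exception):
    """Hypothetical guard-specific error, separate from the built-in PermissionError."""

class ListHandler(logging.Handler):
    """Collects (level, message) pairs so the visible log can be inspected."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def emit(self, record):
        self.seen.append((record.levelname, record.getMessage()))

def check_cert(cert, trusted_ca, path):
    """Stand-in for the guard: cert is a constructed dict, not real X.509."""
    if cert is None:
        raise CertGuardDenied("no client certificate presented")
    if cert["issuer"] != trusted_ca:
        raise CertGuardDenied(f"certificate issuer {cert['issuer']!r} is not trusted")
    if not any(path.startswith(p) for p in cert["paths"]):
        raise CertGuardDenied(f"certificate does not authorize {path!r}")

def serve(log, cert, trusted_ca, path, deny_level):
    """Return an HTTP status and log the denial reason at deny_level."""
    try:
        check_cert(cert, trusted_ca, path)
    except CertGuardDenied as exc:
        log.log(deny_level, "content guard denied %s: %s", path, exc)
        return 403
    return 200

def run(deny_level):
    """Serve constructed requests; return (statuses, log lines an admin would see)."""
    log = logging.getLogger(f"certguard_demo.{deny_level}")
    log.setLevel(logging.INFO)  # assumed service log level: DEBUG records are dropped
    log.propagate = False
    handler = ListHandler()
    log.handlers = [handler]
    good = {"issuer": "CN=Example CA", "paths": ["/content/dist/rhel8/"]}
    wrong_ca = {"issuer": "CN=Other CA", "paths": ["/content/dist/rhel8/"]}
    path = "/content/dist/rhel8/repodata/repomd.xml"
    requests = [(good, path), (wrong_ca, path), (None, path), (good, "/content/dist/rhel9/x")]
    statuses = [serve(log, c, "CN=Example CA", p, deny_level) for c, p in requests]
    return statuses, handler.seen

if __name__ == "__main__":
    for level in (logging.DEBUG, logging.WARNING):
        print(logging.getLevelName(level), run(level))
```

With the denial logged at DEBUG the clients still receive 403 but nothing reaches the log; at WARNING each 403 is paired with its reason.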

Comment 4 Matthias Dellweg 2021-07-13 12:49:36 UTC
Provided the steps as part of the original comment.

Comment 5 pulp-infra@redhat.com 2021-07-26 08:09:10 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2021-07-26 08:09:11 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 10 Robin Chan 2023-03-02 15:05:54 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 11 sganar 2024-04-10 08:15:05 UTC
Verified.

Tested on Satellite stream Snap 52
python3.11-pulp-certguard-1.7.1-2.el8pc.noarch

Steps followed: 
1. Subscribe a host to RH subscription content
2. Find a reason for the rhsm content guard to reject the client certificate or misconfigure it (`curl -vv -k -X PATCH  --data-urlencode 'ca_certificate' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`)
3. On the host run `yum update` and observe that repodata.xml returns 403
4. Observe foreman-tail


Observation:
The log messages describing the failure reason are logged at a higher level, WARNING.

Comment 12 Eric Helms 2024-06-06 01:01:38 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

