Description of problem:
When a client is denied access by the rhsm-certguard, the log messages describing the reason are lost with log level debug. They should be raised to at least warning, because they tell an administrator why a client is unable to consume their subscriptions.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Subscribe a host to RH subscription content
2. Find a reason for the rhsm content guard to reject the client certificate
   Either https://bugzilla.redhat.com/show_bug.cgi?id=1977893, or misconfigure it, see below
3. On the host run `yum update` and observe that repodata.xml returns 403
4. In foreman-tail observe that all reasons for ^ are in log level DEBUG

Actual results:

Expected results:
Failed authentication to subscription content should be logged at a higher level, maybe WARNING.

Additional info:
Misconfiguring may be:
`curl -vv -k -X PATCH --data-urlencode 'ca_certificate' --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key "https://localhost/pulp/api/v3/contentguards/certguard/rhsm/<UUID>/"`
Hi Matthias, Can we provide a set of reproducer steps for QE to verify once a fix is available? Thanks!
I suspect this is a combination of https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L42 and https://github.com/pulp/pulp-certguard/blob/master/pulp_certguard/app/models.py#L167-L169. In the first, we only log "this doesn't even look like a cert" at debug-level. In the second, we lose information on the specific error encountered and log "something went wrong".
From discussion w/ Matthias: certguard raises PermissionError, which is a base python error-class. These error-messages appear to not show up in logging. Investigation needed on whether PermissionError is "special" in some way when it comes to being logged by the content-app. NOTE: we really should not be overloading python's file-level PermissionError this way, and instead should have our own certguard-perm-error. May want its own RFE. See https://github.com/pulp/pulpcore/blob/master/pulpcore/content/handler.py#L296-L303 for where we might want to increase log-level.
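Added example, not part of the original thread and not Pulp's code: a minimal Python sketch of the behaviour discussed above, showing that a guard denial logged at DEBUG is invisible under an INFO-level logger while the same denial at WARNING reaches the administrator. `CertGuardDenied`, `permit`, `serve` and the sample certificates are hypothetical names and constructed inputs.

```python
import logging


class CertGuardDenied(PermissionError):
    """Hypothetical dedicated error, distinct from file-level PermissionError."""


def permit(cert_pem):
    # Hypothetical stand-in for a content guard check; real validation omitted.
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise CertGuardDenied("client certificate is not PEM encoded")
    if "constructed-untrusted" in cert_pem:
        raise CertGuardDenied("client certificate is not signed by the configured CA")


def serve(cert_pem, log, denial_level):
    # Hypothetical handler: map a guard denial to HTTP 403 and log the reason.
    try:
        permit(cert_pem)
    except PermissionError as exc:
        log.log(denial_level, "content guard denied request: %s", exc)
        return 403
    return 200


class Capture(logging.Handler):
    """Collects what would reach the log file."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(f"{record.levelname} {record.getMessage()}")


def visible_lines(denial_level, configured_level=logging.INFO):
    """Return (statuses, log lines an admin sees) for constructed requests."""
    log = logging.getLogger("certguard_demo")
    log.setLevel(configured_level)
    log.propagate = False
    log.handlers.clear()
    capture = Capture()
    log.addHandler(capture)
    requests = [  # constructed sample inputs, not real certificates
        "not a cert",
        "-----BEGIN CERTIFICATE-----constructed-untrusted",
        "-----BEGIN CERTIFICATE-----constructed-ok",
    ]
    return [serve(r, log, denial_level) for r in requests], capture.lines


if __name__ == "__main__":
    for level in (logging.DEBUG, logging.WARNING):
        print(logging.getLevelName(level), visible_lines(level))
```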
Provided the steps as part of the original comment.
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.