Bug 2079376 - Request to remove hardcoded repo prefix "/pulp/content" from the Auth service/certificate verification service
Summary: Request to remove hardcoded repo prefix "/pulp/content" from the Auth service...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: CDS
Version: 4.1.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: 4.1.1
: 4.x
Assignee: RHUI Bug List
QA Contact: Radek Bíba
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-04-27 13:14 UTC by anujmaurya
Modified: 2022-07-19 13:04 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-19 13:03:34 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHUI-255 0 None None None 2022-05-03 18:40:21 UTC
Red Hat Product Errata RHSA-2022:5602 0 None None None 2022-07-19 13:04:27 UTC

Description anujmaurya 2022-04-27 13:14:53 UTC
Description of problem:
At present in RHUI 3, MS is using repo paths with prefix "pulp/repos" as a prefix of rhui repos. SO as to enable the migration of exiting client requests with the same content certificate, we need to call RHUI 4 CDS. We tried rewriting uri to "/pulp/content" in the nginx config but the auth service running on RHUI4 is checking "HTTP_X_ORIGINAL_URI" to get the repo path and then matches with the content certificate. Because of this, even after having the same content.crt file RHUI CDS is not able to authenticate the https requests with any URIs other than those starting with "pulp/content".

Version-Release number of selected component (if applicable):
rhui-tools-4.1.0.6-1.el8ui.noarch
rhui-installer-4.1.0.4-1.el8ui.noarch
rhui-tools-libs-4.1.0.6-1.el8ui.noarch


How reproducible:
Always

Steps to Reproduce:
1. Install RHUI 4
2. Hit RHUI 4 CDS with yum command with RHUI 3 client packages on azure or curl with repo path starting with /pulp/repos 


Actual results:
Getting 403 access denied
022-04-20 08:13:14,308 [1676943] [WARNING] Access DENIED to 52.183.63.106 for /pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml: Requested path is not a subpath of a path in the client certificate.

Expected results:
200 success since using the same content cert in rhui CDS.

Additional info:

The workaround is to configure NGinx to return "301 permanently moved" from RHUI CDS and then yum can make a call with pulp/content/ path.

Comment 5 errata-xmlrpc 2022-07-19 13:03:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHUI 4.1.1 release - Security Fixes and Enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5602


Note You need to log in before you can comment on or make changes to this bug.