Description of problem:
This scenario is based on RH-Personal_dev_testplan:
https://engineering.redhat.com/trac/IntegratedMgmtQE/wiki/RH-Personal_dev_testplan

The following runtime error is thrown to stdout when a username is registered as --type=person and has subscribed to RHEL Personal and then unregisters while a separate client is registered under the same username with --type=system and is consuming the RHEL Personal Bits

# subscription-manager-cli unregister
Runtime Error javax.script.ScriptException: sun.org.mozilla.javascript.WrappedException: Wrapped org.fedoraproject.candlepin.exceptions.ForbiddenException (<Unknown source>#149) in <Unknown source> at line number 149 at com.sun.script.javascript.RhinoScriptEngine.invoke:209

Version-Release number of selected component (if applicable):
Previous HEAD position was 18b0de5... Automatic commit of package [candlepin] release [0.0.29-1].
[root@jsefler-rhel6-clientpin ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.2.52ef426.fc12.i386

Steps to Reproduce:
Against an on-premises candlepin server (git tag candlepin-0.0.29-1) with my IMPORTDIR set to /root/cp_product_utils ...
I have two separate clients ...

ON FIRST CLIENT....
[root@jsefler-rhel6-client01 ~]# subscription-manager-cli register --username=testuser1 --password=password --type=person
7e75f57a-c83e-45a1-acf2-60c5d9567e30 testuser1
[root@jsefler-rhel6-client01 ~]# subscription-manager-cli list --available
self.conn <connection.Restlib object at 0x7fa1be76a390>
self.conn.cert_file /etc/pki/consumer/cert.pem /etc/pki/consumer/key.pem /etc/pki/CA/candlepin.pem
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL Personal
ProductId: RH09XYU34
PoolId: 4
Quantity: 10
Expires: 2011-08-12

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli subscribe --pool=4

ON SECOND CLIENT...
[root@jsefler-rhel6-client02 ~]# subscription-manager-cli register --username=testuser1 --password=password --type=system
40f5761c-63e8-4546-9c11-26ceb1aa7ed5 testuser1
[root@jsefler-rhel6-client02 ~]# subscription-manager-cli list --available
self.conn <connection.Restlib object at 0x1a45450>
self.conn.cert_file /etc/pki/consumer/cert.pem /etc/pki/consumer/key.pem /etc/pki/CA/candlepin.pem
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: 1
Quantity: 10
Expires: 2011-08-12

ProductName: Basic RHEL Server
ProductId: MKT-simple-rhel-server-mkt
PoolId: 2
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL Workstation
ProductId: MKT-rhel-workstation-mkt
PoolId: 3
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Physical Servers ,2 Sockets, Standard Support with High Availability,Load Balancing,Shared Storage,Large File Support,Smart Management, Flexible Hypervisor(Unlimited)
ProductId: MKT-rhel-physical-2-socket
PoolId: 5
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Physical Servers ,2 Sockets, L1-L3, Premium Support
ProductId: MKT-rhel-physical-servers-only
PoolId: 6
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Physical Servers ,4 Sockets, L1-L3, Premium Support
ProductId: MKT-rhel-physical-2-sockets-premium
PoolId: 7
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Physical Servers ,2 Sockets, L1-L3, Basic Support
ProductId: MKT-rhel-physical-2-sockets-basic
PoolId: 8
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Premium Architectures
ProductId: MKT-rhel-premium
PoolId: 10
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL for Premium Architectures, 16 socket, L1-L3, Standard support
ProductId: MKT-rhel-prem-arch-16-socket-standard
PoolId: 11
Quantity: 10
Expires: 2011-08-12

ProductName: RHEL Personal Bits
ProductId: 1144
PoolId: 13
Quantity: unlimited
Expires: 2011-08-12
[root@jsefler-rhel6-client02 ~]# subscription-manager-cli subscribe --pool=13

BACK ON FIRST CLIENT...
[root@jsefler-rhel6-client01 ~]# subscription-manager-cli unregister
Runtime Error javax.script.ScriptException: sun.org.mozilla.javascript.WrappedException: Wrapped org.fedoraproject.candlepin.exceptions.ForbiddenException (<Unknown source>#149) in <Unknown source> at line number 149 at com.sun.script.javascript.RhinoScriptEngine.invoke:209
^^ UNEXPECTED RUNTIME EXCEPTION
*** Bug 621557 has been marked as a duplicate of this bug. ***
I believe this is working as designed; the issue is a security violation. During the cleanup, we need to delete the sub-pool and thus revoke the sub-pool's entitlements. Because we're operating as the "person" consumer, our security system will (correctly) not let us modify the entitlements of the system consumer. If you attempt to unregister this person consumer by authenticating as a user or super admin, the unregister will work fine.

You can work around this very easily by doing the unregister as an owner admin:

curl -k -u username:password -X DELETE https://candlepinurl/consumers/{uuid}

Essentially this is because we're using RHSM to behave as a "person" consumer. This is not how this would normally be done as RHSM is designed for system consumers, but it is being used here as it's just the most convenient way to test this right now. Eventually personal consumers would be managed by a GUI which would be creating/deleting that consumer when authenticated as an owner admin.

So by and large I would propose that we leave this behavior be, and instead modify the code to get a better error message out? Sound ok?
Hey Devan, Using the curl command should be fine for RH-Personal on premises. We'll be looking for the RH-Personal Webui for hosted candlepin testing. Thanks!!!
Fixed in 6b8121cf54296e27ecd2b376da700b0129e6a002.

You should now get a standard ForbiddenException if you try to unbind or unregister a person consumer (as that consumer), if systems are still bound to the sub-pool. Admin unbind/unregister will still work.
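Added example, not part of the bug thread and not Candlepin's code: a simplified Python model of the rule discussed above, in which a consumer principal may not revoke another consumer's entitlements during the unregister cascade while an owner admin may. The class names, role strings, consumer ids and entitlement ids are hypothetical; pools 4 and 13 follow the report.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Stand-in for the server's ForbiddenException (HTTP 403)."""

@dataclass(frozen=True)
class Principal:
    role: str       # "consumer" or "owner_admin" (hypothetical role names)
    uuid: str = ""  # consumer identity; empty for an admin

@dataclass(frozen=True)
class Entitlement:
    id: int
    consumer: str   # uuid of the consumer holding it
    pool: int

class Server:
    def __init__(self, consumers, entitlements, sub_pools):
        self.consumers = set(consumers)
        self.entitlements = {e.id: e for e in entitlements}
        self.sub_pools = dict(sub_pools)  # sub-pool id -> source entitlement id

    def cascade(self, uuid):
        """Every entitlement that unregistering `uuid` would have to revoke."""
        own = [e for e in self.entitlements.values() if e.consumer == uuid]
        own_ids = {e.id for e in own}
        derived = {p for p, src in self.sub_pools.items() if src in own_ids}
        return own + [e for e in self.entitlements.values()
                      if e.pool in derived and e.consumer != uuid]

    def unregister(self, principal, uuid):
        doomed = self.cascade(uuid)
        if principal.role != "owner_admin":
            if principal.uuid != uuid:
                raise Forbidden("a consumer may only unregister itself")
            foreign = [e for e in doomed if e.consumer != uuid]
            if foreign:  # decide before mutating, so a denial changes nothing
                raise Forbidden("Cannot unregister due to outstanding "
                                f"entitlement: {foreign[0].id}")
        for e in doomed:
            del self.entitlements[e.id]
        self.sub_pools = {p: s for p, s in self.sub_pools.items()
                          if s in self.entitlements}
        self.consumers.discard(uuid)

def scenario():
    """Constructed state mirroring the report: pool 4 -> sub-pool 13."""
    return Server({"person-1", "system-1"},
                  [Entitlement(1, "person-1", 4), Entitlement(2, "system-1", 13)],
                  {13: 1})
```

In this model the person consumer can also unregister without an admin once the system consumer has released its sub-pool entitlement, because the cascade then touches nothing owned by another consumer.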
ON FIRST CLIENT...
[root@jsefler-rhel6-client01 ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.29.c3b1d88.fc12.i386

Following the scenario in problem description, the unregister call on the first person consumer client no longer throws a Runtime Exception. Instead here's what we get:

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli unregister
Cannot unregister due to outstanding entitlement: 9
^^^ VERIFIED no more Runtime Exception, and on the candlepin server a ForbiddenException is thrown...

ON PREMISES CANDLEPIN SERVER...
[root@jsefler-f12-candlepin ruby]# git show-ref HEAD
fdfdd379ed7a55960573e9d02a63bbd013b2b3d8 refs/remotes/origin/HEAD

VERIFIED tail -f /var/log/tomcat6/catalina.out CONTAINS THE ForbiddenException:
Sep 07 17:26:51 [http-8443-1] ERROR org.fedoraproject.candlepin.exceptions.CandlepinExceptionMapper - Runtime exception:
org.jboss.resteasy.spi.ApplicationException: org.fedoraproject.candlepin.exceptions.ForbiddenException
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:248)
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216)
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:205)
<SNIP>

Moving to VERIFIED
Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING