Bug 624063 - Runtime Error thrown when unregistering a "person" consumer while one of his "system"'s is registered and consuming RHEL Personal Bits
Runtime Error thrown when unregistering a "person" consumer while one of his ...
Status: RELEASE_PENDING
Product: Candlepin
Classification: Community
Component: candlepin (Show other bugs)
0.5
All Linux
low Severity medium
: ---
: ---
Assigned To: Devan Goodwin
John Sefler
:
: 621557 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-13 10:43 EDT by John Sefler
Modified: 2015-05-14 11:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Sefler 2010-08-13 10:43:14 EDT
Description of problem:
This scenario is based on RH-Personal_dev_testplan:
https://engineering.redhat.com/trac/IntegratedMgmtQE/wiki/RH-Personal_dev_testplan

The following runtime error is thrown to stdout when a username is registered as --type=person and has subscribed to RHEL Personal and then unregisters while a separate client is registered under the same username with --type=system and is consuming the RHEL Personal Bits

# subscription-manager-cli unregister
Runtime Error javax.script.ScriptException: sun.org.mozilla.javascript.WrappedException: Wrapped org.fedoraproject.candlepin.exceptions.ForbiddenException (<Unknown source>#149) in <Unknown source> at line number 149 at com.sun.script.javascript.RhinoScriptEngine.invoke:209


Version-Release number of selected component (if applicable):
Previous HEAD position was 18b0de5... Automatic commit of package [candlepin] release [0.0.29-1].
[root@jsefler-rhel6-clientpin ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.2.52ef426.fc12.i386




Steps to Reproduce:
Against an on-premises candlepin server (git tag candlepin-0.0.29-1) with my IMPORTDIR set to /root/cp_product_utils ...
I have two separate clients ...


ON FIRST CLIENT....

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli register --username=testuser1 --password=password --type=person
7e75f57a-c83e-45a1-acf2-60c5d9567e30 testuser1
[root@jsefler-rhel6-client01 ~]# subscription-manager-cli list --available
self.conn <connection.Restlib object at 0x7fa1be76a390>
self.conn.cert_file /etc/pki/consumer/cert.pem /etc/pki/consumer/key.pem /etc/pki/CA/candlepin.pem
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+


ProductName:       	RHEL Personal            
ProductId:         	RH09XYU34                
PoolId:            	4                        
Quantity:          	10                       
Expires:           	2011-08-12               

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli subscribe --pool=4


ON SECOND CLIENT...

[root@jsefler-rhel6-client02 ~]# subscription-manager-cli register --username=testuser1 --password=password --type=system
40f5761c-63e8-4546-9c11-26ceb1aa7ed5 testuser1
[root@jsefler-rhel6-client02 ~]# subscription-manager-cli list --available
self.conn <connection.Restlib object at 0x1a45450>
self.conn.cert_file /etc/pki/consumer/cert.pem /etc/pki/consumer/key.pem /etc/pki/CA/candlepin.pem
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+


ProductName:       	RHEL for Physical Servers
ProductId:         	MKT-rhel-server          
PoolId:            	1                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	Basic RHEL Server        
ProductId:         	MKT-simple-rhel-server-mkt
PoolId:            	2                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL Workstation         
ProductId:         	MKT-rhel-workstation-mkt 
PoolId:            	3                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Physical Servers ,2 Sockets, Standard Support with
                        High Availability,Load Balancing,Shared Storage,Large File
                        Support,Smart Management, Flexible Hypervisor(Unlimited)
ProductId:         	MKT-rhel-physical-2-socket
PoolId:            	5                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Physical Servers ,2 Sockets, L1-L3, Premium Support
ProductId:         	MKT-rhel-physical-servers-only
PoolId:            	6                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Physical Servers ,4 Sockets, L1-L3, Premium Support
ProductId:         	MKT-rhel-physical-2-sockets-premium
PoolId:            	7                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Physical Servers ,2 Sockets, L1-L3, Basic Support
ProductId:         	MKT-rhel-physical-2-sockets-basic
PoolId:            	8                        
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Premium Architectures
ProductId:         	MKT-rhel-premium         
PoolId:            	10                       
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL for Premium Architectures, 16 socket, L1-L3, Standard
                        support
ProductId:         	MKT-rhel-prem-arch-16-socket-standard
PoolId:            	11                       
Quantity:          	10                       
Expires:           	2011-08-12               


ProductName:       	RHEL Personal Bits       
ProductId:         	1144                     
PoolId:            	13                       
Quantity:          	unlimited                
Expires:           	2011-08-12               

[root@jsefler-rhel6-client02 ~]# subscription-manager-cli subscribe --pool=13


BACK ON FIRST CLIENT...

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli unregister
Runtime Error javax.script.ScriptException: sun.org.mozilla.javascript.WrappedException: Wrapped org.fedoraproject.candlepin.exceptions.ForbiddenException (<Unknown source>#149) in <Unknown source> at line number 149 at com.sun.script.javascript.RhinoScriptEngine.invoke:209

^^ UNEXPECTED RUNTIME EXCEPTION
Comment 1 Devan Goodwin 2010-08-31 14:31:31 EDT
*** Bug 621557 has been marked as a duplicate of this bug. ***
Comment 2 Devan Goodwin 2010-08-31 14:39:01 EDT
I believe this is working as designed, the issue is a security violation.

During the cleanup, we need to delete the sub-pool and thus revoke the sub-pool's entitlements. Because we're operating as the "person" consumer, our security system will (correctly) not let us modify the entitlements of the system consumer.

If you attempt to unregister this person consumer by authenticating as a user or super admin, the unregister will work fine.

You can work around this very easily by doing the unregister as an owner admin:

curl -k -u username:password -X delete https://candlepinurl/consumers/{uuid}

Essentially this is because we're using RHSM to behave as a "person" consumer. This is not how this would normally be done as RHSM is designed for system consumers, but being used here as it's just the most convenient way to test this right now. Eventually personal consumers would be managed by a GUI which would be creating/deleting that consumer when authenticated as an owner admin.

So by and large I would propose that we leave this behavior be, and instead modify the code to get a better error message out? Sound ok?
Comment 3 John Sefler 2010-08-31 17:51:41 EDT
Hey Devan,

Using the curl command should be fine for RH-Personal on premises. We'll be looking for the RH-Personal Webui for hosted candlepin testing.

Thanks!!!
Comment 4 Devan Goodwin 2010-09-01 15:06:01 EDT
fixed in 6b8121cf54296e27ecd2b376da700b0129e6a002

You should now get a standard ForbiddenException if you try to unbind or unregister a person consumer (as that consumer), if systems are still bound to the sub-pool.

Admin unbind/unregister will still work.
Comment 5 John Sefler 2010-09-07 17:35:27 EDT
ON FIRST CLIENT...

[root@jsefler-rhel6-client01 ~]# rpm -q subscription-manager
subscription-manager-0.75-1.git.29.c3b1d88.fc12.i386

Following the scenario in problem description, the unregister call on the first person consumer client no longer throws a Runtime Exception.  Instead here's what we get:

[root@jsefler-rhel6-client01 ~]# subscription-manager-cli unregister
Cannot unregister due to outstanding entitlement: 9

^^^ VERIFIED no more Runtime Exception,
and on the candlepin server a ForbiddenException is thrown...

ON PREMISES CANDLEPIN SERVER...
[root@jsefler-f12-candlepin ruby]# git show-ref HEAD
fdfdd379ed7a55960573e9d02a63bbd013b2b3d8 refs/remotes/origin/HEAD


VERIFIED  tail -f /var/log/tomcat6/catalina.out  CONTAINS THE ForbiddenException:
Sep 07 17:26:51 [http-8443-1] ERROR org.fedoraproject.candlepin.exceptions.CandlepinExceptionMapper - Runtime exception:
org.jboss.resteasy.spi.ApplicationException: org.fedoraproject.candlepin.exceptions.ForbiddenException
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:248)
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216)
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:205)

<SNIP>


Moving to VERIFIED
Comment 6 John Sefler 2011-05-04 10:40:52 EDT
Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING

Note You need to log in before you can comment on or make changes to this bug.