Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 661263 - Channels listed as private show up to non-trusted organizations created in RHN Satellite v5.4.0
Summary: Channels listed as private show up to non-trusted organizations created in RH...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 540
Hardware: Unspecified
OS: Unspecified
medium
urgent
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Martin Minar
URL:
Whiteboard:
Depends On:
Blocks: sat54-errata
TreeView+ depends on / blocked
 
Reported: 2010-12-08 11:13 UTC by Paresh Mutha
Modified: 2018-11-14 16:16 UTC (History)
6 users (show)

Fixed In Version: spacewalk-java-1.2.39-35
Doc Type: Bug Fix
Doc Text:
Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access.
Clone Of:
Environment:
Last Closed: 2010-12-16 15:45:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0991 0 normal SHIPPED_LIVE Red Hat Network Satellite bug fix and enhancement update 2010-12-16 15:44:21 UTC

Description Paresh Mutha 2010-12-08 11:13:10 UTC
Description of problem:
After upgrade to RHN Satellite v5.4, under the newly created organization, we can see all the channels which are marked as private from other non-trust organization.

Ideally if the Organization don't have trust and channel is private then those channels shouldn't be seem in the newly created org.

For the old organizations which were created before the upgrade to Satellite v5.4 do not have such issues. This issue is only with the newly created organizations (post-upgrade to Satellite v540)

Example: If you had MainOrg and Org1 prior to upgrade and you created Org2 after upgrade then :
(Org1 and Org2 doesn't trust any organizations)
Org2's channels page lists channels from MainOrg and Org1
whereas this Org1 doesn't list any channels from MainOrg

Version-Release number of selected component (if applicable):
RHN Satellite v5.4.0

How reproducible:
Always

Steps to Reproduce:
1] On Satellite v5.4, create a new organization
2] Fill out information (username, passwd, personal information) Click create
3] Fill out Entitlement info, Subscriptions info
Note there is no trust at all between the main org and the newly created org
5] Verify that a channel (custom in this case) is set to private and is not shared.
6] Log out and log into the newly created org
7] Go to the Channels page

Actual results:
Private channel from non-trust organization are listed on this page.

Expected results:
Channels marked private from non-trust organization shouldn't be displayed.

Comment 3 Justin Sherrill 2010-12-08 13:20:04 UTC
The odd thing about about rhnuserchannel is that neither it nor any of the views it used changed between 5.3 and 5.4.  At least according to my quick check of git.


Paresh is however pointing to the right place to start looking.

Comment 4 Clifford Perry 2010-12-10 22:59:50 UTC
I've been looking at this bug with Partha and then Justin near end of day. 

It seems when you create a new Org you get:

SQL> select * from rhnPrivateChannelFamily where org_id = '25';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1202         25                           0               0
                  0 10-DEC-10 10-DEC-10


SQL> 
SQL> select id, org_id, label from rhnChannelFamily where org_id = '25';

        ID     ORG_ID
---------- ----------
LABEL
--------------------------------------------------------------------------------
      1202         25
private-channel-family-25


SQL> 

When you add say Management entitlement - the same. 

If you then go to /rhn/admin/multiorg/OrgSoftwareSubscriptions.do

and give the new org say 7 of something, we then have:

SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members is NULL;

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1000         25                           0               0
                  0 10-DEC-10 10-DEC-10

             1202         25                           0               0
                  0 10-DEC-10 10-DEC-10


SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members != '0';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1043         25           7               0               0
                  0 10-DEC-10 10-DEC-10


SQL> 


Basically *something* somewhere is setting Max_Members to unlimtied/Null for the Private Channel Family for the base org to other Orgs. This is why new orgs created can see channels from base org, even though they had not been granted permission to do so. 

Hopefully can continue looking Monday.

Comment 5 Clifford Perry 2010-12-10 23:39:23 UTC
In 5.3 code base :

Create a new Org, no entitlements yet:

SQL> select * from rhnPrivateChannelFamily where org_id = '43';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED   MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
             1522         43                           0 10-DEC-10 10-DEC-10

Then add entitlement for software channel for anything:

SQL> /

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED   MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
             1176         43           7               0 10-DEC-10 10-DEC-10
             1522         43                           0 10-DEC-10 10-DEC-10

SQL> 

Here, we do not copy/populate everything out of base org with values set to '0' and incorrect for the private-channel for base org. 

So, we can see the end result differences. Just to track down what/where something changed, if it was FlexGuest or other code changes. 

Cliff

Comment 7 Clifford Perry 2010-12-11 05:13:15 UTC
Looking when using Admin > Subscriptions > <specific channel entitlement> and set values for multiple orgs on that page:

rhn/admin/multiorg/SoftwareEntitlementSubscriptions.do

We do not exhibit this issue. While Admin > Oraganizations > <Org Name> > Subscriptions > Software Channel Subscriptions 
 
does insert a 'bad' private channel family entry to DB for org in Q. At least from the observed behavior from looking.

Comment 9 Justin Sherrill 2010-12-13 17:57:54 UTC
Should be fixed here:

c2e182b60ac124f2660471f56b48e90251357ab4


Basically when distributing entitlements to an org, extra channel families were being included which shouldn't have been.  This patch will not fix existing orgs that have the issue, but will only fix newly created orgs.

A query will need to be run manually to fix existing orgs.

-Justin

Comment 10 Jan Pazdziora 2010-12-14 09:54:25 UTC
The fix was cherry picked to SATELLITE-5.4, a45b75ec627dec255861a2a06ab92d123dcb9ee1, sadly without -x.

It was tagged as spacewalk-java-1.2.39-35.

Comment 12 Justin Sherrill 2010-12-14 13:47:50 UTC
ack, sorry about missing the -x

Comment 15 errata-xmlrpc 2010-12-16 15:45:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0991.html

Comment 16 Jaromir Hradilek 2010-12-16 16:36:17 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access.

Comment 18 Paresh Mutha 2010-12-23 12:19:37 UTC
I believe another symptom has been fixed by this errata where under an activation key -> child channels, duplicate entries for custom/cloned channels are displayed and trying to update such activation key would result in traceback.


Note You need to log in before you can comment on or make changes to this bug.