Bug 661263 - Channels listed as private show up to non-trusted organizations created in RHN Satellite v5.4.0
Channels listed as private show up to non-trusted organizations created in RH...
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
540
Unspecified Unspecified
medium Severity urgent
: ---
: ---
Assigned To: Jan Pazdziora
Martin Minar
:
Depends On:
Blocks: sat54-errata
  Show dependency treegraph
 
Reported: 2010-12-08 06:13 EST by Paresh Mutha
Modified: 2011-07-15 22:34 EDT (History)
5 users (show)

See Also:
Fixed In Version: spacewalk-java-1.2.39-35
Doc Type: Bug Fix
Doc Text:
Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-16 10:45:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Paresh Mutha 2010-12-08 06:13:10 EST
Description of problem:
After upgrade to RHN Satellite v5.4, under the newly created organization, we can see all the channels which are marked as private from other non-trust organization.

Ideally if the Organization don't have trust and channel is private then those channels shouldn't be seem in the newly created org.

For the old organizations which were created before the upgrade to Satellite v5.4 do not have such issues. This issue is only with the newly created organizations (post-upgrade to Satellite v540)

Example: If you had MainOrg and Org1 prior to upgrade and you created Org2 after upgrade then :
(Org1 and Org2 doesn't trust any organizations)
Org2's channels page lists channels from MainOrg and Org1
whereas this Org1 doesn't list any channels from MainOrg

Version-Release number of selected component (if applicable):
RHN Satellite v5.4.0

How reproducible:
Always

Steps to Reproduce:
1] On Satellite v5.4, create a new organization
2] Fill out information (username, passwd, personal information) Click create
3] Fill out Entitlement info, Subscriptions info
Note there is no trust at all between the main org and the newly created org
5] Verify that a channel (custom in this case) is set to private and is not shared.
6] Log out and log into the newly created org
7] Go to the Channels page

Actual results:
Private channel from non-trust organization are listed on this page.

Expected results:
Channels marked private from non-trust organization shouldn't be displayed.
Comment 3 Justin Sherrill 2010-12-08 08:20:04 EST
The odd thing about about rhnuserchannel is that neither it nor any of the views it used changed between 5.3 and 5.4.  At least according to my quick check of git.


Paresh is however pointing to the right place to start looking.
Comment 4 Clifford Perry 2010-12-10 17:59:50 EST
I've been looking at this bug with Partha and then Justin near end of day. 

It seems when you create a new Org you get:

SQL> select * from rhnPrivateChannelFamily where org_id = '25';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1202         25                           0               0
                  0 10-DEC-10 10-DEC-10


SQL> 
SQL> select id, org_id, label from rhnChannelFamily where org_id = '25';

        ID     ORG_ID
---------- ----------
LABEL
--------------------------------------------------------------------------------
      1202         25
private-channel-family-25


SQL> 

When you add say Management entitlement - the same. 

If you then go to /rhn/admin/multiorg/OrgSoftwareSubscriptions.do

and give the new org say 7 of something, we then have:

SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members is NULL;

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1000         25                           0               0
                  0 10-DEC-10 10-DEC-10

             1202         25                           0               0
                  0 10-DEC-10 10-DEC-10


SQL> select * from rhnPrivateChannelFamily where org_id = '25' and max_members != '0';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS FVE_MAX_MEMBERS
----------------- ---------- ----------- --------------- ---------------
FVE_CURRENT_MEMBERS CREATED   MODIFIED
------------------- --------- ---------
             1043         25           7               0               0
                  0 10-DEC-10 10-DEC-10


SQL> 


Basically *something* somewhere is setting Max_Members to unlimtied/Null for the Private Channel Family for the base org to other Orgs. This is why new orgs created can see channels from base org, even though they had not been granted permission to do so. 

Hopefully can continue looking Monday.
Comment 5 Clifford Perry 2010-12-10 18:39:23 EST
In 5.3 code base :

Create a new Org, no entitlements yet:

SQL> select * from rhnPrivateChannelFamily where org_id = '43';

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED   MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
             1522         43                           0 10-DEC-10 10-DEC-10

Then add entitlement for software channel for anything:

SQL> /

CHANNEL_FAMILY_ID     ORG_ID MAX_MEMBERS CURRENT_MEMBERS CREATED   MODIFIED
----------------- ---------- ----------- --------------- --------- ---------
             1176         43           7               0 10-DEC-10 10-DEC-10
             1522         43                           0 10-DEC-10 10-DEC-10

SQL> 

Here, we do not copy/populate everything out of base org with values set to '0' and incorrect for the private-channel for base org. 

So, we can see the end result differences. Just to track down what/where something changed, if it was FlexGuest or other code changes. 

Cliff
Comment 7 Clifford Perry 2010-12-11 00:13:15 EST
Looking when using Admin > Subscriptions > <specific channel entitlement> and set values for multiple orgs on that page:

rhn/admin/multiorg/SoftwareEntitlementSubscriptions.do

We do not exhibit this issue. While Admin > Oraganizations > <Org Name> > Subscriptions > Software Channel Subscriptions 
 
does insert a 'bad' private channel family entry to DB for org in Q. At least from the observed behavior from looking.
Comment 9 Justin Sherrill 2010-12-13 12:57:54 EST
Should be fixed here:

c2e182b60ac124f2660471f56b48e90251357ab4


Basically when distributing entitlements to an org, extra channel families were being included which shouldn't have been.  This patch will not fix existing orgs that have the issue, but will only fix newly created orgs.

A query will need to be run manually to fix existing orgs.

-Justin
Comment 10 Jan Pazdziora 2010-12-14 04:54:25 EST
The fix was cherry picked to SATELLITE-5.4, a45b75ec627dec255861a2a06ab92d123dcb9ee1, sadly without -x.

It was tagged as spacewalk-java-1.2.39-35.
Comment 12 Justin Sherrill 2010-12-14 08:47:50 EST
ack, sorry about missing the -x
Comment 15 errata-xmlrpc 2010-12-16 10:45:28 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0991.html
Comment 16 Jaromir Hradilek 2010-12-16 11:36:17 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, non-trusted organizations had access to channels listed as private. With this update, this error has been resolved and private channels allow only trusted organizations access.
Comment 18 Paresh Mutha 2010-12-23 07:19:37 EST
I believe another symptom has been fixed by this errata where under an activation key -> child channels, duplicate entries for custom/cloned channels are displayed and trying to update such activation key would result in traceback.

Note You need to log in before you can comment on or make changes to this bug.