Description of problem:

[root@preethi ~]# pulp-admin -u admin -p admin consumer bind --id=pulp-client --repoid=f14
Successfully subscribed consumer [pulp-client] to repo [f14]

[root@preethi ~]# rpm -q pulp
pulp-0.0.132-1.fc14.noarch

From the client.log on the remote client

2011-01-28 09:31:52,046 [INFO][pulp-client] received() @ consumer.py:159 - {pulp-client} received:
{
  "origin": "9a5c2a44-0f1d-4fb0-ba21-2cc64eb8cc21",
  "window": {},
  "version": "0.2",
  "sn": "b19d2361-9b59-4e55-9a68-8661ee150d5a",
  "replyto": null,
  "request": {
    "classname": "Repo",
    "kws": {},
    "args": [],
    "method": "update"
  },
  "any": null
}
2011-01-28 09:31:52,048 [INFO][pulp-client] dispatch() @ dispatcher.py:287 - dispatching:
{
  "classname": "Repo",
  "kws": {},
  "args": [],
  "method": "update"
}
2011-01-28 09:31:52,049 [INFO][pulp-client] update() @ pulp.py:127 - updating yum repo
2011-01-28 09:31:52,051 [INFO][pulp-client] setUp() @ connection.py:168 - Connection Established for cli: Host: preethi.usersys.redhat.com, Port: 443, handler: /pulp/api
2011-01-28 09:31:52,051 [INFO][pulp-client] setUp() @ connection.py:170 - Using cert_file: /root/.pulp/user-cert.pem and key_file: /root/.pulp/user-key.pem
2011-01-28 09:31:52,052 [INFO][pulp-client] setUp() @ connection.py:168 - Connection Established for cli: Host: preethi.usersys.redhat.com, Port: 443, handler: /pulp/api
2011-01-28 09:31:52,053 [INFO][pulp-client] setUp() @ connection.py:170 - Using cert_file: /root/.pulp/user-cert.pem and key_file: /root/.pulp/user-key.pem
2011-01-28 09:31:52,054 [INFO][pulp-client] _request() @ connection.py:99 - Using SSLv3 context
2011-01-28 09:31:52,392 [ERROR][pulp-client] __call__() @ dispatcher.py:255 - 401: Authorization failed. Check your username and password or your certificate
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/gofer/messaging/dispatcher.py", line 252, in __call__
    retval = method(*args, **keywords)
  File "/usr/lib/gofer/plugins/pulp.py", line 129, in update
    rlib.update()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 67, in update
    return action.perform()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 134, in perform
    for cont in self.getUniqueContent():
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 157, in getUniqueContent
    products = self.pulp.getProducts()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 92, in getProducts
    consumer = self.capi.consumer(cid)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 418, in consumer
    consumer = self.conn.request_get(method)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 126, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 114, in _request
    self.validateResponse(response)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 122, in validateResponse
    raise RestlibException(response.status, response.read())
RestlibException: 401: Authorization failed. Check your username and password or your certificate
2011-01-28 09:31:52,426 [INFO][pulp-client] run() @ consumer.py:65 - ready

From the pulp.log on the server

2011-01-28 09:35:17,217 [ERROR][Dummy-2] check_admin_cert() @ role_check.py:207 - ID in admin certificate for user [admin] was incorrect
2011-01-28 09:35:17,233 [ERROR][Dummy-2] check_consumer() @ role_check.py:409 - Consumer with id [admin:admin:ba1a17a1-aedc-4c67-8863-66eab97c4926] does not exist
Basically, this is a sequencing problem. To support pulp-admin, we make an asynchronous RMI request that notifies that consumer (agent) that it has been deleted. The method cleans up artefacts such as /etc/pki/consumer/*. But, since pulp-client deletes them locally first, the pulp agent (via gofer) unsubscribes from the queue BEFORE processing the RMI request. So, when the consumer is then re-created with the same consumer ID, the first thing it does is consume the RMI request and delete the consumer certificates meant to clean up the previous registration. Then as part of registration, the pulp-client does a local call to RepoLib to update the repo and since the consumer cert is gone, it attempts to use the admin cert.

using: PULP-ADMIN
1) (user) 'pulp-client consumer delete'
2) pulp-admin --> API(delete consumer '123')
3) pulp (agent) <-- API(consumer '123' deleted)
4) pulp (agent) delete /etc/pki/consumer/*
5) pulp (agent) unsubscribes to queue='123'
...
6) create consumer '123'
.. all is good ..

using: PULP-CLIENT
1) (user) 'pulp-client consumer delete'
2) pulp-client delete /etc/pki/consumer/*
3) pulp (agent) unsubscribes to queue='123'
4) pulp-client --> API(delete consumer '123')
5) pulp (agent) <-- API(consumer '123' deleted)
   ** RMI:request queued but the agent has already unsubscribed.
---------------
6) (user) 'pulp consumer create --id=123'
7) pulp-client --> API(create consumer '123')
8) pulp-client write key/cert to /etc/pki/consumer/
9) pulp (agent) subscribes to queue=123
10) pulp (agent) delete /etc/pki/consumer/*   ## FINDS UNCONSUMED DELETE REQUEST
11) pulp (agent) unsubscribes to queue='123'
12) pulp-client update repo: --> API(give me repo data)
    No consumer certificate, so admin (user) cert is sent and bam.
Storing the consumer key & cert on the Consumer in DB. Then when the consumer is deleted, those credentials are sent to the consumer when notified that it has been deleted. That way, the agent can determine whether or not to clean up artefacts. If the /etc/pki/consumer credentials don't match, nothing is cleaned up. Also, added delete of the pulp.repo file when a consumer is deleted. Fixed: 103468101dd044ae1af170ae272d1035f5555065
Fixed in 0.134.
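
The stale-notification sequence and the credential check described in the comments above, replayed as a small simulation. This is an added example, not code from Pulp or gofer; the Broker and Agent classes, the function names and the credential strings are constructed for illustration.

```python
import hmac
from collections import defaultdict, deque


class Broker:
    """Per-consumer queues that hold messages while the agent is unsubscribed."""

    def __init__(self):
        self.queues = defaultdict(deque)

    def send(self, consumer_id, message):
        self.queues[consumer_id].append(message)

    def drain(self, consumer_id):
        queue = self.queues[consumer_id]
        while queue:
            yield queue.popleft()


class Agent:
    def __init__(self, verify_credentials):
        self.verify_credentials = verify_credentials
        self.local_creds = None  # stands in for /etc/pki/consumer/*

    def on_deleted(self, message):
        """Handle a 'consumer deleted' notification; return True if cleaned up."""
        if self.verify_credentials:
            sent = message.get("creds")
            if not (sent and self.local_creds
                    and hmac.compare_digest(sent, self.local_creds)):
                return False  # notification belongs to another registration
        self.local_creds = None
        return True


def reregister_after_client_delete(verify_credentials):
    """Replay the PULP-CLIENT sequence; return the credentials left on disk."""
    broker, agent, cid = Broker(), Agent(verify_credentials), "123"
    db = {cid: "constructed-key+cert-A"}       # first registration (constructed value)
    agent.local_creds = None                   # client deletes local files first
    broker.send(cid, {"event": "deleted", "creds": db.pop(cid)})  # agent unsubscribed
    db[cid] = agent.local_creds = "constructed-key+cert-B"        # re-create '123'
    for message in broker.drain(cid):          # agent re-subscribes, finds stale delete
        agent.on_deleted(message)
    return agent.local_creds


def admin_delete(verify_credentials):
    """Replay the PULP-ADMIN sequence: agent still holds the matching credentials."""
    agent = Agent(verify_credentials)
    agent.local_creds = "constructed-key+cert-A"
    return agent.on_deleted({"event": "deleted", "creds": "constructed-key+cert-A"})
```

With verify_credentials=False the new registration's credentials are wiped by the queued delete, which is the state in which the client falls back to the admin certificate; with the check enabled the stale notification is ignored while a genuine delete is still cleaned up.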
fails_qa

steps
1. user pulp client create --id= 123
2. user pulp-client delete
3. user pulp-client create --id=123
4. server pulp-admin consumer bind

see the following in my pulp client log of my remote server

2011-02-03 10:33:48,393 [ERROR][remote_client] __call__() @ dispatcher.py:255 - 401: Authorization failed. Check your username and password or your certificate
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/gofer/messaging/dispatcher.py", line 252, in __call__
    retval = method(*args, **keywords)
  File "/usr/lib/gofer/plugins/pulp.py", line 137, in update
    rlib.update()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 67, in update
    return action.perform()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 147, in perform
    for cont in self.getUniqueContent():
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 170, in getUniqueContent
    products = self.pulp.getProducts()
  File "/usr/lib/python2.7/site-packages/pulp/client/repolib.py", line 104, in getProducts
    consumer = self.capi.consumer(cid)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 415, in consumer
    consumer = self.conn.request_get(method)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 126, in request_get
    return self._request("GET", method)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 114, in _request
    self.validateResponse(response)
  File "/usr/lib/python2.7/site-packages/pulp/client/connection.py", line 122, in validateResponse
    raise RestlibException(response.status, response.read())
RestlibException: 401: Authorization failed. Check your username and password or your certificate
2011-02-03 10:33:48,419 [INFO][remote_client] run() @ consumer.py:65 - ready
After investigation on the test box, it seems the admin cert was not valid for your pulp server. Since the client sends the "best" cert, it was sending that one when retrieving the repo data and it was rejected. We need to revise how we handle credentials on the client but that is not related to this bug. I did an 'auth logout' and re-ran your test and it worked. Please retest.
verified

[root@pulp-qe ~]# rpm -q pulp
pulp-0.0.135-1.fc13.noarch
Closing with Community Release 15 pulp-0.0.223-4.