Bug 707641 - CLI auto-subscribe tries to re-use basic auth credentials.
Summary: CLI auto-subscribe tries to re-use basic auth credentials.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Bryan Kearney
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel62 743047
Reported: 2011-05-25 15:39 UTC by Devan Goodwin
Modified: 2011-12-06 17:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 17:14:39 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1695 0 normal SHIPPED_LIVE subscription-manager bug fix and enhancement update 2011-12-06 01:23:29 UTC

Description Devan Goodwin 2011-05-25 15:39:38 UTC
Description of problem:

Doing a register with auto-subscribe on the CLI does not properly reset the credentials after the registration completes (before attempting the separate auto-subscribe request).

Version-Release number of selected component (if applicable):



How reproducible:

100%, but it may technically work in most deployments, it just shouldn't be using basic auth.

Steps to Reproduce:
1. subscription-manager register --autosubscribe
  
Actual results:

This will technically work in a devel deployment, and even in hosted they are making changes to allow basic auth for auto-subscribe calls. However, it should not be using basic auth for the auto-subscribe request. The type of auth will have to be verified in server logs.

Expected results:

Registration should complete, identity cert should be loaded as the credential for all future candlepin requests.

Additional info:

I believe the GUI is doing this correctly, in managergui.py you will see something like this:

    self.backend.create_admin_uep(username=username,
                                  password=password)
    newAccount = self.backend.admin_uep.registerConsumer(name=consumername,
                                                         facts=self.facts.get_facts())
    managerlib.persist_consumer_cert(newAccount)
    self.consumer.reload()
    if self.auto_subscribe():

We should probably verify the GUI is doing the right thing, and if so, make the CLI behave the same.

Comment 4 Devan Goodwin 2011-09-12 13:45:24 UTC
You can verify against a local candlepin by registering with autosubscribe, and checking /var/log/tomcat6/catalina.out. Look for the request to: /consumers/531c1021-fd58-453b-9c0d-e2838d99ccdf/entitlements

I just tried and see this:

Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/531c1021-fd58-453b-9c0d-e2838d99ccdf/entitlements
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: admin - password of length #5 = <omitted>
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'admin
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public javax.ws.rs.core.Response org.fedoraproject.candlepin.resource.ConsumerResource.bind(java.lang.String,java.lang.String,java.lang.String[],java.lang.Integer,java.lang.String,java.lang.String,boolean)
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Verifying ALL access to class org.fedoraproject.candlepin.model.Consumer: 531c1021-fd58-453b-9c0d-e2838d99ccdf


In here you can see BasicAuth creating the principal, which I believe is a strong indication this is not even fixed.

Will: need to assign the tickets to yourself when you fix them, and add a comment with the git hash after you've pushed to master, and any notes that might be useful to QE or for historical purposes. This looks like it's not working as far as I can tell.

Comment 5 J.C. Molet 2011-09-12 15:16:31 UTC
QE has replicated what appears in comment 4 exactly.  Failing QA, I'm pushing this back to NEW.

Comment 7 William Poteat 2011-09-23 11:49:49 UTC
Master:

Author: William Poteat <wpoteat>
Date:   Mon Sep 12 10:51:03 2011 -0400

    707641: CLI auto-subscribe tries to re-use basic auth credentials.
    
    730020: Subscription-manager configuration should not allow list and modify in single command.

commit adab5e37024cf2a52e40cd37bfc447fc795d1244


RHEL6.2:

Author: William Poteat <wpoteat>
Date:   Mon Sep 12 10:51:03 2011 -0400

    707641: CLI auto-subscribe tries to re-use basic auth credentials.
    
    730020: Subscription-manager configuration should not allow list and modify in single command.

commit adab5e37024cf2a52e40cd37bfc447fc795d1244

Comment 8 John Sefler 2011-09-23 15:28:10 UTC
Verifying Version...
[root@jsefler-onprem-62server ~]# rpm -q subscription-manager
subscription-manager-0.96.11-1.el6.x86_64
[root@jsefler-onprem-62server ~]# curl -k https://jsefler-onprem-62candlepin.usersys.redhat.com:8443/candlepin/status
{"version":"0.4.17","result":true,"release":"1"}


Following Devan's test strategy in comment 4, I registered with autosubscribe on a client...
[root@jsefler-onprem-62server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --autosubscribe
The system has been registered with id: c06d6b7e-f143-4f95-adfe-de28adb48f78 
... and then parsed the following output from tail -f /var/log/tomcat6/catalina.out in search of log blocks beginning with "Authentication check for"




Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: testuser1 - password of length #8 = <omitted>
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'testuser1
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.RootResource.getRootResources()
Sep 23 10:48:44 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - 

^^^ HERE interceptor.BasicAuth IS BEING USED AGAINST / WHICH MAKES SENSE



Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: testuser1 - password of length #8 = <omitted>
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'testuser1
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public org.fedoraproject.candlepin.model.Consumer org.fedoraproject.candlepin.resource.ConsumerResource.create(org.fedoraproject.candlepin.model.Consumer,org.fedoraproject.candlepin.auth.Principal,java.lang.String,java.lang.String,java.lang.String) throws org.fedoraproject.candlepin.exceptions.BadRequestException
Sep 23 10:48:45 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal - org.fedoraproject.candlepin.auth.UserPrincipal principal checking for access to: Owner [name = Admin Owner, key = admin, id = 8a90f8c63296bc55013296bcd0890006]
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal -  perm class: org.fedoraproject.candlepin.model.OwnerPermission
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal -   permission granted

^^^ HERE interceptor.BasicAuth IS BEING USED AGAINST /consumers ALSO MAKES SENSE AS WE ARE ABOUT TO CREATE A CONSUMER



Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.RootResource.getRootResources()
Sep 23 10:48:47 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - 

^^^ HERE interceptor.ConsumerAuth IS BEING USED AGAINST / BECAUSE NOW THE CONSUMER HAS BEEN CREATED AND ACTUALLY HAS A CERT THAT CAN BE USED FOR AUTHENTICATION - THAT's GOOD



org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/entitlements
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public javax.ws.rs.core.Response org.fedoraproject.candlepin.resource.ConsumerResource.bind(java.lang.String,java.lang.String,java.lang.String[],java.lang.Integer,java.lang.String,java.lang.String,boolean)
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US

^^^ HERE interceptor.ConsumerAuth IS BEING USED AGAINST /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78 - THAT's GOOD TOO



Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/certificates/serials
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.ConsumerResource.getEntitlementCertificateSerials(java.lang.String)
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US

^^^ FINALLY interceptor.ConsumerAuth IS BEING USED AGAINST /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/certificates/serials - THAT's GREAT



Moving to VERIFIED. ConsumerAuth is being used by the client after BasicAuth is used to obtain a consumer cert.
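
The manual log check described in comments 4 and 8 can be automated. The following is an added example, not part of the original bug report and not code from subscription-manager or candlepin: it pairs each "Authentication check for" line with the interceptor that created the principal on the same Tomcat thread, and reports consumer-scoped requests that were served with BasicAuth. The function names and the sample log are constructed for illustration, and the matching assumes the DEBUG line wording quoted in this bug.

```python
import re

# Line shapes follow the candlepin DEBUG output quoted in this bug report.
CHECK = re.compile(r"\[(?P<thread>[^\]]+)\].*AuthInterceptor - Authentication check for (?P<path>\S+)")
PRINCIPAL = re.compile(r"\[(?P<thread>[^\]]+)\].*interceptor\.(?P<scheme>\w+) - principal created for")
# Requests made on behalf of an already-registered consumer: /consumers/<uuid>/...
CONSUMER_PATH = re.compile(r"^/consumers/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(/|$)")

# Constructed sample: two Tomcat worker threads interleaved; UUIDs and user are made up.
A = "11111111-1111-4111-8111-111111111111"
B = "22222222-2222-4222-8222-222222222222"
PKG = "org.fedoraproject.candlepin.resteasy.interceptor"
SAMPLE_LOG = f"""\
Sep 23 10:48:45 [http-8443-1] DEBUG {PKG}.AuthInterceptor - Authentication check for /consumers
Sep 23 10:48:45 [http-8443-2] DEBUG {PKG}.AuthInterceptor - Authentication check for /consumers/{B}/entitlements
Sep 23 10:48:45 [http-8443-1] DEBUG {PKG}.BasicAuth - principal created for user 'exampleuser
Sep 23 10:48:45 [http-8443-2] DEBUG {PKG}.BasicAuth - principal created for user 'exampleuser
Sep 23 10:48:47 [http-8443-1] DEBUG {PKG}.AuthInterceptor - Authentication check for /consumers/{A}/entitlements
Sep 23 10:48:47 [http-8443-1] DEBUG {PKG}.ConsumerAuth - principal created for consumer '{A}
"""

def auth_per_request(log_text):
    """Pair each 'Authentication check for <path>' with the interceptor that
    created the principal on the same thread; scheme is None if none was logged."""
    pending, results = {}, []          # pending: thread -> path awaiting a principal
    for line in log_text.splitlines():
        check = CHECK.search(line)
        if check:
            thread = check["thread"]
            if thread in pending:      # previous request never logged a principal
                results.append((pending[thread], None))
            pending[thread] = check["path"]
            continue
        made = PRINCIPAL.search(line)
        if made and made["thread"] in pending:
            results.append((pending.pop(made["thread"]), made["scheme"]))
    results.extend((path, None) for path in pending.values())
    return results

def basic_auth_violations(log_text):
    """Consumer-scoped requests that were authenticated with BasicAuth."""
    return [path for path, scheme in auth_per_request(log_text)
            if scheme == "BasicAuth" and CONSUMER_PATH.match(path)]

if __name__ == "__main__":
    for path in basic_auth_violations(SAMPLE_LOG):
        print("BasicAuth used for consumer request:", path)
```

BasicAuth on / and /consumers during registration is expected and is not reported; only paths under an existing consumer UUID are.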

Comment 9 errata-xmlrpc 2011-12-06 17:14:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html

