Bug 713576 - If the consumer cert fails to be written, the consumer still exists in Pulp and needs to be deleted
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Assignee: James Slagle
QA Contact: Preethi Thomas
Reported: 2011-06-15 19:36 UTC by Jay Dobies
Modified: 2013-09-09 16:31 UTC (History)

Doc Type: Bug Fix

Description Jay Dobies 2011-06-15 19:36:23 UTC
I stumbled on this by accident by running a consumer create without sudo:

jdob@atlantis    ~/.pulp
 -> pulp-client -u admin -p admin consumer create --id localhost-consumer
warning: this client is not registered; please register to continue
Traceback (most recent call last):
  File "/usr/bin/pulp-client", line 7, in <module>
    execfile(__file__)
  File "/home/jdob/code/pulp/bin/pulp-client", line 63, in <module>
    client.main()
  File "/home/jdob/code/pulp/src/pulp/client/cli/base.py", line 117, in main
    command.main(args[1:])
  File "/home/jdob/code/pulp/src/pulp/client/core/base.py", line 116, in main
    action.main(args[1:])
  File "/home/jdob/code/pulp/src/pulp/client/core/base.py", line 204, in main
    self.run()
  File "/home/jdob/code/pulp/src/pulp/client/core/consumer.py", line 179, in run
    bundle.write(crt)
  File "/home/jdob/code/pulp/src/pulp/common/bundle.py", line 149, in write
    self.mkdir()
  File "/home/jdob/code/pulp/src/pulp/common/bundle.py", line 172, in mkdir
    os.makedirs(path)
  File "/usr/lib64/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/etc/pki/consumer'

jdob@atlantis    ~/.pulp
 -> sudo pulp-client -u admin -p admin consumer create --id localhost-consumer
warning: this client is not registered; please register to continue
error: operation failed: Consumer with id: localhost-consumer already exists


Since we know consumer create is going to write to that directory, before even sending the request to the server we should make sure the user has write privileges. Otherwise, they'll need to use the admin CLI to delete the consumer before repeating the command with root privileges.

Comment 1 Sayli Karmarkar 2011-06-22 16:02:47 UTC
We need to add checking

Comment 2 Sayli Karmarkar 2011-07-18 06:19:53 UTC
At the very least, we need to make changes so that users can't run pulp-client as non-root.

Comment 3 Nick Coghlan 2011-08-02 04:45:41 UTC
I just ran into the exact situation Jay describes and it took me a while to figure out what I had done wrong (i.e. run pulp-client as a normal user rather than via sudo).

Completely banning running pulp-client as non-root seems overly restrictive though. Other commands (such as "pulp-client repo list") work fine as a non-root user.

Comment 4 Nick Coghlan 2011-08-02 04:48:04 UTC
Although "consumer bind" does suffer a similar fate to "consumer create"...

Comment 5 James Slagle 2011-12-20 13:23:11 UTC
Added checks for write permissions before we register/unregister/bind/unbind a consumer.  The checks happen before we send the request to the pulp server, so if we have to fail the operation, the pulp server does not get out of sync with what is on the consumer.

commit 76b394dbd5276af04c857e4ab4300235ccd87ab7

QA:
If you attempt one of these operations without the correct write permissions needed you will see:
error:  Write permission is required for /etc/pki/consumer/pulp to perform this operation.

The /etc/pki/consumer/pulp path will be /etc/yum.repos.d if the operation is a bind or unbind.
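
An illustration of the check-before-request pattern described in Comment 5, added here as an example; it is not the code from the Pulp commit and is written for Python 3. FakeServer, write_blocker and register are hypothetical names, and the certificate text is constructed. It also undoes the server-side create when the local write fails after the check has passed.

```python
import os


class FakeServer:
    """Hypothetical stand-in for the Pulp server's consumer API."""

    def __init__(self):
        self.consumers = set()

    def create(self, consumer_id):
        if consumer_id in self.consumers:
            raise ValueError("Consumer with id: %s already exists" % consumer_id)
        self.consumers.add(consumer_id)
        return "constructed sample certificate\n"

    def delete(self, consumer_id):
        self.consumers.discard(consumer_id)


def write_blocker(target):
    """Return the path that prevents writing `target`, or None if none does."""
    path = os.path.abspath(target)
    # The target may not exist yet (as /etc/pki/consumer did not in this bug),
    # so fall back to the nearest ancestor that does.
    while not os.path.lexists(path) and os.path.dirname(path) != path:
        path = os.path.dirname(path)
    if os.path.isdir(path):
        ok = os.access(path, os.W_OK | os.X_OK)  # may create entries inside
    else:
        # A non-directory is acceptable only if it is the target itself.
        ok = path == os.path.abspath(target) and os.access(path, os.W_OK)
    return None if ok else path


def register(server, consumer_id, cert_dir):
    """Check first, then create the consumer; undo the create if the write fails."""
    blocker = write_blocker(cert_dir)
    if blocker is not None:  # fail before the server learns about the consumer
        raise PermissionError(
            "Write permission is required for %s to perform this operation." % blocker)
    cert = server.create(consumer_id)
    try:
        os.makedirs(cert_dir, exist_ok=True)
        with open(os.path.join(cert_dir, "cert.pem"), "w") as handle:
            handle.write(cert)
    except OSError:
        # The check is advisory only, so compensate instead of leaving an orphan.
        server.delete(consumer_id)
        raise
```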

Comment 6 Jeff Ortel 2012-01-04 21:48:39 UTC
build: 0.256

Comment 7 Preethi Thomas 2012-01-06 21:32:32 UTC
verified
[root@el6-client ~]# ls -l /etc/pki/pulp/
total 4
dr-xr-xr-x. 2 root root 4096 Jan  6 16:10 consumer

[pthomas@pthomas-lt ~]$ ssh guest1.79.217
reverse mapping checking getaddrinfo for unused [10.16.79.217] failed - POSSIBLE BREAK-IN ATTEMPT!
guest1.79.217's password: 
[guest1@el6-client ~]$ pulp-consumer -u admin -p admin consumer unregister 
error:  Write permission is required for /etc/pki/pulp/consumer/cert.pem to perform this operation.
[guest1@el6-client ~]$ pulp-consumer -u admin -p admin consumer bind --repoid=f15
error:  Write permission is required for /etc/yum.repos.d to perform this operation.
[guest1@el6-client ~]$ pulp-consumer -u admin -p admin consumer unbind --repoid=f15
error:  Write permission is required for /etc/yum.repos.d to perform this operation.
[guest1@el6-client ~]$ 
[guest1@el6-client ~]$  pulp-consumer -u admin -p admin consumer register --id=el6-client
warning: this client is not known to the pulp server; run 'pulp-consumer consumer register' to register it
error:  Write permission is required for /etc/pki/pulp/consumer to perform this operation.


[guest1@el6-client ~]$ ls -l /etc/pki/pulp/
total 4
drwxr-xr-x. 2 guest1 root 4096 Jan  6 16:31 consumer
[guest1@el6-client ~]$ 
[guest1@el6-client ~]$  pulp-consumer -u admin -p admin consumer register --id=el6-client
warning: this client is not known to the pulp server; run 'pulp-consumer consumer register' to register it
Successfully registered consumer [ el6-client ]

Comment 8 Preethi Thomas 2012-02-24 20:17:54 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 9 Preethi Thomas 2012-02-24 20:18:40 UTC
Pulp v1.0 is released.

