Bug 727611 - RHSM-web authenticated as TrustedUserPrincipal and this causes consumer creation failure.
RHSM-web authenticated as TrustedUserPrincipal and this causes consumer creat...
Status: CLOSED CURRENTRELEASE
Product: Candlepin
Classification: Community
Component: candlepin (Show other bugs)
0.5
Unspecified Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Bryan Kearney
sshevach
:
Depends On:
Blocks: rhsm-rhel62
  Show dependency treegraph
 
Reported: 2011-08-02 11:23 EDT by Tyler Smart
Modified: 2015-05-14 11:23 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-30 09:15:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tyler Smart 2011-08-02 11:23:14 EDT
Description of problem:


Becaus eof the special way RHSM-web authenticates, we can no longer create consumers in candlepin 4.

Version-Release number of selected component (if applicable):

0.4.6
How reproducible:
Every time

Steps to Reproduce:
1. try to create a consumer with rhsm-web or with any Trusted Auth agent
2. You will see  "Insufficient Permissions"
3. This comes from Consumer Resource line 246
  
Actual results:


Expected results:


Additional info:
Jul 26 08:22:20 <zeus>  jbowes: so yesterday tsmart ran into a problem where ConsumerResource threw an exception
Jul 26 08:22:43 *       jweiss (~user@vpn-9-149.rdu.redhat.com) has joined #candlepin
Jul 26 08:22:43 <zeus>  jbowes: he's coming in with TrustedUserPrincipal 
Jul 26 08:23:02 <zeus>  jbowes: and we're looking for UserPrincipal 
Jul 26 08:23:20 <zeus>          if (!(principal instanceof UserPrincipal) && (keyStrings.size() == 0)) {
Jul 26 08:23:20 <zeus>              throw new ForbiddenException(i18n.tr("Insufficient permissions"));
Jul 26 08:23:20 <zeus>          }
Jul 26 08:23:48 <zeus>  jbowes: so I was thinking of making TrustedUserPrincipal extend UserPrincipal
Jul 26 08:24:24 <zeus>  jbowes: but I didn't want to do that until I talk to someone about it. Since UserPrincipal seems to have more functionality than TrustedUserPrincipal i.e. getOwner, etc.
Jul 26 08:24:29 <zeus>  jbowes: thoughts?
Jul 26 08:25:27 *       gkhachik is now known as gkhachik_mtg
Jul 26 08:25:35 *       jbowes has a peek
Jul 26 08:28:16 *       jsefler-out is now known as jsefler
Jul 26 08:30:00 *       witlessb (~wb@vpn-9-228.rdu.redhat.com) has joined #candlepin
Jul 26 08:31:29 <jbowes>        zeus: i think i'd do something else, allow me to explain
Jul 26 08:31:49 *       zeus allows it, proceed
Jul 26 08:31:55 <jbowes>        zeus: prior to the work dgoodwin-pto and i did to support a userstoreless candlepin for katello, there was only a userprincipal, not a trusted one
Jul 26 08:32:17 <jbowes>        zeus: the trusted one is assuemd to have no backing user store, etc
Jul 26 08:32:59 <jbowes>        zeus: previously, you could get a userprincipal from UserAuth, TrustedUserAuth, or OAuth (which delegated to TrustedUserAuth)
Jul 26 08:33:24 <jbowes>        zeus: now, you get a userprincipal from UserAuth, and a TrustedUserPrincipal from TrustedUserAuth and OAuth
Jul 26 08:33:39 <zeus>  ok, go on.
Jul 26 08:33:52 <jbowes>        zeus: i'd propose that userauth returns a userprincipal, oauth returns a trusteduser principal, and trusteduserprincipal returns a user principal
Jul 26 08:34:09 <jbowes>        that way standalone and hosted work the same as before, and only katello (oauth) uses the new principal class
Jul 26 08:34:15 <jbowes>        the names might need to be changed, too
Jul 26 08:34:17 <jbowes>        :)
Jul 26 08:34:20 <jbowes>        clear as mud?
Jul 26 08:34:25 *       Abhilash|away has quit (Quit: Abhilash|away)
Jul 26 08:34:44 <zeus>  very muddy, I think you have a typo causing part of the problem
Jul 26 08:34:49 <zeus>  trusteduserprincipal returns a user principal?
Jul 26 08:34:53 <zeus>  is that trusteduserauth?
Jul 26 08:35:35 <jbowes>        yes
Jul 26 08:35:42 <jbowes>        trusteduserauth should return a userprincipal
Jul 26 08:36:08 <jbowes>        you could just rename trusteduserprincipal to katellouserprincipal
Jul 26 08:36:41 <zeus>  I think I get it
Jul 26 08:37:01 <zeus>  basically the current TrustedUserPrincipal is solely intended for katello
Jul 26 08:37:19 <zeus>  but really isn't it anyone that uses oauth to integrate?
Jul 26 08:37:40 <jbowes>        not really, imo
Jul 26 08:37:44 <jbowes>        not in the way we do it right now
Jul 26 08:38:53 <jbowes>        and in the future, lets say there's another system that's talking to candlepin and using oauth
Jul 26 08:39:03 <jbowes>        like maybe you can log into a candlepin with your google user/pass
Jul 26 08:39:16 <jbowes>        google won't have roles/perms stored that are applicable to candlepin
Jul 26 08:39:22 <jbowes>        so we can't use that trusteduserprincipal anyways
Jul 26 08:39:44 <zeus>  um ok
Jul 26 08:39:54 <jbowes>        and we're certainly not going to want to give that system carte blanche to modify whatever it wants


Jul 26 08:40:04 <zeus>  +1
Jul 26 08:40:45 <zeus>  ok so then to reiterate what you said: 
Jul 26 08:40:53 <zeus>  1) have userauth return Userprincipal
Jul 26 08:41:00 <zeus>  2) have oauth return KatelloUserPrincipal
Jul 26 08:41:10 <zeus>  3) trustedauth return UserPrincipal
Jul 26 08:41:21 <zeus>  4) rename TrustedUserPrincipal -> KatelloUserPrincipal
Jul 26 08:41:25 *       morazi (~morazi@dhcp231-194.rdu.redhat.com) has joined #candlepin
Jul 26 08:41:30 <jbowes>        +1
Jul 26 08:41:40 <zeus>  jbowes: ok I'll make it happen :D
Jul 26 08:41:44 <jbowes>        rad
Jul 26 08:41:49 <zeus>  jbowes: also I made another change last night
Jul 26 08:42:03 <zeus>  I made getPrincipalName in Principal abstract
Jul 26 08:42:14 <zeus>  I found it annoying that it returned ""
Jul 26 08:42:20 <zeus>  and EVERYONE had an override
Jul 26 08:42:30 <zeus>  the class itself was already abstract
Jul 26 08:42:33 <jbowes>        good idea
Jul 26 08:42:34 *       zeus hasn't pushed the change
Jul 26 08:42:43 <jbowes>        i like changes like that
Jul 26 08:42:51 <jbowes>        makes things way more obvious when you mess stuff up
Jul 26 08:42:57 *       zeus likes going through the code
Jul 26 08:43:05 <zeus>  and cleaning things up
Comment 1 Devan Goodwin 2011-08-08 10:05:25 EDT
Fixed in candlepin.git master: 92d8a18cbe1b35a3bc564d1d0a6f6087332a1cd1

Will appear in candlepin-0.4.10-1 which is being built today.
Comment 3 Jordan OMara 2011-09-12 13:49:31 EDT
We have deployed 0.4.12 in stage and I have confirmed that creating consumers in rhsm-web in stage works.
Comment 4 John Sefler 2011-09-13 17:03:49 EDT
moving to VERIFIED based on comment 3

Note You need to log in before you can comment on or make changes to this bug.