Description of problem:
Because of the special way RHSM-web authenticates, we can no longer create consumers in candlepin 4.

Version-Release number of selected component (if applicable):
0.4.6

How reproducible:
Every time

Steps to Reproduce:
1. try to create a consumer with rhsm-web or with any Trusted Auth agent
2. You will see "Insufficient Permissions"
3. This comes from Consumer Resource line 246

Actual results:

Expected results:

Additional info:

Jul 26 08:22:20 <zeus> jbowes: so yesterday tsmart ran into a problem where ConsumerResource threw an exception
Jul 26 08:22:43 * jweiss (~user.redhat.com) has joined #candlepin
Jul 26 08:22:43 <zeus> jbowes: he's coming in with TrustedUserPrincipal
Jul 26 08:23:02 <zeus> jbowes: and we're looking for UserPrincipal
Jul 26 08:23:20 <zeus> if (!(principal instanceof UserPrincipal) && (keyStrings.size() == 0)) {
Jul 26 08:23:20 <zeus> throw new ForbiddenException(i18n.tr("Insufficient permissions"));
Jul 26 08:23:20 <zeus> }
Jul 26 08:23:48 <zeus> jbowes: so I was thinking of making TrustedUserPrincipal extend UserPrincipal
Jul 26 08:24:24 <zeus> jbowes: but I didn't want to do that until I talk to someone about it. Since UserPrincipal seems to have more functionality than TrustedUserPrincipal i.e. getOwner, etc.
Jul 26 08:24:29 <zeus> jbowes: thoughts?
Jul 26 08:25:27 * gkhachik is now known as gkhachik_mtg
Jul 26 08:25:35 * jbowes has a peek
Jul 26 08:28:16 * jsefler-out is now known as jsefler
Jul 26 08:30:00 * witlessb (~wb.redhat.com) has joined #candlepin
Jul 26 08:31:29 <jbowes> zeus: i think i'd do something else, allow me to explain
Jul 26 08:31:49 * zeus allows it, proceed
Jul 26 08:31:55 <jbowes> zeus: prior to the work dgoodwin-pto and i did to support a userstoreless candlepin for katello, there was only a userprincipal, not a trusted one
Jul 26 08:32:17 <jbowes> zeus: the trusted one is assumed to have no backing user store, etc
Jul 26 08:32:59 <jbowes> zeus: previously, you could get a userprincipal from UserAuth, TrustedUserAuth, or OAuth (which delegated to TrustedUserAuth)
Jul 26 08:33:24 <jbowes> zeus: now, you get a userprincipal from UserAuth, and a TrustedUserPrincipal from TrustedUserAuth and OAuth
Jul 26 08:33:39 <zeus> ok, go on.
Jul 26 08:33:52 <jbowes> zeus: i'd propose that userauth returns a userprincipal, oauth returns a trusteduser principal, and trusteduserprincipal returns a user principal
Jul 26 08:34:09 <jbowes> that way standalone and hosted work the same as before, and only katello (oauth) uses the new principal class
Jul 26 08:34:15 <jbowes> the names might need to be changed, too
Jul 26 08:34:17 <jbowes> :)
Jul 26 08:34:20 <jbowes> clear as mud?
Jul 26 08:34:25 * Abhilash|away has quit (Quit: Abhilash|away)
Jul 26 08:34:44 <zeus> very muddy, I think you have a typo causing part of the problem
Jul 26 08:34:49 <zeus> trusteduserprincipal returns a user principal?
Jul 26 08:34:53 <zeus> is that trusteduserauth?
Jul 26 08:35:35 <jbowes> yes
Jul 26 08:35:42 <jbowes> trusteduserauth should return a userprincipal
Jul 26 08:36:08 <jbowes> you could just rename trusteduserprincipal to katellouserprincipal
Jul 26 08:36:41 <zeus> I think I get it
Jul 26 08:37:01 <zeus> basically the current TrustedUserPrincipal is solely intended for katello
Jul 26 08:37:19 <zeus> but really isn't it anyone that uses oauth to integrate?
Jul 26 08:37:40 <jbowes> not really, imo
Jul 26 08:37:44 <jbowes> not in the way we do it right now
Jul 26 08:38:53 <jbowes> and in the future, let's say there's another system that's talking to candlepin and using oauth
Jul 26 08:39:03 <jbowes> like maybe you can log into a candlepin with your google user/pass
Jul 26 08:39:16 <jbowes> google won't have roles/perms stored that are applicable to candlepin
Jul 26 08:39:22 <jbowes> so we can't use that trusteduserprincipal anyways
Jul 26 08:39:44 <zeus> um ok
Jul 26 08:39:54 <jbowes> and we're certainly not going to want to give that system carte blanche to modify whatever it wants
Jul 26 08:40:04 <zeus> +1
Jul 26 08:40:45 <zeus> ok so then to reiterate what you said:
Jul 26 08:40:53 <zeus> 1) have userauth return Userprincipal
Jul 26 08:41:00 <zeus> 2) have oauth return KatelloUserPrincipal
Jul 26 08:41:10 <zeus> 3) trustedauth return UserPrincipal
Jul 26 08:41:21 <zeus> 4) rename TrustedUserPrincipal -> KatelloUserPrincipal
Jul 26 08:41:25 * morazi (~morazi.redhat.com) has joined #candlepin
Jul 26 08:41:30 <jbowes> +1
Jul 26 08:41:40 <zeus> jbowes: ok I'll make it happen :D
Jul 26 08:41:44 <jbowes> rad
Jul 26 08:41:49 <zeus> jbowes: also I made another change last night
Jul 26 08:42:03 <zeus> I made getPrincipalName in Principal abstract
Jul 26 08:42:14 <zeus> I found it annoying that it returned ""
Jul 26 08:42:20 <zeus> and EVERYONE had an override
Jul 26 08:42:30 <zeus> the class itself was already abstract
Jul 26 08:42:33 <jbowes> good idea
Jul 26 08:42:34 * zeus hasn't pushed the change
Jul 26 08:42:43 <jbowes> i like changes like that
Jul 26 08:42:51 <jbowes> makes things way more obvious when you mess stuff up
Jul 26 08:42:57 * zeus likes going through the code
Jul 26 08:43:05 <zeus> and cleaning things up
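
The guard quoted in the IRC log above, run against each principal type the log names. This is an added example, not part of the original report and not Candlepin's code: the principal classes are simplified stand-ins that reuse the names from the log, `allowed` and the sample key string are hypothetical, and the guard is assumed to stay as quoted after the auth-to-principal re-mapping (Java 9+ for `List.of`).

```java
import java.util.List;

// Simplified stand-ins named after the classes in the log; not Candlepin's code.
public class PrincipalGuardDemo {
    static abstract class Principal {
        abstract String getPrincipalName(); // abstract, as zeus describes
    }
    static class UserPrincipal extends Principal {
        String getPrincipalName() { return "user"; }
    }
    static class TrustedUserPrincipal extends Principal { // sibling, not a subclass
        String getPrincipalName() { return "trusted-user"; }
    }
    static class KatelloUserPrincipal extends Principal { // the proposed rename
        String getPrincipalName() { return "katello-user"; }
    }
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // The guard quoted in the log; i18n.tr() is dropped to keep this self-contained.
    static void checkCreate(Principal principal, List<String> keyStrings) {
        if (!(principal instanceof UserPrincipal) && (keyStrings.size() == 0)) {
            throw new ForbiddenException("Insufficient permissions");
        }
    }

    // Hypothetical helper: true when the guard lets the request through.
    static boolean allowed(Principal principal, List<String> keyStrings) {
        try {
            checkCreate(principal, keyStrings);
            return true;
        } catch (ForbiddenException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        List<String> none = List.of();               // constructed input: no key strings
        List<String> one = List.of("example-key");   // constructed input: one key string
        Principal[] cases = {
            new UserPrincipal(),         // UserAuth, and TrustedUserAuth after the change
            new TrustedUserPrincipal(),  // TrustedUserAuth and OAuth when the bug was filed
            new KatelloUserPrincipal(),  // OAuth after the change
        };
        for (Principal p : cases) {
            System.out.printf("%-13s no keys: %-5b with key: %b%n",
                    p.getPrincipalName(), allowed(p, none), allowed(p, one));
        }
    }
}
```

With an empty `keyStrings`, only `UserPrincipal` passes: a principal class that is a sibling rather than a subclass fails the `instanceof` test and is denied, which is why handing `UserPrincipal` back from TrustedUserAuth restores consumer creation without loosening the guard.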
Fixed in candlepin.git master: 92d8a18cbe1b35a3bc564d1d0a6f6087332a1cd1 Will appear in candlepin-0.4.10-1 which is being built today.
We have deployed 0.4.12 in stage and I have confirmed that creating consumers in rhsm-web in stage works.
moving to VERIFIED based on comment 3