Description of problem:
When subscribing a system via subscription manager to katello without activation keys, I am seeing the API systems controller #create action get called as expected, but then I also see the activate action being called. Looks like there is a match in the routes that is causing the activate to get invoked:

    match '/consumers' => 'systems#activate', :via => :post, :constraints => RegisterWithActivationKeyContraint.new

This is causing a permissions error that gets sent back to subscription manager:

    'content': "Errors::SecurityViolation: User admin is not allowed to access api/systems/activate\n/git/katello/src/lib/authorization_rules.rb:30:in `authorize'\n/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callback

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Regarding this issue, I have pushed a simple workaround to allow registration without activation keys.

    1634bdc 736384 - workaround for perm. denied for rhsm registration

This should be removed when we refactor permissions for system activations.

So I reverted the temporary fix and refactored the way we handle RHSM permissions.

    629d2ca 737563 - Subscription Manager fails permissions on accessing subscriptions
    eebb966 736141 - Systems Registration perms need to be reworked
    e84d7e8 Revert "736384 - workaround for perm. denied (unit test)"
    95ea20a Revert "736384 - workaround for perm. denied for rhsm registration"

I am not able to reproduce it now.

# VERIFIED

Doing a call of `system subscribe` does not invoke the "*#activate" action (looking in the production.log of katello). All looks fine, RHSM gets exit 0.

Checked against:

    katello-0.1.174-2.el6.noarch
    katello-cli-0.1.35-1.el6.noarch