Hide Forgot
When attempting to register against katello, subscription manager is failing when trying to get the owners for the user. To reproduce, please do the following: [root@bkearney src]# curl -k -u "admin:admin" https://10.11.230.185:3000/api/users/admin/owners Errors::SecurityViolation: User admin is not allowed to access api/organizations/list_owners /usr/share/katello/lib/authorization_rules.rb:30:in `authorize' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:442:in `_run__101499026__process_action__1803004532__callbacks' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_1654' /usr/share/katello/lib/util/threadsession.rb:77:in `thread_locals' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:219:in `_conditional_callback_around_1654' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:440:in `_run__101499026__process_action__1803004532__callbacks' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:409:in `send' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:409:in `_run_process_action_callbacks' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:93:in `send' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:93:in `run_callbacks' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/callbacks.rb:17:in `process_action' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/instrumentation.rb:30:in `process_action' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications.rb:52:in `instrument' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications/instrumenter.rb:21:in `instrument' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/notifications.rb:52:in `instrument' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/instrumentation.rb:29:in `process_action' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/rescue.rb:17:in `process_action' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/base.rb:119:in `process' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/abstract_controller/rendering.rb:41:in `process' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal.rb:138:in `dispatch' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_controller/metal.rb:178:in `action' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:62:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:62:in `dispatch' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:27:in `call' /usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/route_set.rb:148:in `call' /usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:93:in `recognize' /usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:138:in `optimized_each' /usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/code_generation.rb:92:in `recognize' /usr/lib/ruby/gems/1.8/gems/rack-mount-0.6.13/lib/rack/mount/route_set.rb:139:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/routing/route_set.rb:492:in `call' /usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:35:in `call' /usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `catch' /usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `call' /usr/lib/ruby/gems/1.8/gems/sass-3.1.4/lib/sass/../sass/plugin/rack.rb:54:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/best_standards_support.rb:17:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/head.rb:14:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/methodoverride.rb:24:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/params_parser.rb:21:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/flash.rb:182:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/session/abstract_store.rb:149:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/cookies.rb:302:in `call' /usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:32:in `call' /usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/connection_adapters/abstract/query_cache.rb:28:in `cache' /usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:12:in `cache' /usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/query_cache.rb:31:in `call' /usr/lib/ruby/gems/1.8/gems/activerecord-3.0.5/lib/active_record/connection_adapters/abstract/connection_pool.rb:354:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/callbacks.rb:46:in `call' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/callbacks.rb:415:in `_run_call_callbacks' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/callbacks.rb:44:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/sendfile.rb:105:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/remote_ip.rb:48:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/show_exceptions.rb:47:in `call' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/rack/logger.rb:13:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/runtime.rb:17:in `call' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.5/lib/active_support/cache/strategy/local_cache.rb:72:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `synchronize' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/lock.rb:11:in `call' /usr/lib/ruby/gems/1.8/gems/actionpack-3.0.5/lib/action_dispatch/middleware/static.rb:30:in `call' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:168:in `call' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:77:in `send' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/application.rb:77:in `method_missing' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/rack/log_tailer.rb:14:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/content_length.rb:13:in `call' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/handler/webrick.rb:48:in `service' /usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service' /usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run' /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:95:in `start' /usr/lib/ruby/1.8/webrick/server.rb:92:in `each' /usr/lib/ruby/1.8/webrick/server.rb:92:in `start' /usr/lib/ruby/1.8/webrick/server.rb:23:in `start' /usr/lib/ruby/1.8/webrick/server.rb:82:in `start' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/handler/webrick.rb:14:in `run' /usr/lib/ruby/gems/1.8/gems/rack-1.1.0/lib/rack/server.rb:155:in `start' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands/server.rb:65:in `start' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:30 /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:27:in `tap' /usr/lib/ruby/gems/1.8/gems/railties-3.0.5/lib/rails/commands.rb:27 /usr/share/katello/script/rails:81:in `require' [root@bkearney src]#
Ok I already fixed a quick workaround for the similar problem: 1634bdc 736384 - workaround for perm. denied for rhsm registration but since this is blocker I am going to provide full solution. Taking.
I wonder what the permission should look like. RHSM is requesting list of owners for given user1, it is authorized as user2. So I am assuming the following: a) user1 = user2 b) user1/2 can register system I am going to implement both there permission rules and correct the behavior.
6f6160e 736438 - implement permission check for list_owners The code now checks if the user is the authenticated user. If not, access is denied.
TODO: unit test
I still get this with katello-0.1.79-1.git.0.ff7921a.fc15.noarch katello-cli-0.1.10-1.git.43.3d76463.fc15.noarch
@Bryan - Sorry I fixed it last week, but forgot to do the push. I did it but it failed... bed93c3 736438 - implement permission check for list_owners 311bf3b 736438 - move list_owners from orgs to users controller Pushed.
# curl -k -u "admin:admin" https://rhel61-server.usersys.redhat.com/katello/api/users/admin/owners [{"displayName":"ACME_Corporation","key":"ACME_Corporation"},{"displayName":"NY Data Center","key":"NY_Data_Center"}] # curl -k -u "admin:adminghffusersys.redhat.com/katello/api/users/admin/owners curl: (6) Couldn't resolve host 'rhel61-server.ghffusersys.redhat.com' # curl -k -u "admin:adminn" https://rhel61-server.redhat.com/katello/api/users/admin/owners curl: (6) Couldn't resolve host 'rhel61-server.redhat.com'
# curl -k -u "admin:adminn" https://rhel61-server.usersys.redhat.com/katello/api/users/admin/owners {"errors":["Invalid credentials"],"displayMessage":"Invalid credentials"}
Verified on Katello Version: 0.1.194-1.el6