Bug 809259 - System not registering with activation key.
System not registering with activation key.
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Content Management (Show other bugs)
6.0.1
Unspecified Unspecified
unspecified Severity medium (vote)
: Unspecified
: --
Assigned To: Brad Buckingham
Kedar Bidarkar
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-02 17:28 EDT by Steve Reichard
Modified: 2013-08-16 14:08 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A permission issue occurred when a user with correct read-only permissions fetched the list of activation keys using the command line interface. The API was not granting the user access to read the list of keys. This fix restores the correct access rights to the user to read the list.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-04 14:44:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
keys permissions screen shot (102.88 KB, image/png)
2012-04-02 17:29 EDT, Steve Reichard
no flags Details
client logs (87.56 KB, application/x-gzip)
2012-04-02 17:29 EDT, Steve Reichard
no flags Details
katello debug (1.05 MB, application/x-gzip)
2012-04-02 17:30 EDT, Steve Reichard
no flags Details

  None (edit)
Description Steve Reichard 2012-04-02 17:28:04 EDT
Description of problem:


I have created an activation key with RHEL and and custom repo included.  Both of these have been promoted to the environment (dev) that a user has permissions to register. 

When the client registers I see:

+ subscription-manager register --force --org=refarch --activationkey=dev-use-case
Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'.

I've attached a katello-debug and a tar of the client /var/log.


I think this may be an issue with roles/permission becuase:

[root@cf-se1 ~]# katello -u sadev -p sadev activation_key list
User sadev is not allowed to access api/activation_keys/index
[root@cf-se1 ~]# 


However you can see the user has the ra-sysadm_role, this roll has the permission of ra-keys,  and since I can t see how to list info about permsissions using the cli (Is that a bug?) I've attached a screen shot with the info.  Notice that verbs is all.  I see that On is blank but in the interface I could not modify this.

[root@cf-se1 ~]# katello -u admin -p admin user list_roles --username=sadev
-------------------------------------------------------------------------------------------------
                                         User Role List

 Id   Name            
-------------------------------------------------------------------------------------------------
 7    ra-dev-role     
 5    ra-sysadm-role  
[root@cf-se1 ~]# katello -u admin -p admin user_role info --name=ra-sysadm-role
-------------------------------------------------------------------------------------------------
                                      User Role Information
-------------------------------------------------------------------------------------------------

Id:          5
Name:        ra-sysadm-role
Description: 
Permissions:
    ra-env-read-all
    ra-filt
    ra-temp
    ra-org
    ra-prov
    ra-keys

[root@cf-se1 ~]# 






Version-Release number of selected component (if applicable):


beta 6

[root@cf-se1 ~]# /pub/scripts/post_install_configuration_scripts/cf-versions 
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux cf-se1.cloud.lab.eng.bos.redhat.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Fri Feb 10 15:22:22 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
postgresql-8.4.9-1.el6_1.1.x86_64
mongodb-1.8.2-4.el6.x86_64
package euca2ools is not installed
ruby-1.8.7.352-7.el6_2.x86_64
rubygems-1.8.16-1.el6.noarch
package deltacloud-core is not installed
package rubygem-deltacloud-client is not installed
package libdeltacloud is not installed
package hail is not installed
puppet-2.6.14-1.el6.noarch
package aeolus-configure is not installed
package iwhd is not installed
package imagefactory is not installed
package aeolus-conductor-daemons is not installed
package aeolus-conductor is not installed
[root@cf-se1 ~]# 


How reproducible:

In my current setup, easily,   please let me know if you want access

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Steve Reichard 2012-04-02 17:29:03 EDT
Created attachment 574638 [details]
keys permissions screen shot
Comment 2 Steve Reichard 2012-04-02 17:29:38 EDT
Created attachment 574639 [details]
client logs
Comment 3 Steve Reichard 2012-04-02 17:30:08 EDT
Created attachment 574640 [details]
katello debug
Comment 4 Steve Reichard 2012-04-02 18:02:22 EDT
Since I wasn't sure which user made the key, I went back in as sadev and made a new key.   An attempted registration with this new key yielded the same result.
Comment 6 Brad Buckingham 2012-08-30 11:55:04 EDT
It looks like there could be 2 issues here:

1. The permissions model for listing activation keys using the CLI is not working properly.  I was able to recreate the same error mentioned above using an 'sadev' user that has permissions to only activation keys.  E.g. 

   katello> activation_key list --org ACME_Corporation
   User sadev is not allowed to access api/organizations/show

2. Error in the ability to register a client using an activation key.  Reported above with behavior like:
   # subscription-manager register --force --org=refarch --activationkey=dev-use-case
   Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'.

Unfortunately, I have not been able to repro #2.  For example, using an activation key created by sadev, I was able to register a client:
   # subscription-manager register --org ACME_Corporation --activationkey sadevkey
   The system has been registered with id: f90d8e1b-af1e-4b7b-921a-063a0c372754
Comment 7 Brad Buckingham 2012-08-30 11:56:17 EDT
It is possible that the second problem has already been solved.

Kedar, are you able to reproduce the registration error?
Comment 8 Kedar Bidarkar 2012-09-11 06:11:56 EDT
Was away for RHCE training, Brad I agree with you that the issue 1) persits and issue 2) looks already solved now.

For activation keys the verbs are (+all)
For all the other Permissions the verbs selected are only Administer and Read 


[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
User sa_dev is not allowed to access api/activation_keys/index
[root@dhcp201-200 ~]# katello -u admin -p admin user list_roles --username=sa_dev
--------------------------------------------------------------------------------
                                User Role List

 Id   Name
--------------------------------------------------------------------------------
 7    sa_common_role
 9    sa_dev_role
 14   sa_sysadm_role
[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_sysadm_role
--------------------------------------------------------------------------------
                            User Role Information
--------------------------------------------------------------------------------

Id:          14
Name:        sa_sysadm_role
Description:
Permissions:
    sa-org
    sa-prov
    sa-filt
    sa-temp
    sa-read_all-env_all
    sa-keys
Ldap Groups:

[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_dev_role
---------------------------------------------------------------------------------------------------------------------------------
                                                     User Role Information
---------------------------------------------------------------------------------------------------------------------------------

Id:          9
Name:        sa_dev_role
Description: None
Permissions:
    sa_dev_libenv_read
    sa_dev_perm
Ldap Groups: 

[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_common_role
---------------------------------------------------------------------------------------------------------------------------------
                                                     User Role Information
---------------------------------------------------------------------------------------------------------------------------------

Id:          7
Name:        sa_common_role
Description: None
Permissions:
    sa_common_template
    sa_common_provider
    sa_common_org
    sa_common_actkey
    sa_common_filter
Ldap Groups: 


##################################################

But on the client side, it does get register now.

[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey sa_dev_163_activation_keys
The system has been registered with id: f475be2d-fb81-4250-b3a3-f9864c6589bd 
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.

Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.

redhat_CFSE_cfse_repo                                                                                     | 2.3 kB     00:00     
redhat_CFSE_cfse_repo/primary_db                                                                          | 102 kB     00:00     
rhel-6-server-cf-tools-1-rpms                                                                             | 2.8 kB     00:00     
rhel-6-server-rpms                                                                                        | 3.8 kB     00:00     
repo id                                              repo name                                                             status
epel                                                 Extra Packages for Enterprise Linux 6 - x86_64                        7,765
katello-client                                       Katello client tools                                                      1
redhat_CFSE_cfse_repo                                cfse_repo                                                               281
rhel-6-server-cf-tools-1-rpms                        Red Hat CloudForms Tools for RHEL 6 (RPMs)                               26
rhel-6-server-rpms                                   Red Hat Enterprise Linux 6 Server (RPMs)                              8,436
repolist: 16,509


[root@dhcp201-200 ~]# rpm -qav | grep -i katello 
katello-glue-foreman-1.1.10-1.git.31.2fb829c.el6.noarch
katello-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-1.1.6-1.el6.noarch
katello-glue-candlepin-1.1.10-1.git.31.2fb829c.el6.noarch
katello-common-1.1.10-1.git.31.2fb829c.el6.noarch
katello-certs-tools-1.1.8-1.el6.noarch
katello-selinux-1.1.1-1.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-configure-1.1.8-1.git.14.2d383ea.el6.noarch
katello-glue-pulp-1.1.10-1.git.31.2fb829c.el6.noarch
katello-all-1.1.10-1.git.31.2fb829c.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-repos-1.1.2-1.el6.noarch
katello-cli-common-1.1.6-1.el6.noarch
Comment 9 Brad Buckingham 2012-09-12 12:49:57 EDT
katello pull request: 
https://github.com/Katello/katello/pull/623

katello commits:
https://github.com/Katello/katello/commit/5a7461ea93c09e5d8982a286b73b77b570ac6605
https://github.com/Katello/katello/commit/b182a8113d402331f5da54230144815bb188c783
https://github.com/Katello/katello/commit/ef84bebb45810cce5a24685705b1f899cd1568fe

The above commits the permissions issue that was mentioned as item 1 in comment #6 above.  We were not able to reproduces item 2; therefore, moving this BZ to 'on_dev'.
Comment 11 Kedar Bidarkar 2012-09-17 08:20:35 EDT
Now a user with a role, which has permissions to administer activation keys can list successfully the activation keys list.


[root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list
--------------------------------------------------------------------------------
                             Activation Key List

 Id   Name          Description   Usage   Environment Id   System Template Id  
--------------------------------------------------------------------------------
 1    act_163_key   None          0       3                4                   


Was also able to successfully register systems with an activation key.

[root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey act_163_key
The system has been registered with id: 6bc508da-3d36-4b98-b1b4-c3617234349b 
[root@dhcp201-163 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.

Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.

rhel-6-server-cf-tools-1-rpms                                                                             | 2.8 kB     00:00     
rhel-6-server-rpms                                                                                        | 3.8 kB     00:00     
rhel-6-server-rpms/primary_db                                                                             |  15 MB     00:00     
repo id                                              repo name                                                             status
*epel                                                Extra Packages for Enterprise Linux 6 - x86_64                        7,775
katello-client                                       Katello client tools                                                      1
rhel-6-server-cf-tools-1-rpms                        Red Hat CloudForms Tools for RHEL 6 (RPMs)                               26
rhel-6-server-rpms                                   Red Hat Enterprise Linux 6 Server (RPMs)                              8,479
Comment 13 errata-xmlrpc 2012-12-04 14:44:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
Comment 14 Mike McCune 2013-08-16 14:08:12 EDT
getting rid of 6.0.0 version since that doesn't exist

Note You need to log in before you can comment on or make changes to this bug.