Red Hat Bugzilla – Bug 809259
System not registering with activation key.
Last modified: 2013-08-16 14:08:12 EDT
Description of problem: I have created an activation key with RHEL and and custom repo included. Both of these have been promoted to the environment (dev) that a user has permissions to register. When the client registers I see: + subscription-manager register --force --org=refarch --activationkey=dev-use-case Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'. I've attached a katello-debug and a tar of the client /var/log. I think this may be an issue with roles/permission becuase: [root@cf-se1 ~]# katello -u sadev -p sadev activation_key list User sadev is not allowed to access api/activation_keys/index [root@cf-se1 ~]# However you can see the user has the ra-sysadm_role, this roll has the permission of ra-keys, and since I can t see how to list info about permsissions using the cli (Is that a bug?) I've attached a screen shot with the info. Notice that verbs is all. I see that On is blank but in the interface I could not modify this. [root@cf-se1 ~]# katello -u admin -p admin user list_roles --username=sadev ------------------------------------------------------------------------------------------------- User Role List Id Name ------------------------------------------------------------------------------------------------- 7 ra-dev-role 5 ra-sysadm-role [root@cf-se1 ~]# katello -u admin -p admin user_role info --name=ra-sysadm-role ------------------------------------------------------------------------------------------------- User Role Information ------------------------------------------------------------------------------------------------- Id: 5 Name: ra-sysadm-role Description: Permissions: ra-env-read-all ra-filt ra-temp ra-org ra-prov ra-keys [root@cf-se1 ~]# Version-Release number of selected component (if applicable): beta 6 [root@cf-se1 ~]# /pub/scripts/post_install_configuration_scripts/cf-versions Red Hat Enterprise Linux Server release 6.2 (Santiago) Linux cf-se1.cloud.lab.eng.bos.redhat.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Fri Feb 10 15:22:22 EST 2012 x86_64 x86_64 x86_64 GNU/Linux postgresql-8.4.9-1.el6_1.1.x86_64 mongodb-1.8.2-4.el6.x86_64 package euca2ools is not installed ruby-1.8.7.352-7.el6_2.x86_64 rubygems-1.8.16-1.el6.noarch package deltacloud-core is not installed package rubygem-deltacloud-client is not installed package libdeltacloud is not installed package hail is not installed puppet-2.6.14-1.el6.noarch package aeolus-configure is not installed package iwhd is not installed package imagefactory is not installed package aeolus-conductor-daemons is not installed package aeolus-conductor is not installed [root@cf-se1 ~]# How reproducible: In my current setup, easily, please let me know if you want access Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 574638 [details] keys permissions screen shot
Created attachment 574639 [details] client logs
Created attachment 574640 [details] katello debug
Since I wasn't sure which user made the key, I went back in as sadev and made a new key. An attempted registration with this new key yielded the same result.
It looks like there could be 2 issues here: 1. The permissions model for listing activation keys using the CLI is not working properly. I was able to recreate the same error mentioned above using an 'sadev' user that has permissions to only activation keys. E.g. katello> activation_key list --org ACME_Corporation User sadev is not allowed to access api/organizations/show 2. Error in the ability to register a client using an activation key. Reported above with behavior like: # subscription-manager register --force --org=refarch --activationkey=dev-use-case Guest's host does not match owner of pool: '8a900ce53664f4810136746ced89009e'. Unfortunately, I have not been able to repro #2. For example, using an activation key created by sadev, I was able to register a client: # subscription-manager register --org ACME_Corporation --activationkey sadevkey The system has been registered with id: f90d8e1b-af1e-4b7b-921a-063a0c372754
It is possible that the second problem has already been solved. Kedar, are you able to reproduce the registration error?
Was away for RHCE training, Brad I agree with you that the issue 1) persits and issue 2) looks already solved now. For activation keys the verbs are (+all) For all the other Permissions the verbs selected are only Administer and Read [root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list User sa_dev is not allowed to access api/activation_keys/index [root@dhcp201-200 ~]# katello -u admin -p admin user list_roles --username=sa_dev -------------------------------------------------------------------------------- User Role List Id Name -------------------------------------------------------------------------------- 7 sa_common_role 9 sa_dev_role 14 sa_sysadm_role [root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_sysadm_role -------------------------------------------------------------------------------- User Role Information -------------------------------------------------------------------------------- Id: 14 Name: sa_sysadm_role Description: Permissions: sa-org sa-prov sa-filt sa-temp sa-read_all-env_all sa-keys Ldap Groups: [root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_dev_role --------------------------------------------------------------------------------------------------------------------------------- User Role Information --------------------------------------------------------------------------------------------------------------------------------- Id: 9 Name: sa_dev_role Description: None Permissions: sa_dev_libenv_read sa_dev_perm Ldap Groups: [root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name=sa_common_role --------------------------------------------------------------------------------------------------------------------------------- User Role Information --------------------------------------------------------------------------------------------------------------------------------- Id: 7 Name: sa_common_role Description: None Permissions: sa_common_template sa_common_provider sa_common_org sa_common_actkey sa_common_filter Ldap Groups: ################################################## But on the client side, it does get register now. [root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey sa_dev_163_activation_keys The system has been registered with id: f475be2d-fb81-4250-b3a3-f9864c6589bd [root@dhcp201-163 ~]# yum repolist Loaded plugins: product-id, security, subscription-manager Updating certificate-based repositories. Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management. redhat_CFSE_cfse_repo | 2.3 kB 00:00 redhat_CFSE_cfse_repo/primary_db | 102 kB 00:00 rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00 rhel-6-server-rpms | 3.8 kB 00:00 repo id repo name status epel Extra Packages for Enterprise Linux 6 - x86_64 7,765 katello-client Katello client tools 1 redhat_CFSE_cfse_repo cfse_repo 281 rhel-6-server-cf-tools-1-rpms Red Hat CloudForms Tools for RHEL 6 (RPMs) 26 rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) 8,436 repolist: 16,509 [root@dhcp201-200 ~]# rpm -qav | grep -i katello katello-glue-foreman-1.1.10-1.git.31.2fb829c.el6.noarch katello-1.1.10-1.git.31.2fb829c.el6.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-cli-1.1.6-1.el6.noarch katello-glue-candlepin-1.1.10-1.git.31.2fb829c.el6.noarch katello-common-1.1.10-1.git.31.2fb829c.el6.noarch katello-certs-tools-1.1.8-1.el6.noarch katello-selinux-1.1.1-1.el6.noarch katello-candlepin-cert-key-pair-1.0-1.noarch katello-configure-1.1.8-1.git.14.2d383ea.el6.noarch katello-glue-pulp-1.1.10-1.git.31.2fb829c.el6.noarch katello-all-1.1.10-1.git.31.2fb829c.el6.noarch katello-qpid-client-key-pair-1.0-1.noarch katello-repos-1.1.2-1.el6.noarch katello-cli-common-1.1.6-1.el6.noarch
katello pull request: https://github.com/Katello/katello/pull/623 katello commits: https://github.com/Katello/katello/commit/5a7461ea93c09e5d8982a286b73b77b570ac6605 https://github.com/Katello/katello/commit/b182a8113d402331f5da54230144815bb188c783 https://github.com/Katello/katello/commit/ef84bebb45810cce5a24685705b1f899cd1568fe The above commits the permissions issue that was mentioned as item 1 in comment #6 above. We were not able to reproduces item 2; therefore, moving this BZ to 'on_dev'.
Now a user with a role, which has permissions to administer activation keys can list successfully the activation keys list. [root@dhcp201-200 ~]# katello -u sa_dev -p sa_dev activation_key list -------------------------------------------------------------------------------- Activation Key List Id Name Description Usage Environment Id System Template Id -------------------------------------------------------------------------------- 1 act_163_key None 0 3 4 Was also able to successfully register systems with an activation key. [root@dhcp201-163 ~]# subscription-manager register --org redhat --activationkey act_163_key The system has been registered with id: 6bc508da-3d36-4b98-b1b4-c3617234349b [root@dhcp201-163 ~]# yum repolist Loaded plugins: product-id, security, subscription-manager Updating certificate-based repositories. Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management. rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00 rhel-6-server-rpms | 3.8 kB 00:00 rhel-6-server-rpms/primary_db | 15 MB 00:00 repo id repo name status *epel Extra Packages for Enterprise Linux 6 - x86_64 7,775 katello-client Katello client tools 1 rhel-6-server-cf-tools-1-rpms Red Hat CloudForms Tools for RHEL 6 (RPMs) 26 rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) 8,479
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-1543.html
getting rid of 6.0.0 version since that doesn't exist