972915 – spacewalk-splice-checkin should run as "splice" user, not "root"

Bug 972915 - spacewalk-splice-checkin should run as "splice" user, not "root"

Summary: spacewalk-splice-checkin should run as "splice" user, not "root"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Subscription Asset Manager
Classification:	Retired
Component:	Splice
Sub Component:
Version:	1.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	James Slagle
QA Contact:	mkovacik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	sam13-tracker
TreeView+	depends on / blocked

Reported:	2013-06-10 19:39 UTC by Chris Duryee
Modified:	2013-10-01 10:55 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-10-01 10:55:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2013:1390	0	normal	SHIPPED_LIVE	Release 1.3 of Subscription Asset Manager	2013-10-01 14:43:14 UTC

Description Chris Duryee 2013-06-10 19:39:09 UTC

Description of problem: Currently, subscription-splice-checkin must run as root in order to access splice log files along with katello log files.


Version-Release number of selected component (if applicable): 0.19


How reproducible: every time


Steps to Reproduce:
1. attempt to run spacewalk-splice-checkin as splice user

Actual results:
[root@dhcp129-162 ~]# su - splice -s /bin/bash
-bash-4.1$ spacewalk-splice-checkin --splice-sync
Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 21, in <module>
    from spacewalk_splice_tool import checkin, utils, constants
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 33, in <module>
    from spacewalk_splice_tool.katello_connect import KatelloConnection, NotFoundException
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/katello_connect.py", line 16, in <module>
    from katello.client.api.organization import OrganizationAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/organization.py", line 16, in <module>
    from katello.client.api.base import KatelloAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/base.py", line 16, in <module>
    from katello.client import server
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 48, in <module>
    class AuthenticationStrategy(object):
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 50, in AuthenticationStrategy
    _log = getLogger('katello')
  File "/usr/lib/python2.6/site-packages/katello/client/logutil.py", line 62, in getLogger
    os.mkdir(logdir)
OSError: [Errno 13] Permission denied: '/var/lib/splice/.katello'


Expected results: successful run of sst


Additional info: this may requires changes to katello-cli to support using the API bindings as users besides katello and root, not sure.

Comment 1 James Slagle 2013-06-18 21:47:45 UTC

commit f0caa010762b5a13387da4eae05c8e8f20442cc7

i fixed the packaging to also set the owner and permissions on /var/lib/splice so that sst can run as a different user.  Additionally, if it is running as a different user, I updated the ssh connection to always connect as root to the satellite (previously it was using the current user).

However, spacewalk-splice-tool is still configured to run as root.

Comment 2 Vitaly Kuznetsov 2013-06-21 12:37:10 UTC

I'm still having permission issues running sst under 'splice' user:
[Errno 13] Permission denied: '/var/log/splice/report_server.log'

Comment 3 Vitaly Kuznetsov 2013-06-21 13:06:55 UTC

BTW in spacewalk-splice-tool-0.24-1.el6sam.x86_64 cron jobs are still running under 'root' user:
# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync

maybe they're responsible for screwing the permissions.

Comment 4 James Slagle 2013-06-21 17:08:17 UTC

commit 31106c110bc8636c05c97ed5e51a8c899ffb6883

switched sst to run as splice user.  this should resolve the issue.

Comment 5 Vitaly Kuznetsov 2013-06-24 14:12:20 UTC

Verified in spacewalk-splice-tool-0.25-1.el6sam:

# sudo -u splice /usr/bin/spacewalk-splice-checkin 
2013-06-24 10:11:13,973 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/spliceserver/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,073 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/spliceserver/'
2013-06-24 10:11:14,075 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/marketingproductusage/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,174 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/marketingproductusage/'
Upload was successful

# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * splice /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * splice /usr/bin/spacewalk-splice-checkin --splice-sync

Nothing suspicious in /var/log/splice/spacewalk_splice_tool.log

Comment 8 errata-xmlrpc 2013-10-01 10:55:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html

Note You need to log in before you can comment on or make changes to this bug.