Bug 972915 - spacewalk-splice-checkin should run as "splice" user, not "root"
spacewalk-splice-checkin should run as "splice" user, not "root"
Status: CLOSED ERRATA
Product: Subscription Asset Manager
Classification: Red Hat
Component: Splice (Show other bugs)
1.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: James Slagle
mkovacik
:
Depends On:
Blocks: sam13-tracker
  Show dependency treegraph
 
Reported: 2013-06-10 15:39 EDT by Chris Duryee
Modified: 2013-10-01 06:55 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-01 06:55:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Duryee 2013-06-10 15:39:09 EDT
Description of problem: Currently, subscription-splice-checkin must run as root in order to access splice log files along with katello log files.


Version-Release number of selected component (if applicable): 0.19


How reproducible: every time


Steps to Reproduce:
1. attempt to run spacewalk-splice-checkin as splice user

Actual results:
[root@dhcp129-162 ~]# su - splice -s /bin/bash
-bash-4.1$ spacewalk-splice-checkin --splice-sync
Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 21, in <module>
    from spacewalk_splice_tool import checkin, utils, constants
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 33, in <module>
    from spacewalk_splice_tool.katello_connect import KatelloConnection, NotFoundException
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/katello_connect.py", line 16, in <module>
    from katello.client.api.organization import OrganizationAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/organization.py", line 16, in <module>
    from katello.client.api.base import KatelloAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/base.py", line 16, in <module>
    from katello.client import server
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 48, in <module>
    class AuthenticationStrategy(object):
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 50, in AuthenticationStrategy
    _log = getLogger('katello')
  File "/usr/lib/python2.6/site-packages/katello/client/logutil.py", line 62, in getLogger
    os.mkdir(logdir)
OSError: [Errno 13] Permission denied: '/var/lib/splice/.katello'


Expected results: successful run of sst


Additional info: this may requires changes to katello-cli to support using the API bindings as users besides katello and root, not sure.
Comment 1 James Slagle 2013-06-18 17:47:45 EDT
commit f0caa010762b5a13387da4eae05c8e8f20442cc7

i fixed the packaging to also set the owner and permissions on /var/lib/splice so that sst can run as a different user.  Additionally, if it is running as a different user, I updated the ssh connection to always connect as root to the satellite (previously it was using the current user).

However, spacewalk-splice-tool is still configured to run as root.
Comment 2 Vitaly Kuznetsov 2013-06-21 08:37:10 EDT
I'm still having permission issues running sst under 'splice' user:
[Errno 13] Permission denied: '/var/log/splice/report_server.log'
Comment 3 Vitaly Kuznetsov 2013-06-21 09:06:55 EDT
BTW in spacewalk-splice-tool-0.24-1.el6sam.x86_64 cron jobs are still running under 'root' user:
# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync

maybe they're responsible for screwing the permissions.
Comment 4 James Slagle 2013-06-21 13:08:17 EDT
commit 31106c110bc8636c05c97ed5e51a8c899ffb6883

switched sst to run as splice user.  this should resolve the issue.
Comment 5 Vitaly Kuznetsov 2013-06-24 10:12:20 EDT
Verified in spacewalk-splice-tool-0.25-1.el6sam:

# sudo -u splice /usr/bin/spacewalk-splice-checkin 
2013-06-24 10:11:13,973 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/spliceserver/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,073 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/spliceserver/'
2013-06-24 10:11:14,075 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/marketingproductusage/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,174 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/marketingproductusage/'
Upload was successful

# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * splice /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * splice /usr/bin/spacewalk-splice-checkin --splice-sync

Nothing suspicious in /var/log/splice/spacewalk_splice_tool.log
Comment 8 errata-xmlrpc 2013-10-01 06:55:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html

Note You need to log in before you can comment on or make changes to this bug.