Bug 972915 - spacewalk-splice-checkin should run as "splice" user, not "root"
Summary: spacewalk-splice-checkin should run as "splice" user, not "root"
Status: CLOSED ERRATA
Alias: None
Product: Subscription Asset Manager
Classification: Red Hat
Component: Splice
Version: 1.3
Hardware: Unspecified Unspecified
Target Milestone: rc
Assignee: James Slagle
QA Contact: mkovacik
Blocks: sam13-tracker
Reported: 2013-06-10 19:39 UTC by Chris Duryee
Modified: 2013-10-01 10:55 UTC

Doc Type: Bug Fix
Last Closed: 2013-10-01 10:55:35 UTC
Type: Bug



External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2013:1390 normal SHIPPED_LIVE Release 1.3 of Subscription Asset Manager 2013-10-01 14:43:14 UTC

Description Chris Duryee 2013-06-10 19:39:09 UTC
Description of problem: Currently, subscription-splice-checkin must run as root in order to access splice log files along with katello log files.


Version-Release number of selected component (if applicable): 0.19


How reproducible: every time


Steps to Reproduce:
1. attempt to run spacewalk-splice-checkin as splice user

Actual results:
[root@dhcp129-162 ~]# su - splice -s /bin/bash
-bash-4.1$ spacewalk-splice-checkin --splice-sync
Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 21, in <module>
    from spacewalk_splice_tool import checkin, utils, constants
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 33, in <module>
    from spacewalk_splice_tool.katello_connect import KatelloConnection, NotFoundException
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/katello_connect.py", line 16, in <module>
    from katello.client.api.organization import OrganizationAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/organization.py", line 16, in <module>
    from katello.client.api.base import KatelloAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/base.py", line 16, in <module>
    from katello.client import server
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 48, in <module>
    class AuthenticationStrategy(object):
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 50, in AuthenticationStrategy
    _log = getLogger('katello')
  File "/usr/lib/python2.6/site-packages/katello/client/logutil.py", line 62, in getLogger
    os.mkdir(logdir)
OSError: [Errno 13] Permission denied: '/var/lib/splice/.katello'


Expected results: successful run of sst


Additional info: this may require changes to katello-cli to support using the API bindings as users besides katello and root, not sure.

Comment 1 James Slagle 2013-06-18 21:47:45 UTC
commit f0caa010762b5a13387da4eae05c8e8f20442cc7

I fixed the packaging to also set the owner and permissions on /var/lib/splice so that sst can run as a different user. Additionally, if it is running as a different user, I updated the ssh connection to always connect as root to the satellite (previously it was using the current user).

However, spacewalk-splice-tool is still configured to run as root.

Comment 2 Vitaly Kuznetsov 2013-06-21 12:37:10 UTC
I'm still having permission issues running sst under 'splice' user:
[Errno 13] Permission denied: '/var/log/splice/report_server.log'

Comment 3 Vitaly Kuznetsov 2013-06-21 13:06:55 UTC
BTW in spacewalk-splice-tool-0.24-1.el6sam.x86_64 cron jobs are still running under 'root' user:
# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync

Maybe they're responsible for screwing the permissions.

Comment 4 James Slagle 2013-06-21 17:08:17 UTC
commit 31106c110bc8636c05c97ed5e51a8c899ffb6883

Switched sst to run as splice user. This should resolve the issue.

Comment 5 Vitaly Kuznetsov 2013-06-24 14:12:20 UTC
Verified in spacewalk-splice-tool-0.25-1.el6sam:

# sudo -u splice /usr/bin/spacewalk-splice-checkin 
2013-06-24 10:11:13,973 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/spliceserver/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,073 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/spliceserver/'
2013-06-24 10:11:14,075 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/marketingproductusage/' 
	with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,174 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/marketingproductusage/'
Upload was successful

# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * splice /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * splice /usr/bin/spacewalk-splice-checkin --splice-sync

Nothing suspicious in /var/log/splice/spacewalk_splice_tool.log
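
An added example, not part of the original bug report or the spacewalk-splice-tool code: a shell audit for the two conditions hit in the comments above, cron.d jobs for the tool that run as a user other than splice, and files under /var/lib/splice and /var/log/splice that are not owned by splice. The function names and the --audit switch are hypothetical; the user, paths and cron.d layout are the ones shown in the report.

```shell
#!/bin/sh
# Added example: least-privilege audit for a cron-driven service account.
# User and directories come from the bug report; function names are made up.

# Print "user<TAB>command" for every job in cron.d-format text on stdin.
# cron.d lines are:  min hour dom mon dow USER command...
# or:                @nickname USER command...
cron_jobs() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            ufield = ($1 ~ /^@/) ? 2 : 6                 # position of the user column
            if (NF <= ufield) next                       # malformed: no command
            cmd = $(ufield + 1)
            for (i = ufield + 2; i <= NF; i++) cmd = cmd " " $i
            printf "%s\t%s\n", $ufield, cmd
        }'
}

# Print jobs whose command mentions $1 but whose user is not $2.
jobs_not_run_as() {
    cron_jobs | awk -F '\t' -v pat="$1" -v user="$2" \
        'index($2, pat) && $1 != user { print $1 "\t" $2 }'
}

# Print files under the given directories that are not owned by user $1,
# for example logs created earlier by a job that ran as root.
files_not_owned_by() {
    owner=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] && find "$dir" ! -user "$owner" -print
    done
    return 0
}

main() {
    cat /etc/cron.d/* 2>/dev/null |
        jobs_not_run_as spacewalk-splice-checkin splice
    files_not_owned_by splice /var/lib/splice /var/log/splice
}

# Only touch the real system when asked to.
if [ "${1:-}" = "--audit" ]; then main; fi
```

No output from an --audit run means every spacewalk-splice-checkin job runs as splice and nothing under the two directories belongs to another user.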

Comment 8 errata-xmlrpc 2013-10-01 10:55:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html

