Ivan Necas (inecas) reports:

Description of problem:
Since this patch in upstream https://github.com/Katello/katello/commit/a8c987213a3fa15bda493802a21594e2c53ad346#L2R21 the calls to katello that are directly proxied to candlepin skip proper authorization. These are mostly the calls that are performed by subscription-manager from registered systems (listing available subscriptions, subscribing, unsubscribing etc.).

Version-Release number of selected component (if applicable):
All the versions containing the patch above. Should be only Sat6 MDP1 and SAM 1.3 beta.

How reproducible:
Always

Steps to Reproduce:
1. subscription-manager register # against a katello instance
2. subscription-manager identity # note the uuid
3. curl -k -u admin:admin https://localhost/katello/api/consumers/{uuid}/owner

Actual results:
The user is allowed to access this url with user credentials.

Expected results:
The call should be allowed only for the subscribed system with proper consumer certificate.
This is not a bug on SAM 1.4:

[root@bkearney ~]# subscription-manager register
Username: admin
Password:
Organization: ACME_Corporation
The system has been registered with ID: e333a1fa-5b00-4682-89c7-0ff8a8ee1c91
[root@bkearney ~]# curl -k -u admin:admin https://ibm-x3250m4-07.lab.eng.rdu2.redhat.com/sam/api/consumers/e333a1fa-5b00-4682-89c7-0ff8a8ee1c91/owner
{"displayMessage":"User admin is not allowed to access api/v1/candlepin_proxies/get","errors":["User admin is not allowed to access api/v1/candlepin_proxies/get"]}[ro
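The authorization rule the report asks for, and that the SAM 1.4 output above shows being enforced, written out as an added example in Ruby. This is not Katello's own code: the request/auth hashes, the path regex and the reason symbols are assumptions made for the example. The point it demonstrates is that a call proxied to Candlepin under api/consumers/{uuid}/... is accepted only when the caller authenticated with the consumer certificate of that same uuid; user credentials (curl -u admin:admin) are rejected even for an admin, and a certificate for a different consumer is rejected too.

```ruby
# Added example, not Katello's code: a hypothetical authorization rule for the
# Katello endpoints that are proxied straight to Candlepin.

# Matches the proxied consumer endpoints from the report, e.g.
# /katello/api/consumers/{uuid}/owner (the SAM deployment uses /sam/ instead).
CONSUMER_PROXY_PATH = %r{\A/(?:katello|sam)/api/consumers/([0-9a-fA-F-]{36})(?:/|\z)}

# auth is a hash describing how the request authenticated (assumed shape):
#   { type: :basic,         user: 'admin' }    -- HTTP basic auth (curl -u admin:admin)
#   { type: :consumer_cert, uuid: '<uuid>' }   -- client cert issued at registration
# Returns [allowed?, reason] for proxied consumer calls, or nil when the path is
# not a proxied consumer call and the regular user-permission check applies.
def authorize_candlepin_proxy(path, auth)
  match = CONSUMER_PROXY_PATH.match(path)
  return nil unless match
  return [false, :no_credentials] if auth.nil?

  case auth[:type]
  when :consumer_cert
    # The uuid in the certificate must be the consumer named in the URL, so one
    # registered system cannot read or change another system's subscriptions.
    if auth[:uuid].to_s.downcase == match[1].downcase
      [true, :consumer_cert_matches_path]
    else
      [false, :consumer_uuid_mismatch]
    end
  when :basic
    # User credentials are never accepted on these endpoints, admin included.
    [false, :user_credentials_not_accepted]
  else
    [false, :unknown_auth_type]
  end
end

# Walk through the report's reproduction steps with sample data.
SAMPLE_UUID = 'e333a1fa-5b00-4682-89c7-0ff8a8ee1c91'  # the ID printed in the SAM 1.4 comment
OTHER_UUID  = '11111111-2222-3333-4444-555555555555'  # constructed: some other registered system
OWNER_PATH  = "/katello/api/consumers/#{SAMPLE_UUID}/owner"

def reproduction_results
  {
    # step 3 of the report: curl -k -u admin:admin .../consumers/{uuid}/owner
    admin_basic_auth:  authorize_candlepin_proxy(OWNER_PATH, type: :basic, user: 'admin'),
    # the registered system itself, presenting its own consumer certificate
    own_consumer_cert: authorize_candlepin_proxy(OWNER_PATH, type: :consumer_cert, uuid: SAMPLE_UUID),
    # a different registered system trying to read this consumer's owner
    other_consumer:    authorize_candlepin_proxy(OWNER_PATH, type: :consumer_cert, uuid: OTHER_UUID),
    # a non-proxied API path: this rule does not apply, normal user auth does
    unrelated_path:    authorize_candlepin_proxy('/katello/api/organizations', type: :basic, user: 'admin'),
  }
end

if __FILE__ == $PROGRAM_NAME
  reproduction_results.each do |name, result|
    allowed, reason = result
    puts "#{name}: #{result.nil? ? 'not a proxied consumer call' : (allowed ? 'ALLOWED' : 'DENIED')}#{reason ? " (#{reason})" : ''}"
  end
end
```

Run with `ruby proxy_auth_example.rb`. The admin_basic_auth case is the report's step 3 and is denied, which is the behaviour the SAM 1.4 comment shows ("User admin is not allowed to access api/v1/candlepin_proxies/get"); the own_consumer_cert case is the only one allowed.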