RedHatSatellite/katello-cvmanager

Running cvmanager crashes with "Forbidden" error

Opened this issue · 7 comments

I'm trying to use the latest version of katello-cvmanager along with Red Hat Satellite 6.2.8 on EL7 (satellite-6.2.8-4.0.el7sat). When starting the utility I'm receiving the following error:

# ./cvmanager -n --verbose update
/usr/share/gems/gems/rest-client-1.6.7/lib/restclient/abstract_response.rb:48:in `return!': 403 Forbidden (RestClient::Forbidden)
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/request.rb:230:in `process_result'
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/request.rb:178:in `block in transmit'
        from /usr/share/ruby/net/http.rb:852:in `start'
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/request.rb:172:in `transmit'
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/request.rb:64:in `execute'
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/request.rb:33:in `execute'
        from /usr/share/gems/gems/rest-client-1.6.7/lib/restclient/resource.rb:51:in `get'
        from /usr/share/gems/gems/apipie-bindings-0.0.14/lib/apipie_bindings/api.rb:286:in `call_client'
        from /usr/share/gems/gems/apipie-bindings-0.0.14/lib/apipie_bindings/api.rb:217:in `http_call'
        from /usr/share/gems/gems/apipie-bindings-0.0.14/lib/apipie_bindings/api.rb:162:in `call'
        from /usr/share/gems/gems/apipie-bindings-0.0.14/lib/apipie_bindings/resource.rb:14:in `call'
        from ./cvmanager:208:in `update'
        from ./cvmanager:481:in `<main>'

In the Foreman production log I see the following entries when running the utility:

2017-04-07 13:51:30 [app] [I] Started GET "/katello/api/organizations/1/content_views?full_results=true" for ::1 at 2017-04-07 13:51:30 +0200
2017-04-07 13:51:30 [app] [I] Processing by Katello::Api::V2::ContentViewsController#index as JSON
2017-04-07 13:51:30 [app] [I]   Parameters: {"full_results"=>"true", "api_version"=>"v2", "organization_id"=>"1", "content_view"=>{}}
2017-04-07 13:51:30 [app] [I] Authorized user svc-cvmanager(Cedric CVManager)
2017-04-07 13:51:30 [app] [I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.6ms)
2017-04-07 13:51:30 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-04-07 13:51:30 [app] [I] Completed 403 Forbidden in 26ms (Views: 1.5ms | ActiveRecord: 4.6ms)

I created a dedicated service user for katello-cvmanager within Red Hat Satellite - for testing purposes (to ensure that this error is not forced by missing privileges) I assigned the administrator role to this user. I also ensured that SELinux is not forcing any errors.

By the way, this seems to apply only to Red Hat Satellite; with Foreman 1.13.4 I don't have these issues at all:

$ ./cvmanager -n --wait publish -v
    [VERBOSE] Checking Content View Default Organization View
    [VERBOSE] Checking Content View CentOS 7
$ rpm -qa|grep -i foreman
foreman-installer-1.13.4-1.el7.noarch
foreman-release-1.13.4-1.el7.noarch
...

Can you please post screenshots of the user attributes?
It should work just fine with both Satellite and Foreman/Katello.

Hey evgeni,
of course - see attached.
[Attached: four screenshots, dated 2017-04-14]

Cool. Thanks. I see the user is a full admin, but not added to the default Organization. This should not make a difference (as the admin flag should override it) but could you please add the org?

Your traceback has orgid 1 in it. And that is most probably the default org. Or try setting the right id of the Stankowic org in the conf.
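In the production log quoted in this issue, the 403 is logged after "Authorized user", so the login succeeded and the refusal is an authorization decision on a request scoped to organization 1. As an added example (not part of cvmanager and not posted by anyone in this thread), the Ruby script below extracts such authenticated-but-denied requests from a Foreman production.log. It assumes the log format quoted above and that one request's lines are not interleaved with another's; the second request in the sample is constructed.

```ruby
# Added example: find requests where the user authenticated but got 403.
# SAMPLE_LOG: the first request is quoted from this issue, the second is constructed.
SAMPLE_LOG = <<~'LOG'
  2017-04-07 13:51:30 [app] [I] Started GET "/katello/api/organizations/1/content_views?full_results=true" for ::1 at 2017-04-07 13:51:30 +0200
  2017-04-07 13:51:30 [app] [I] Authorized user svc-cvmanager(Cedric CVManager)
  2017-04-07 13:51:30 [app] [I] Filter chain halted as :authorize rendered or redirected
  2017-04-07 13:51:30 [app] [I] Completed 403 Forbidden in 26ms (Views: 1.5ms | ActiveRecord: 4.6ms)
  2017-04-07 13:52:10 [app] [I] Started GET "/katello/api/organizations/3/content_views?full_results=true" for ::1 at 2017-04-07 13:52:10 +0200
  2017-04-07 13:52:10 [app] [I] Authorized user svc-cvmanager(Cedric CVManager)
  2017-04-07 13:52:10 [app] [I] Completed 200 OK in 40ms (Views: 1.5ms | ActiveRecord: 4.6ms)
LOG

STARTED   = /\[app\] \[I\] Started (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<client>\S+)/
USER      = /\[app\] \[I\] Authorized user (?<login>[^\s(]+)/
COMPLETED = /\[app\] \[I\] Completed (?<status>\d{3})/
ORG_ID    = %r{/organizations/(?<org>\d+)/}

# Walk the log request by request ("Started" ... "Completed") and collect denials.
def denied_requests(log_text)
  denied, current = [], nil
  log_text.each_line do |line|
    if (m = STARTED.match(line))
      org = ORG_ID.match(m[:path])
      current = { verb: m[:verb], path: m[:path], client: m[:client], user: nil, org_id: org && org[:org].to_i }
    elsif current && (m = USER.match(line))
      current[:user] = m[:login]
    elsif current && (m = COMPLETED.match(line))
      # A known user plus a 403 means authorization failed, not authentication.
      denied << current if m[:status] == "403" && current[:user]
      current = nil
    end
  end
  denied
end

# Group denials by (user, organization id) so a scoping mismatch stands out.
def summarize(denied)
  denied.group_by { |r| [r[:user], r[:org_id]] }.map do |(user, org), reqs|
    { user: user, org_id: org, count: reqs.size, paths: reqs.map { |r| r[:path] }.uniq }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarize(denied_requests(SAMPLE_LOG)).each do |row|
    puts "#{row[:user]} denied #{row[:count]}x on organization #{row[:org_id].inspect}: #{row[:paths].join(', ')}"
  end
end
```

The organization id in each reported path can then be compared against the `:org:` value in the cvmanager config and the organizations assigned to the service user.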

Hey evgeni!

Thanks for the hint! Assigning the organization and location fixed the authorization issue.

But unfortunately updating, publishing and promoting the CV does not work at all. I can't see any new versions in the backend. Also, the --verbose parameter is not very useful:

cvmanager --wait publish --verbose
    [VERBOSE] Checking Content View Default Organization View
    [VERBOSE] Checking Content View CentOS Stankowic 7
cvmanager --wait update --verbose
cvmanager --wait promote --verbose

The result for Red Hat Satellite is the same. Even using --force does not update, promote or publish any content views.

Can you post your config please? I almost bet it is another name vs label issue, see #23.

Here's my config - already thought about the name/label thing:

---
:settings:
  :user: ...
  :pass: ...
  :uri: https://localhost
  :timeout: 300
  :org: 3
  :lifecycle: 3
  :keep: 5
  :promote_cvs: true
  :checkrepos: true
:cv:
  CentOS_7: latest
:publish:
  - CentOS_7
:promote:
  - CentOS_7

I don't have any CCVs, only a CV I want to update and promote automatically to my development environment. Also double-checked all the IDs. Any hints?