[Spacewalk-list] Spacewalk Proxy 1.6 and non-self signed certificates

Scott Worthington scott.c.worthington at gmail.com
Mon Jan 16 14:49:12 UTC 2012


On Monday, January 16, 2012 7:15:13 AM, Jan Pazdziora wrote:
> On Tue, Jan 10, 2012 at 02:13:40PM -0500, Scott Worthington wrote:
>> On Tuesday, January 10, 2012 10:33:54 AM, Jan Pazdziora wrote:
>>
>> [...]
>>
>>> The error is
>>>
>>> 	[error] acl fail: user_role(org_admin); system_feature(ftr_proxy_capable); org_channel_family(rhn-proxy); child_channel_candidate(rhn-proxy) at /usr/lib/perl5/vendor_perl/5.8.8/PXT/ApacheAuth.pm line 141.
>>>
>>> in /var/log/httpd/error_log.
>>>
>>> Mirek, can you investigate?
>>>
>>>> Since the Spacewalk Proxy successfully activated to Spacewalk, I
>>>> assumed all was go.
>>>
>>> Yes, your Proxy should be good to go, you just won't be able to see it
>>> on the WebUI.
>>>
>>>> Any idea where else I should look to find out why I am getting a
>>>> permission error?
>>>
>>> It's a .pxt page, so under /var/log/httpd.
>>
>> Yes, just as you said, I found the errors in the /var/log/httpd/error_log
>> as:
>>
>> acl fail: user_role(org_admin); system_feature(ftr_proxy_capable); 
>> org_channel_family(rhn-prdidate(rhn-proxy) at 
>> /usr/share/perl5/vendor_perl/PXT/ApacheAuth.pm line 141
>
> Could you please apply the following patch to
> /etc/httpd/conf.d/zz-spacewalk-www.conf, restart httpd and see
> if it fixes the problem for you?
>
> diff --git a/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf b/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> index cde64a3..33fcaeb 100644
> --- a/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> +++ b/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> @@ -161,7 +161,7 @@ PerlModule PXT::ApacheAuth
>  	<Files proxy.pxt>
>  		ForceType text/pxt
>  		SetHandler perl-script
> -		require acl mixin RHN::Access::System user_role(org_admin); system_feature(ftr_proxy_capable); org_channel_family(rhn-proxy); child_channel_candidate(rhn-proxy)
> +		require acl mixin RHN::Access::System user_role(org_admin); system_feature(ftr_proxy_capable) or system_is_proxy(); org_channel_family(rhn-proxy) or system_is_proxy(); child_channel_candidate(rhn-proxy) or system_is_proxy()
>  	</Files>
>  
>  	<Files activation.pxt>
>
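Review bot: On the changed "require acl" line, "or system_is_proxy()" is appended to three of the four clauses, but nothing in the hunk says how "or" groups relative to the ";" separators. If "or" binds inside each ";"-separated clause, user_role(org_admin) stays mandatory and only the ftr_proxy_capable, org_channel_family(rhn-proxy) and child_channel_candidate(rhn-proxy) checks are relaxed for a system that is already a proxy; please confirm that reading and put a comment above the line saying so, so that the org_admin requirement cannot be mistaken for one of the alternatives. The acl in this file is also only the first gate: the traceback later in this message shows Sniglets::Servers::proxy_entitlement_form raising its own permission exception for proxy.pxt, so the same condition likely needs to be handled there as well.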

Jan, 

I applied the diff above (effectively replacing line 164) in my 
/etc/httpd/conf.d/zz-spacewalk-www.conf and then performed a 'service 
httpd restart'.

I tried clicking on the "Proxy" link for the System that is a Spacewalk
Proxy and received the following traceback via e-mail as well as a
"500 Error - Internal Server Error", but this time only listing one
item: "1. You've found an error in the site. Please report this error
to your local administrator with details of how you received this
message."

The following exception occurred while executing this request:
 GET /network/systems/details/proxy.pxt?sid=1000010042 HTTP/1.1 (from browser)  /network/systems/details/proxy.pxt (from Apache)

Date:
  Mon Jan 16 09:36:20 2012

Headers:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Accept-Encoding: gzip, deflate
  Accept-Language: en-us,en;q=0.5
  Connection: keep-alive
  Cookie: pxt-session-cookie=33165x905d9829f5f732eeada9d0bf770694ba
  Host: tpa-spacewalk-01.example.local
  Referer: https://tpa-spacewalk-01.example.local/rhn/systems/details/Overview.do?sid=1000010042
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
  X-ClickOnceSupport: ( .NET CLR 3.5.30729; .NET4.0E)

Form variables:
  sid => 1000010042

User Information:
  User alocaluser (id 2, org_id 1)

Error notes:
  (none)

Initial Request:
  Yes

Error message:
  RHN::Exception: User '2' attempted to access proxy interface without permission.
  Sniglets::Servers /usr/share/perl5/vendor_perl/Sniglets/Servers.pm 150 RHN::Exception::throw
  PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 160 Sniglets::Servers::proxy_entitlement_form
  PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 72 PXT::Parser::expand_tag
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 500 PXT::Parser::expand_tags
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 103 PXT::ApacheHandler::pxt_parse_data
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 103 (eval)
  main -e 0 PXT::ApacheHandler::handler
  main -e 0 (eval)
    
My account "alocaluser" is an Organizational Administrator.

Thinking that the error may be tied to "Organizational Administrator"
permission, I logged in with my user that is the "Satellite
Administrator".  I received the same e-mail traceback error as above.

The /var/log/httpd/error_log contains:

[Mon Jan 16 09:41:39 2012] [error] Execution of /var/www/html/network/systems/details/proxy.pxt failed at Mon Jan 16 09:41:39 2012: RHN::Exception: User '1' attempted to access proxy interface without permission.\n
  Sniglets::Servers /usr/share/perl5/vendor_perl/Sniglets/Servers.pm 150 RHN::Exception::throw\n
  PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 160 Sniglets::Servers::proxy_entitlement_form\n
  PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 72 PXT::Parser::expand_tag\n
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 500 PXT::Parser::expand_tags\n
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 103 PXT::ApacheHandler::pxt_parse_data\n
  PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 103 (eval)\n
  main -e 0 PXT::ApacheHandler::handler\n
  main -e 0 (eval)

Hope this helps uncover the permissions problem.



