[Spacewalk-list] Spacewalk Proxy 1.6 and non-self signed certificates
Scott Worthington
scott.c.worthington at gmail.com
Mon Jan 16 14:49:12 UTC 2012
On Monday, January 16, 2012 7:15:13 AM, Jan Pazdziora wrote:
> On Tue, Jan 10, 2012 at 02:13:40PM -0500, Scott Worthington wrote:
>> On Tuesday, January 10, 2012 10:33:54 AM, Jan Pazdziora wrote:
>>
>> [...]
>>
>>> The error is
>>>
>>> [error] acl fail: user_role(org_admin); system_feature(ftr_proxy_capable); org_channel_family(rhn-proxy); child_channel_candidate(rhn-proxy) at /usr/lib/perl5/vendor_perl/5.8.8/PXT/ApacheAuth.pm line 141.
>>>
>>> in /var/log/httpd/error_log.
>>>
>>> Mirek, can you investigate?
>>>
>>>> Since the Spacewalk Proxy successfully activated to Spacewalk, I
>>>> assumed all was go.
>>>
>>> Yes, your Proxy should be good to go, you just won't be able to see it
>>> on the WebUI.
>>>
>>>> Any idea where else I should look to find out why I am getting a
>>>> permission error?
>>>
>>> It's a .pxt page, so under /var/log/httpd.
>>
>> Yes, just as you said, I found the errors the /var/log/httpd/error_log
>> as:
>>
>> acl fail: user_role(org_admin); system_feature(ftr_proxy_capable);
>> org_channel_family(rhn-prdidate(rhn-proxy) at
>> /usr/share/perl5/vendor_perl/PXT/ApacheAuth.pm line 141
>
> Could you please apply the following patch to
> /etc/httpd/conf.d/zz-spacewalk-www.conf, restart httpd and see
> if it fixes the problem for you?
>
> diff --git a/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf b/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> index cde64a3..33fcaeb 100644
> --- a/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> +++ b/spacewalk/config/etc/httpd/conf.d/zz-spacewalk-www.conf
> @@ -161,7 +161,7 @@ PerlModule PXT::ApacheAuth
> <Files proxy.pxt>
> ForceType text/pxt
> SetHandler perl-script
> - require acl mixin RHN::Access::System user_role(org_admin); system_feature(ftr_proxy_capable); org_channel_family(rhn-proxy); child_channel_candidate(rhn-proxy)
> + require acl mixin RHN::Access::System user_role(org_admin); system_feature(ftr_proxy_capable) or system_is_proxy(); org_channel_family(rhn-proxy) or system_is_proxy(); child_channel_candidate(rhn-proxy) or system_is_proxy()
> </Files>
>
> <Files activation.pxt>
>
Jan,
I applied the diff above (effectively replacing line 164) in my
/etc/httpd/conf.d/zz-spacewalk-www.conf and then performed a 'service
httpd restart'.
I tried clicking on the "Proxy" link for the System that is a Spacewalk
Proxy and received
the following traceback via e-mail as well as a "500 Error - Internal
Server Error", but this
time only listing one
item: "1. You've found an error in the site. Please report this error
to your local administrator
with details of how you received this message."
The following exception occurred while executing this request:
GET /network/systems/details/proxy.pxt?sid=1000010042 HTTP/1.1 (from
browser) /network/systems/details/proxy.pxt (from Apache)
Date:
Mon Jan 16 09:36:20 2012
Headers:
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Cookie: pxt-session-cookie=33165x905d9829f5f732eeada9d0bf770694ba
Host: tpa-spacewalk-01.example.local
Referer:
https://tpa-spacewalk-01.example.local/rhn/systems/details/Overview.do?sid=1000010042
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1)
Gecko/20100101 Firefox/9.0.1
X-ClickOnceSupport: ( .NET CLR 3.5.30729; .NET4.0E)
Form variables:
sid => 1000010042
User Information:
User alocaluser (id 2, org_id 1)
Error notes:
(none)
Initial Request:
Yes
Error message:
RHN::Exception: User '2' attempted to access proxy interface without
permission.
Sniglets::Servers /usr/share/perl5/vendor_perl/Sniglets/Servers.pm
150 RHN::Exception::throw
PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 160
Sniglets::Servers::proxy_entitlement_form
PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 72
PXT::Parser::expand_tag
PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm
500 PXT::Parser::expand_tags
PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm
103 PXT::ApacheHandler::pxt_parse_data
PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm
103 (eval)
main -e 0 PXT::ApacheHandler::handler
main -e 0 (eval)
My account "alocaluser" is an Organizational Administrator.
Thinking that the error may be tied to "Organizational Administrator"
permission, I logged in with
my user that is the "Satellite Administrator". I received the same
e-mail traceback error as above.
The /var/log/httpd/error_log contains:
[Mon Jan 16 09:41:39 2012] [error] Execution of
/var/www/html/network/systems/details/proxy.pxt
failed at Mon Jan 16 09:41:39 2012: RHN::Exception: User '1' attempted
to access proxy interface without
permission.\n Sniglets::Servers
/usr/share/perl5/vendor_perl/Sniglets/Servers.pm 150
RHN::Exception::throw\n
PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 160
Sniglets::Servers::proxy_entitlement_form\n
PXT::Parser /usr/share/perl5/vendor_perl/PXT/Parser.pm 72
PXT::Parser::expand_tag\n PXT::ApacheHandler
/usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 500
PXT::Parser::expand_tags\n PXT::ApacheHandler
/usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm 103
PXT::ApacheHandler::pxt_parse_data\n
PXT::ApacheHandler /usr/share/perl5/vendor_perl/PXT/ApacheHandler.pm
103 (eval)\n main -e 0
PXT::ApacheHandler::handler\n main -e 0 (eval)
Hope this helps uncover the permissions problem.
More information about the Spacewalk-list
mailing list