Bug #20321

Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2

Added by Mac Reid 3 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assigned To: Marek Hulán
Category: Organizations and Locations
Target version: -
Difficulty:
Bugzilla link:
Found in release: 1.15.1
Pull request: https://github.com/theforeman/foreman/pull/4681
Story points: -
Velocity based estimate: -
Release: 1.15.3
Release relationship: Auto

Description

Foreman 1.15.1 installed on RHEL 7.3 Server. Complete list of Foreman packages (from About page): https://gist.github.com/mac-reid/9a6aa5e2c514f7031c18c8b97108cf91

The smart proxy is installed on the same system with the following features: Pulp, TFTP, Puppet, Puppet CA, Logs, Dynflow, Openscap, and SSH

Plugins are:

foreman-tasks    0.9.2
foreman_docker   3.1.0
foreman_openscap 1.3.1
katello          3.4.2

I am trying to get the foreman-rake import:puppet_classes action working at the command line. Importing puppet classes works from the web interface, and in the web interface there is also a smart proxy with Puppet enabled.

With debug logging enabled in ~foreman/settings.yaml, this is the error output I get:

[root@foreman ~]# foreman-rake puppet:import:puppet_classes --trace
** Invoke puppet:import:puppet_classes (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute puppet:import:puppet_classes
ERROR: We did not find at least one configured Smart Proxy with the Puppet feature

[root@foreman ~]# foreman-tail
==> /var/log/messages <==
Jul 17 09:38:55 foreman su: (to foreman) root on pts/0

==> /var/log/foreman/production.log <==
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] stop listening for new events...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating clock...

After setting the sql logger to debug, this is the output to /var/log/foreman/production.log:

https://gist.githubusercontent.com/mac-reid/599bb1ff496e7366b63a19361666dbee


Related issues

Related to Foreman - Bug #16982: CVE-2016-7078 - User with no organizations or locations c... Closed 10/18/2016

Associated revisions

Revision 466a6982
Added by Marek Hulán 3 months ago

Fixes #20321 - run puppet tasks under admin

Revision 3b3aa8a3
Added by Marek Hulán 2 months ago

Fixes #20321 - run puppet tasks under admin

(cherry picked from commit 466a6982a9b3479002ea5aecc1613def98dae777)

History

#1 Updated by Dmitri Dolguikh 3 months ago

  • Project changed from Smart Proxy to Foreman

#2 Updated by Mac Reid 3 months ago

The list of installed Foreman packages is actually available here: https://gist.github.com/mac-reid/e4f9ac92a86e9006afa1fdc4ff9b077d

#3 Updated by Marek Hulán 3 months ago

Double check the proxy is assigned to the right organization and has puppet feature. If you don't see the feature, try refreshing the proxy.

#4 Updated by Mac Reid 3 months ago

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

#5 Updated by Marek Hulán 3 months ago

  • Category set to Organizations and Locations
  • Assigned To set to Marek Hulán
  • Release set to 1.15.3
  • Found in release set to 1.15.1

From the production.log with SQL queries (thanks for providing it), this query likely causes it

SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

The 1=0 is usually being added when the user does not have enough permissions or the taxonomies do not match. I believe it's caused by #16982 which was introduced in 1.15. The rake task needs to run under the internal anonymous admin so it can load resources from specific organizations. The fix should be trivial, would you be interested in testing it?

I'm marking as 1.15.3 blocker.
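
The diagnosis in comment #5, as a runnable sketch. This is an added example and is not part of the thread or of Foreman's code: a toy scoping layer in which a task with no current user gets an empty visible set, rendered as (1=0), while the same query under an admin context carries no restriction. All class, method and user names are hypothetical.

```ruby
# Toy model of fail-closed taxonomy scoping (added illustration; every name
# here is hypothetical, this is not Foreman's implementation).
ToyUser  = Struct.new(:login, :admin, :org_ids)
ToyProxy = Struct.new(:id, :org_id, :features)

# Constructed sample data: one proxy in organization 10 with the Puppet feature.
PROXIES = [ToyProxy.new(1, 10, %w[Pulp TFTP Puppet])]
FEATURE = %q{"features"."name" = 'Puppet'}
BASE_SQL = 'SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ' \
           'ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" ' \
           'INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id"'

# The current user is thread-local and stays nil unless a caller sets it,
# which is the situation of a command-line task that never logs anyone in.
def current_user
  Thread.current[:toy_user]
end

def as_user(user)
  previous = Thread.current[:toy_user]
  Thread.current[:toy_user] = user
  yield
ensure
  Thread.current[:toy_user] = previous
end

# nil means "no restriction" (admin); an empty list means nothing is visible.
def visible_proxy_ids
  user = current_user
  return nil if user && user.admin
  org_ids = user ? user.org_ids : []
  PROXIES.select { |p| org_ids.include?(p.org_id) }.map(&:id)
end

def puppet_proxy_sql
  ids = visible_proxy_ids
  scope = if ids.nil? then nil
          elsif ids.empty? then '(1=0)' # empty ID list becomes an always-false filter
          else '"smart_proxies"."id" IN (' + ids.join(', ') + ')'
          end
  "#{BASE_SQL} WHERE " + [scope, FEATURE].compact.join(' AND ')
end

def puppet_proxy_count
  ids = visible_proxy_ids
  PROXIES.count { |p| p.features.include?('Puppet') && (ids.nil? || ids.include?(p.id)) }
end

ADMIN  = ToyUser.new('toy_admin', true, [])
MEMBER = ToyUser.new('toy_member', false, [10])
```

Calling `puppet_proxy_sql` with no user set reproduces the failing query from the log, and wrapping the call in `as_user(ADMIN) { ... }` reproduces the query from the working system.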

#6 Updated by Marek Hulán 3 months ago

  • Related to Bug #16982: CVE-2016-7078 - User with no organizations or locations can see all resources added

#7 Updated by Arne Anka 3 months ago

  • Category deleted (Organizations and Locations)
  • Assigned To deleted (Marek Hulán)
  • Release deleted (1.15.3)
  • Found in release deleted (1.15.1)

Mac Reid wrote:

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

I can confirm this bug in Foreman 1.15.2/Katello 3.4.3 running on a freshly installed centos 7.3 + updated packages. In my production setup I run Foreman 1.14.3/Katello 3.3.2 on centos 7.3 + updated packages and it's working there without any problems.

I compared the sql debugging between my setups and suspect this sql statement is problematic. Running this in the database doesn't return anything.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

This is from my working production system.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE "features"."name" = 'Puppet'

The problem should be related to this part.
...WHERE (1=0) AND...

Hope this helps!

#8 Updated by Arne Anka 3 months ago

Arne Anka wrote:

Mac Reid wrote:

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

I can confirm this bug in Foreman 1.15.2/Katello 3.4.3 running on a freshly installed centos 7.3 + updated packages. In my production setup I run Foreman 1.14.3/Katello 3.3.2 on centos 7.3 + updated packages and it's working there without any problems.

I compared the sql debugging between my setups and suspect this sql statement is problematic. Running this in the database doesn't return anything.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

This is from my working production system.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE "features"."name" = 'Puppet'

The problem should be related to this part.
...WHERE (1=0) AND...

Hope this helps!

Ohh, too late...

#9 Updated by Mac Reid 3 months ago

  • Category set to Organizations and Locations
  • Assigned To set to Marek Hulán
  • Release set to 1.15.3
  • Found in release set to 1.15.1

Sure, I can test the fix.

#10 Updated by Marek Hulán 3 months ago

I've sent a PR at https://github.com/theforeman/foreman/pull/4681, please try to apply that (you can just download the new version of puppet.rake). Please let us know whether it fixes the issue for you.

#11 Updated by Mac Reid 3 months ago

Running `foreman-rake puppet:import:puppet_classes` works as expected.

Not sure if this is expected, but running `foreman-rake import:puppet_classes` fails.

mv /usr/share/foreman/lib/tasks/puppet.rake ~
curl https://raw.githubusercontent.com/ares/foreman/3287b167d508715519a772b92a11e8904f504548/lib/tasks/puppet.rake -o /usr/share/foreman/lib/tasks/puppet.rake
touch ~foreman/tmp/restart.txt; sleep 20
foreman-rake import:puppet_classes --trace
rake aborted!
Don't know how to build task 'import:puppet_classes'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task_manager.rb:62:in `[]'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:149:in `invoke_task'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block (2 levels) in top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `each'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block in top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:115:in `run_with_threads'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:100:in `top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:78:in `block in run'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:176:in `standard_exception_handling'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:75:in `run'
/opt/rh/rh-ruby22/root/usr/bin/rake:33:in `<main>'

#12 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4681 added

#13 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
