Bug #20321

Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2

Added by Mac Reid about 2 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Organizations and Locations

Description

Foreman 1.15.1 installed on RHEL 7.3 Server. Complete list of Foreman packages (from About page): https://gist.github.com/mac-reid/9a6aa5e2c514f7031c18c8b97108cf91

The smart proxy is installed on the same system with the following features: Pulp, TFTP, Puppet, Puppet CA, Logs, Dynflow, Openscap, and SSH

Plugins are:

foreman-tasks    0.9.2
foreman_docker   3.1.0
foreman_openscap 1.3.1
katello          3.4.2

I am trying to get the foreman-rake import:puppet_classes action working at the command line. Importing puppet classes works from the web interface and, also in the web interface, there is a smart proxy with Puppet enabled.

With debug logging enabled in ~foreman/settings.yaml, this is the error output I get:

[root@foreman ~]# foreman-rake puppet:import:puppet_classes --trace
** Invoke puppet:import:puppet_classes (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute puppet:import:puppet_classes
ERROR: We did not find at least one configured Smart Proxy with the Puppet feature

[root@foreman ~]# foreman-tail
==> /var/log/messages <==
Jul 17 09:38:55 foreman su: (to foreman) root on pts/0

==> /var/log/foreman/production.log <==
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] stop listening for new events...
2017-07-17 09:39:05  [foreman-tasks/dynflow] [I] start terminating clock...

After setting the sql logger to debug, this is the output to /var/log/foreman/production.log:

https://gist.githubusercontent.com/mac-reid/599bb1ff496e7366b63a19361666dbee


Related issues

Related to Foreman - Bug #16982: CVE-2016-7078 - User with no organizations or locations can see all resources (Closed, 2016-10-18)

Associated revisions

Revision 466a6982 (diff)
Added by Marek Hulán about 2 years ago

Fixes #20321 - run puppet tasks under admin

Revision 3b3aa8a3 (diff)
Added by Marek Hulán about 2 years ago

Fixes #20321 - run puppet tasks under admin

(cherry picked from commit 466a6982a9b3479002ea5aecc1613def98dae777)

History

#1 Updated by Dmitri Dolguikh about 2 years ago

  • Project changed from Smart Proxy to Foreman

#2 Updated by Mac Reid about 2 years ago

The list of installed Foreman packages is actually available here: https://gist.github.com/mac-reid/e4f9ac92a86e9006afa1fdc4ff9b077d

#3 Updated by Marek Hulán about 2 years ago

Double check the proxy is assigned to the right organization and has puppet feature. If you don't see the feature, try refreshing the proxy.

#4 Updated by Mac Reid about 2 years ago

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

#5 Updated by Marek Hulán about 2 years ago

  • Category set to Organizations and Locations
  • Assignee set to Marek Hulán
  • Legacy Backlogs Release (now unused) set to 276

From the production.log with SQL queries (thanks for providing it), this query likely causes it:

SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

The 1=0 is usually being added when the user does not have enough permissions or the taxonomies do not match. I believe it's caused by #16982 which was introduced in 1.15. The rake task needs to run under the internal anonymous admin so it can load resources from specific organizations. The fix should be trivial, would you be interested in testing it?

I'm marking as 1.15.3 blocker.
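
Added example (not part of the original thread and not Foreman's code): a minimal Ruby model of the fail-closed scoping described in comment #5, where a lookup built with no current user or no matching organization gets `(1=0)`, and the same lookup inside an admin block does not. The names `Session`, `as_admin`, `taxonomy_clause`, `puppet_proxy_where` and the sample data are hypothetical.

```ruby
# Added illustration, not Foreman code. All names here are hypothetical.
User = Struct.new(:login, :admin, :organization_ids)

module Session
  class << self
    attr_accessor :current_user

    # Run the block as a temporary internal admin and always restore the
    # previous context, so the elevation cannot leak past the block.
    def as_admin
      previous = current_user
      self.current_user = User.new('internal_admin', true, [])
      yield
    ensure
      self.current_user = previous
    end
  end
end

# Constructed sample data: smart proxy id => organization ids it belongs to.
PROXY_ORGS = { 1 => [10] }.freeze

# Taxonomy restriction for the current context. Fails closed: no user, or no
# organization in common with any proxy, yields a clause that matches nothing.
def taxonomy_clause
  user = Session.current_user
  return '(1=0)' if user.nil?
  return nil if user.admin

  ids = PROXY_ORGS.select { |_, orgs| (orgs & user.organization_ids).any? }.keys
  ids.empty? ? '(1=0)' : %Q["smart_proxies"."id" IN (#{ids.join(', ')})]
end

# WHERE part of the "proxies with the Puppet feature" lookup seen in the log.
def puppet_proxy_where
  conditions = [taxonomy_clause, %q["features"."name" = 'Puppet']].compact
  "WHERE #{conditions.join(' AND ')}"
end

if __FILE__ == $PROGRAM_NAME
  Session.current_user = nil                    # rake task: nobody logged in
  puts puppet_proxy_where                       # restricted to nothing
  puts Session.as_admin { puppet_proxy_where }  # elevated for this lookup only
end
```

Restoring the previous context in `ensure` keeps the deny-by-default behaviour for every caller outside the block, including when the block raises.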

#6 Updated by Marek Hulán about 2 years ago

  • Related to Bug #16982: CVE-2016-7078 - User with no organizations or locations can see all resources added

#7 Updated by Arne Anka about 2 years ago

  • Category deleted (Organizations and Locations)
  • Assignee deleted (Marek Hulán)
  • Legacy Backlogs Release (now unused) deleted (276)

Mac Reid wrote:

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

I can confirm this bug in Foreman 1.15.2/Katello 3.4.3 running on a freshly installed centos 7.3 + updated packages. In my production setup I run Foreman 1.14.3/Katello 3.3.2 on centos 7.3 + updated packages and it's working there without any problems.

I compared the sql debugging between my setups and suspect this sql statement is problematic. Running this in the database doesn't return anything.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

This is from my working production system.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE "features"."name" = 'Puppet'

The problem should be related to this part.
...WHERE (1=0) AND...

Hope this helps!

#8 Updated by Arne Anka about 2 years ago

Arne Anka wrote:

Mac Reid wrote:

The smart proxy is assigned to the only org, has the Puppet feature, and shows as active in the web interface.

I can confirm this bug in Foreman 1.15.2/Katello 3.4.3 running on a freshly installed centos 7.3 + updated packages. In my production setup I run Foreman 1.14.3/Katello 3.3.2 on centos 7.3 + updated packages and it's working there without any problems.

I compared the sql debugging between my setups and suspect this sql statement is problematic. Running this in the database doesn't return anything.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE (1=0) AND "features"."name" = 'Puppet'

This is from my working production system.
SELECT COUNT(*) FROM "smart_proxies" INNER JOIN "features_smart_proxies" ON "features_smart_proxies"."smart_proxy_id" = "smart_proxies"."id" INNER JOIN "features" ON "features"."id" = "features_smart_proxies"."feature_id" WHERE "features"."name" = 'Puppet'

The problem should be related to this part.
...WHERE (1=0) AND...

Hope this helps!

Ohh, too late...

#9 Updated by Mac Reid about 2 years ago

  • Category set to Organizations and Locations
  • Assignee set to Marek Hulán
  • Legacy Backlogs Release (now unused) set to 276

Sure, I can test the fix.

#10 Updated by Marek Hulán about 2 years ago

I've sent a PR at https://github.com/theforeman/foreman/pull/4681, please try to apply that (you can just download the new version of puppet.rake). Please let us know whether it fixes the issue for you.

#11 Updated by Mac Reid about 2 years ago

Running `foreman-rake puppet:import:puppet_classes` works as expected.

Not sure if this is expected, but running `foreman-rake import:puppet_classes` fails.

mv /usr/share/foreman/lib/tasks/puppet.rake ~
curl https://raw.githubusercontent.com/ares/foreman/3287b167d508715519a772b92a11e8904f504548/lib/tasks/puppet.rake -o /usr/share/foreman/lib/tasks/puppet.rake
touch ~foreman/tmp/restart.txt; sleep 20
foreman-rake import:puppet_classes --trace
rake aborted!
Don't know how to build task 'import:puppet_classes'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task_manager.rb:62:in `[]'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:149:in `invoke_task'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block (2 levels) in top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `each'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block in top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:115:in `run_with_threads'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:100:in `top_level'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:78:in `block in run'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:176:in `standard_exception_handling'
/opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:75:in `run'
/opt/rh/rh-ruby22/root/usr/bin/rake:33:in `<main>'

#12 Updated by The Foreman Bot about 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4681 added

#13 Updated by Anonymous about 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
