Running pki securitydomain-get-install-token as admin user fails.
Below is the command being run:
pki -d /opt/rhqa_pki/certs_db/ -u caadmin -w Secret123 -h dhcp201-105.englab.pnq.redhat.com -p 30044 securitydomain-get-install-token --hostname dhcp201-105.englab.pnq.redhat.com --subsystem ca
The command is run as caadmin, who is member of below groups:
[root@dhcp201-105 ~]# pki -d /opt/rhqa_pki/certs_db/ -c Secret123 -p 30044 -n "ROOTCA_adminV" user-membership-find caadmin
Group: Certificate Manager Agents
Group: Subsystem Group
Group: Trusted Managers
Group: Administrators
Group: Security Domain Administrators
Group: Enterprise CA Administrators
Group: Enterprise KRA Administrators
Group: Enterprise OCSP Administrators
Group: Enterprise TKS Administrators
Group: Enterprise RA Administrators
man page of pki-securitydomain(1) doesn't specify as to the user running should be in what group and what authentication mechanism should be used (cert/user based).
How reproducible:
1. Install CA,kra,tks,tps under 1 security domain and 1 tomcat instance. 2. Run pki securitydomain-get-install-token as caadmin: Command; pki -d /opt/rhqa_pki/certs_db/ -u caadmin -w Secret123 -h dhcp201-105.englab.pnq.redhat.com -p 30044 securitydomain-get-install-token --hostname dhcp201-105.englab.pnq.redhat.com --subsystem ca The above command fails with error:UnauthorizedException: Access denied.
Actual results:
[root@dhcp201-105 ~]# pki -d /opt/rhqa_pki/certs_db/ -u caadmin -w Secret123 -h dhcp201-105.englab.pnq.redhat.com -p 30044 securitydomain-get-install-token --hostname dhcp201-105.englab.pnq.redhat.com --subsystem ca UnauthorizedException: Access denied.
Expected results:
Should not result in Access denied.
Additional info:
Could man page give more details as to after getting security domain installation token, how this information can be used ? and what authentication mechanism should be used to run this command.
Per Dogtag 10.2.X TRIAGE meeting of 04/28/2015: 10.2.4
NOTE: Don't expose this command and don't doc it in the man page!
Info on simple fix to come:
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
We will file longer term tickets to clean up the python installer code so it does not spawn off command line invocations to contact legacy servlets. Also the legacy servlets in question should be converted to the rest interface design. One all that is done, any remaining command line spawn operations in the python portions of the installer should be redone. Here those command invocations will be replaced by legit python API methods. The code would simply call the appropriate API methods.
Patch approved and pushed to master:
Counting objects: 21, done. Delta compression using up to 8 threads. Compressing objects: 100% (16/16), done. Writing objects: 100% (21/21), 2.04 KiB | 0 bytes/s, done. Total 21 (delta 14), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/pki.git 73fb345e06b70d23a852743e4dc81ef6063e738a master -> master
Metadata Update from @mharmsen: - Issue assigned to jmagne - Issue set to the milestone: 10.2.4
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1913
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.