[Pulp-list] Cannot grant permissions on repositories

Florian Sachs florian.sachs at bmlvs.gv.at
Tue Nov 26 07:44:34 UTC 2013


Hi,

/* This is the second part of the mail I sent yesterday, which describes 
a new problem that I ran into, which probably went unnoticed... */

I cannot give a user the permission to sync a repository from its feed:

Now I wanted to give the user 'myuser' the permission to sync the 
repository from its feed.
First, I start the sync as admin - just to check if the sync actually 
works:

===== Sync from feed as admin =====
myuser at pulp1:~/.pulp # pulp-admin rpm repo sync run 
--repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 

Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 


This command may be exited by pressing ctrl+c without affecting the 
actual operation on the server.
...
...
Publishing repository over HTTP
[-]
... completed
===== /worked! =====

ok - syncing should work...

===== Grant Permissions to user to sync =====
myuser at pulp1:~/.pulp # pulp-admin auth permission  grant --login=myuser 
--resource="/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/" 
-o read  -o update -o create
Permissions [/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ : 
['READ', 'UPDATE', 'CREATE']] successfully granted to user [myuser]
===== /worked! =====


===== Sync the Repository as user =====
myuser at t2veke7:~/.pulp # pulp-admin rpm repo sync run 
--repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 

Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 


Authentication Failed

The session certificate expired on Dec  2 15:40:19 2013 GMT. Use the 
login command to begin a new session.
===== /failed! =====

The .pulp/server_calls.log shows me the following line:
===== server_calls.log =====
2013-11-25 17:07:17,103 - INFO - GET request to 
/pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async 
with parameters None
2013-11-25 17:07:17,104 - INFO - Response status : 401

2013-11-25 17:07:17,104 - INFO - Response body :
  "Permission Denied"
===== /server_calls.log =====

pulp-admin makes a request to /v2/tasks/, so I give the user the Read 
Permissions on this uri.

===== User gets read on the /v2/tasks/ uri =====
myuser at pulp1:~/.pulp # pulp-admin auth permission  grant --login=myuser 
--resource="/v2/tasks/" -o read
Permissions [/v2/tasks/ : ['READ']] successfully granted to user [myuser]
===== /worked! =====

Trying to run 'pulp-admin rpm repo sync 
--repo-id=puppetlabs_puppet-acilaris' again returns the 
"Authentication Failed" error again. The .pulp/server_calls.log reveals that 
the first call to '/v2/tasks' works,
but the 'Permission Denied' is now issued by the repository-uri.

===== server_calls.log =====
2013-11-25 17:02:45,528 - INFO - GET request to 
/pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async 
with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200

2013-11-25 17:02:45,529 - INFO - Response body :
  []

2013-11-25 17:02:45,749 - INFO - POST request to 
/pulp/api/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ with 
parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401

2013-11-25 17:02:45,750 - INFO - Response body :
  "Permission Denied"
===== /server_calls.log =====


* Maybe you could take a look at this new problem - if it works in 2.3 - 
that would be ok for me...

regards,
florian

On 11/25/2013 04:25 PM, Michael Hrivnak wrote:
> Florian,
>
> Thanks for being in touch. Please try "/v2/repositories/" with the trailing slash, which I believe will work. I have verified it on pulp 2.3 beta.
>
> As for the "Authentication Failed" message, that is a bug that was fixed in Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729
>
> Your email did cause me to notice an error in our REST API documentation, which I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316
>
> Thanks,
> Michael Hrivnak
>
>
> ----- Original Message -----
> From: "Florian Sachs" <florian.sachs at bmlvs.gv.at>
> To: pulp-list at redhat.com
> Sent: Monday, November 25, 2013 9:39:42 AM
> Subject: [Pulp-list] Cannot grant permissions on repositories
>
> Hi,
>
> Before I begin: I am in the process of building a new server structure within my company using all puppet, foreman, devops and all the other buzzwords that fly around and actually work pretty well. The backbone of my (Repository) Release-Management is pulp for which I wrote a rest-client to handle Repository and Release stuff in a defined way and everything works quite well. So a big "Thank you" for building pulp!
>
>
>
> I plan to grant permissions on specific repositories to specific users, so they can sync, upload etc their software without my help.
>
> I want my users to be able to list all repositories. As admin, I call "pulp-admin rpm repo list".
> According to the .pulp/server_calls, the request is 'GET request to /pulp/api/v2/repositories/ with parameters None'.
>
> So here is what I tried:
>
> =========
>
> root at pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read
> Permissions [/repositories : ['READ']] successfully granted to user [myuser]
>
> =========
>
> myuser at myserver:~ # pulp-admin rpm repo list
> +--------------------------------------------------------------------------------------------------------+
> RPM Repositories
> +--------------------------------------------------------------------------------------------------------+
>
> Authentication Failed
>
> The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login command to begin a new session.
>
> =========
>
> myuser at myserver:~ # tail .pulp/admin.log
> self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
> File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, in repositories
> return self.server.GET(path, query_parameters)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
> return self._request('GET', path, queries)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request
> self._handle_exceptions(response_code, response_body)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions
> raise code_class_mappings[response_code](response_body)
> PermissionsException: Permission Denied
>
> =========
>
> myuser at myserver:~ # tail .pulp/server_calls.log
>
> 2013-11-25 15:18:54,314 - INFO - Response body :
> "Permission Denied"
>
> 2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/ with parameters None
> 2013-11-25 15:19:15,375 - INFO - Response status : 401
>
> 2013-11-25 15:19:15,376 - INFO - Response body :
> "Permission Denied"
> =========
>
> The "Authentication Failed" message is misleading, as the session certificate is valid and it is indeed not an Authentication Failure but a Permission Error. Maybe that can be clarified in future releases.
>
>
> I then tried to widen the permission with
>
> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories/ -o read
> Permissions [/repositories/ : ['READ']] successfully granted to user [myuser]
>
> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read
> Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]
>
> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read
> Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser]
>
> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read
> Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser]
>
>
> - but the Permissions Error kept going. I was only able to list the repositories as user, when I set the resource to '/'.
>
> * Am I using the correct --resource parameter?
> * Should it work the way I thought?
> * Do you have any hints for me?
>
> I am using pulp 2.1.3 on a RHEL6.3 x86_64
>
> best regards,
> florian
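
Added example, not part of the original thread and not Pulp's own code: a small parser for the client-side `.pulp/server_calls.log` format shown above that lists every request answered with 401, together with the response body and the path in the form passed to `--resource` in the thread. It assumes one request per log line (the mail client wrapped the excerpts), strips the `/pulp/api` prefix and query string as in the `/v2/tasks/` grant above, and appends the trailing slash suggested in the reply; the repository id `example-repo` and the sample log are constructed.

```python
import re
from urllib.parse import urlsplit

API_PREFIX = "/pulp/api"  # prefix seen in the logged request paths

REQ = re.compile(r"- INFO - (GET|POST|PUT|DELETE) request to (\S+) with parameters")
STATUS = re.compile(r"- INFO - Response status : (\d{3})")

# Constructed sample modelled on the server_calls.log excerpts in the mail.
SAMPLE_LOG = """\
2013-11-25 17:02:45,528 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200

2013-11-25 17:02:45,529 - INFO - Response body :
  []

2013-11-25 17:02:45,749 - INFO - POST request to /pulp/api/v2/repositories/example-repo/actions/sync/ with parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401

2013-11-25 17:02:45,750 - INFO - Response body :
  "Permission Denied"
"""

def resource_for(path):
    """Map a logged request path to the form used with --resource in the thread."""
    path = urlsplit(path).path            # drop the ?tag=... query string
    if path.startswith(API_PREFIX):
        path = path[len(API_PREFIX):]     # /pulp/api/v2/x/ -> /v2/x/
    return path if path.endswith("/") else path + "/"

def denied_requests(log_text):
    """Return (method, resource, body) for every request answered with 401."""
    denied, current = [], None
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        req = REQ.search(line)
        if req:
            current = (req.group(1), resource_for(req.group(2)))
            continue
        status = STATUS.search(line)
        if status and current:
            if status.group(1) == "401":
                # Body is the first non-empty line after the "Response body :" marker.
                body = next((l.strip().strip('"') for l in lines[i + 1:]
                             if l.strip() and "Response body" not in l), "")
                denied.append(current + (body,))
            current = None
    return denied

if __name__ == "__main__":
    for method, resource, body in denied_requests(SAMPLE_LOG):
        print(f"{method} {resource} -> 401 ({body})")
```

A 401 whose body is "Permission Denied" points at a missing grant on the listed resource rather than an expired session certificate, whatever the CLI banner says.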



