[Pulp-list] Cannot grant permissions on repositories

Florian Sachs florian.sachs at bmlvs.gv.at
Mon Nov 25 14:39:42 UTC 2013


Hi,

Before I begin: I am in the process of building a new server structure 
within my company using all puppet, foreman, devops and all the other 
buzzwords that fly around and actually work pretty well. The backbone of 
my (Repository) Release-Management is pulp, for which I wrote a 
rest-client to handle Repository and Release stuff in a defined way, and 
everything works quite well. So a big "Thank you" for building pulp!



I plan to grant permissions on specific repositories to specific users, 
so they can sync, upload etc their software without my help.

I want my users to be able to list all repositories. As admin, I call 
"pulp-admin rpm repo list".
According to the .pulp/server_calls, the request is 'GET request to 
/pulp/api/v2/repositories/ with parameters None'.

So here is what I tried:

=========

root@pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read
Permissions [/repositories : ['READ']] successfully granted to user [myuser]

=========

myuser@myserver:~ # pulp-admin rpm repo list
+--------------------------------------------------------------------------------------------------------+
                                              RPM Repositories
+--------------------------------------------------------------------------------------------------------+

Authentication Failed

The session certificate expired on Dec  2 14:18:47 2013 GMT. Use the 
login command to begin a new session.

=========

myuser@myserver:~ # tail .pulp/admin.log
    self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
  File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, in repositories
    return self.server.GET(path, query_parameters)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
    return self._request('GET', path, queries)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions
    raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied

=========

myuser@myserver:~ # tail .pulp/server_calls.log

2013-11-25 15:18:54,314 - INFO - Response body :
  "Permission Denied"

2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/ with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401

2013-11-25 15:19:15,376 - INFO - Response body :
  "Permission Denied"
=========

The "Authentication Failed" message is misleading, as the session 
certificate is valid and it is indeed not an Authentication Failure but a 
Permission Error. Maybe that can be clarified in future releases.


I then tried to widen the permission with

root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories/ -o read
Permissions [/repositories/ : ['READ']] successfully granted to user [myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read
Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read
Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser]


- but the Permissions Error kept going. I was only able to list the 
repositories as user, when I set the resource to '/'.

* Am I using the correct --resource parameter?
* Should it work the way I thought?
* Do you have any hints for me?

I am using pulp 2.1.3 on a RHEL6.3 x86_64

best regards,
florian

-- 
Florian Sachs
Austrian Federal Ministry of Defence
Command Support Centre / ICT Engineering Division
Stiftgasse 2a 1070, Wien
Postadresse: Rossauer Lände 1, 1090 Wien
Tel.: +43 50201 10 33466
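
Added example, not part of the original message and not Pulp's own code: a small triage script that reads a client-side `.pulp/server_calls.log` in the layout quoted above and, following the post's observation, reports 401 responses whose body is "Permission Denied" as authorization denials rather than login failures. The function names and the sample log are assumptions made for this illustration.

```python
import re

# Constructed sample in the layout of the server_calls.log excerpt quoted in the post.
# The /users/ call is made up; the first two lines mimic a tail that starts mid-record.
SAMPLE_LOG = '''\
2013-11-25 15:18:54,314 - INFO - Response body :
  "Permission Denied"
2013-11-25 15:19:01,101 - INFO - GET request to /pulp/api/v2/users/ with parameters None
2013-11-25 15:19:01,160 - INFO - Response status : 200
2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/ with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401
2013-11-25 15:19:15,376 - INFO - Response body :
  "Permission Denied"
'''

PREFIX = r'^\S+ \S+ - \w+ - '
REQUEST = re.compile(PREFIX + r'(?P<method>[A-Z]+) request to (?P<path>\S+) with parameters')
STATUS = re.compile(PREFIX + r'Response status : (?P<code>\d{3})')
BODY = re.compile(PREFIX + r'Response body :')

def parse_calls(text):
    """Group request / status / body records into one dict per API call."""
    calls, current, in_body = [], None, False
    for line in text.splitlines():
        req, status = REQUEST.match(line), STATUS.match(line)
        if req:
            current = dict(req.groupdict(), status=None, body='')
            calls.append(current)
            in_body = False
        elif current is None:
            continue  # response lines whose request was cut off by tail
        elif status:
            current['status'] = int(status.group('code'))
        elif BODY.match(line):
            in_body = True
        elif in_body:
            current['body'] += line.strip()
    return calls

def classify(call):
    """Tell a permission denial apart from a failed login or expired session."""
    if call['status'] == 401 and 'Permission Denied' in call['body']:
        return 'authorization'  # per the post: session valid, grant on the resource missing
    if call['status'] == 401:
        return 'authentication'
    return 'ok' if call['status'] and call['status'] < 400 else 'other'

def denied_resources(text):
    return [(c['method'], c['path']) for c in parse_calls(text) if classify(c) == 'authorization']
```

Running `denied_resources()` over a user's log lists the exact request paths the server refused, which is the value to compare against the `--resource` strings that were granted.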

