[Pulp-list] Cannot grant permissions on repositories
Florian Sachs
florian.sachs at bmlvs.gv.at
Mon Nov 25 14:39:42 UTC 2013
Hi,
Before I begin: I am in the process of building a new serverstructure
within my company using all puppet, foreman, devops and all the other
buzzwords the fly around and actually work pretty well. The backbone of
my (Repository) Release-Management is pulp for which I wrote a
rest-client to handle Repository and Release stuff in a defined way and
everything works quite well. So a big "Thank you" for building pulp!
I plan to grant permissions on specific repositories to specific users,
so they can sync, upload etc their software without my help.
I want my users, to be able to list all repositories. As admin, I call
"pulp-admin rpm repo list".
According to the .pulp/server_calls, the request is 'GET request to
/pulp/api/v2/repositories/ with parameters None'.
So here is what I tried:
=========
root at pulpserver:~ # pulp-admin auth permission grant --login=myuser
--resource=/repositories -o read
Permissions [/repositories : ['READ']] successfully granted to user
[myuser]
=========
myuser at myserver:~ # pulp-admin rpm repo list
+--------------------------------------------------------------------------------------------------------+
RPM Repositories
+--------------------------------------------------------------------------------------------------------+
Authentication Failed
The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the
login command to begin a new session.
=========
myuser at myserver:~ # tail .pulp/admin.log
self.all_repos_cache =
self.context.server.repo.repositories(query_params).response_body
File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py",
line 33, in repositories
return self.server.GET(path, query_parameters)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line
84, in GET
return self._request('GET', path, queries)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line
142, in _request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line
183, in _handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied
=========
myuser at myserver:~ # tail .pulp/server_calls.log
2013-11-25 15:18:54,314 - INFO - Response body :
"Permission Denied"
2013-11-25 15:19:15,375 - INFO - GET request to
/pulp/api/v2/repositories/ with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401
2013-11-25 15:19:15,376 - INFO - Response body :
"Permission Denied"
=========
The "Authentication Failed" Message is misleading, as the session
certificate is valid and it is indeed not a Authentication Failure but a
Permission Error. Maybe that can be clarified in future releases.
I then tried to widen the permission with
root at pulp1:~ # pulp-admin auth permission grant --login=myuser
--resource=/repositories/ -o read
Permissions [/repositories/ : ['READ']] successfully granted to user
[myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser
--resource=/v2/repositories -o read
Permissions [/v2/repositories : ['READ']] successfully granted to user
[myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser
--resource=/api/v2/repositories -o read
Permissions [/api/v2/repositories : ['READ']] successfully granted to
user [myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser
--resource=/pulp/api/v2/repositories -o read
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted
to user [myuser]
- but the Permissions Error kept going. I was only able to list the
repositories as user, when I set the resource to '/'.
* Am I using the correct --resource parameter?
* Should it work the way I thought?
* Do you have any hints for me?
I am using pulp 2.1.3 on a RHEL6.3 x86_64
best regards,
florian
--
Florian Sachs
Austrian Federal Ministry of Defence
Command Support Centre / ICT Engineering Division
Stiftgasse 2a 1070, Wien
Postadresse: Rossauer Lände 1, 1090 Wien
Tel.: +43 50201 10 33466
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20131125/f37826c5/attachment.htm>
More information about the Pulp-list
mailing list