[Pulp-list] Cannot grant permissions on repositories
Michael Hrivnak
mhrivnak at redhat.com
Mon Nov 25 15:25:54 UTC 2013
Florian,
Thanks for being in touch. Please try "/v2/repositories/" with the trailing slash, which I believe will work. I have verified it on pulp 2.3 beta.
As for the "Authentication Failed" message, that is a bug that was fixed in Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729
Your email did cause me to notice an error in our REST API documentation, which I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316
Thanks,
Michael Hrivnak
----- Original Message -----
From: "Florian Sachs" <florian.sachs at bmlvs.gv.at>
To: pulp-list at redhat.com
Sent: Monday, November 25, 2013 9:39:42 AM
Subject: [Pulp-list] Cannot grant permissions on repositories
Hi,
Before I begin: I am in the process of building a new server structure within my company using all puppet, foreman, devops and all the other buzzwords that fly around and actually work pretty well. The backbone of my (Repository) Release-Management is pulp for which I wrote a rest-client to handle Repository and Release stuff in a defined way and everything works quite well. So a big "Thank you" for building pulp!
I plan to grant permissions on specific repositories to specific users, so they can sync, upload etc their software without my help.
I want my users to be able to list all repositories. As admin, I call "pulp-admin rpm repo list".
According to the .pulp/server_calls, the request is 'GET request to /pulp/api/v2/repositories/ with parameters None'.
So here is what I tried:
=========
root at pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read
Permissions [/repositories : ['READ']] successfully granted to user [myuser]
=========
myuser at myserver:~ # pulp-admin rpm repo list
+--------------------------------------------------------------------------------------------------------+
RPM Repositories
+--------------------------------------------------------------------------------------------------------+
Authentication Failed
The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login command to begin a new session.
=========
myuser at myserver:~ # tail .pulp/admin.log
self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, in repositories
return self.server.GET(path, query_parameters)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
return self._request('GET', path, queries)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied
=========
myuser at myserver:~ # tail .pulp/server_calls.log
2013-11-25 15:18:54,314 - INFO - Response body :
"Permission Denied"
2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/ with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401
2013-11-25 15:19:15,376 - INFO - Response body :
"Permission Denied"
=========
The "Authentication Failed" message is misleading, as the session certificate is valid and it is indeed not an Authentication Failure but a Permission Error. Maybe that can be clarified in future releases.
I then tried to widen the permission with
root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories/ -o read
Permissions [/repositories/ : ['READ']] successfully granted to user [myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read
Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read
Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser]
root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser]
- but the Permissions Error kept going. I was only able to list the repositories as user, when I set the resource to '/'.
* Am I using the correct --resource parameter?
* Should it work the way I thought?
* Do you have any hints for me?
I am using pulp 2.1.3 on a RHEL6.3 x86_64
best regards,
florian
--
Florian Sachs
Austrian Federal Ministry of Defence
Command Support Centre / ICT Engineering Division
Stiftgasse 2a 1070, Wien
Postadresse: Rossauer Lände 1, 1090 Wien
Tel.: +43 50201 10 33466
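
The results reported in this thread (every grant command succeeded, yet only '/' and '/v2/repositories/' allow the listing) are consistent with hierarchical matching on slash-terminated paths. The sketch below is an added illustration, not Pulp's code and not part of either message: the prefix stripping, the matching rule and all function names are assumptions chosen to reproduce what the thread reports, and the audit step goes slightly beyond the thread by flagging grants that can never match and grants on '/'.

```python
# Added illustration: a simplified model, NOT Pulp's implementation.
API_PREFIX = "/pulp/api"  # assumption: removed before the permission lookup


def candidate_resources(request_path):
    """Resource strings a grant must equal to cover this request (assumed rule)."""
    path = request_path
    if path.startswith(API_PREFIX):
        path = path[len(API_PREFIX):]
    candidates = ["/"]
    for part in path.split("/"):
        if part:
            # Each level of the hierarchy ends with a slash.
            candidates.append(candidates[-1] + part + "/")
    return candidates


def is_authorized(grants, request_path, operation):
    """grants maps a resource string to the set of operations granted on it."""
    return any(operation in grants.get(res, ())
               for res in candidate_resources(request_path))


def audit_grants(grants, known_endpoints):
    """Label each grant 'over-broad' (root), 'dead' (never matches) or 'ok'."""
    reachable = set()
    for endpoint in known_endpoints:
        reachable.update(candidate_resources(endpoint))
    report = {}
    for res in grants:
        if res == "/":
            report[res] = "over-broad"
        elif res not in reachable:
            report[res] = "dead"
        else:
            report[res] = "ok"
    return report


# Request path as logged in server_calls.log in the thread.
REQUEST = "/pulp/api/v2/repositories/"
# Resource strings tried in the thread, plus the one suggested in the reply.
TRIED = ["/repositories", "/repositories/", "/v2/repositories",
         "/api/v2/repositories", "/pulp/api/v2/repositories",
         "/", "/v2/repositories/"]

if __name__ == "__main__":
    for res in TRIED:
        print(res, is_authorized({res: {"READ"}}, REQUEST, "READ"))
    print(audit_grants({r: {"READ"} for r in TRIED}, [REQUEST]))
```

Under this model a "successfully granted" message says nothing about whether the resource string will ever match a request, so a periodic audit of stored grants is the check that catches both dead entries and a leftover grant on '/'.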