[Pulp-list] Cannot grant permissions on repositories

Michael Hrivnak mhrivnak at redhat.com
Mon Nov 25 15:25:54 UTC 2013 

Florian,

Thanks for being in touch. Please try "/v2/repositories/" with the trailing slash, which I believe will work. I have verified it on pulp 2.3 beta.

As for the "Authentication Failed" message, that is a bug that was fixed in Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729

Your email did cause me to notice an error in our REST API documentation, which I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316

Thanks,
Michael Hrivnak


----- Original Message -----
From: "Florian Sachs" <florian.sachs at bmlvs.gv.at>
To: pulp-list at redhat.com
Sent: Monday, November 25, 2013 9:39:42 AM
Subject: [Pulp-list] Cannot grant permissions on repositories

Hi, 

Before I begin: I am in the process of building a new serverstructure within my company using all puppet, foreman, devops and all the other buzzwords the fly around and actually work pretty well. The backbone of my (Repository) Release-Management is pulp for which I wrote a rest-client to handle Repository and Release stuff in a defined way and everything works quite well. So a big "Thank you" for building pulp! 



I plan to grant permissions on specific repositories to specific users, so they can sync, upload etc their software without my help. 

I want my users, to be able to list all repositories. As admin, I call "pulp-admin rpm repo list". 
According to the .pulp/server_calls, the request is 'GET request to / pulp/api/v2/repositories / with parameters None'. 

So here is what I tried: 

========= 

root at pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read 
Permissions [/repositories : ['READ']] successfully granted to user [myuser] 

========= 

myuser at myserver:~ # pulp-admin rpm repo list 
+--------------------------------------------------------------------------------------------------------+ 
RPM Repositories 
+--------------------------------------------------------------------------------------------------------+ 

Authentication Failed 

The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login command to begin a new session. 

========= 

myuser at myserver:~ # tail .pulp/admin.log 
self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body 
File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, in repositories 
return self.server.GET(path, query_parameters) 
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET 
return self._request('GET', path, queries) 
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request 
self._handle_exceptions(response_code, response_body) 
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions 
raise code_class_mappings[response_code](response_body) 
PermissionsException: Permission Denied 

========= 

myuser at myserver:~ # tail .pulp/server_calls.log 

2013-11-25 15:18:54,314 - INFO - Response body : 
"Permission Denied" 

2013-11-25 15:19:15,375 - INFO - GET request to / pulp/api/v2/repositories / with parameters None 
2013-11-25 15:19:15,375 - INFO - Response status : 401 

2013-11-25 15:19:15,376 - INFO - Response body : 
"Permission Denied" 
========= 

The "Authentication Failed" Message is misleading, as the session certificate is valid and it is indeed not a Authentication Failure but a Permission Error. Maybe that can be clarified in future releases. 


I then tried to widen the permission with 

root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource= / repositories / -o read 
Permissions [ / repositories / : ['READ']] successfully granted to user [myuser] 

root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read 
Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser] 

root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read 
Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser] 

root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read 
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser] 


- but the Permissions Error kept going. I was only able to list the repositories as user, when I set the resource to '/'. 

* Am I using the correct --resource parameter? 
* Should it work the way I thought? 
* Do you have any hints for me? 

I am using pulp 2.1.3 on a RHEL6.3 x86_64 

best regards, 
florian 

-- 
Florian Sachs 
Austrian Federal Ministry of Defence 
Command Support Centre / ICT Engineering Division 
Stiftgasse 2a 1070, Wien 
Postadresse: Rossauer Lände 1, 1090 Wien 
Tel.: +43 50201 10 33466 



_______________________________________________
Pulp-list mailing list
Pulp-list at redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list

More information about the Pulp-list mailing list