[Pulp-list] Cannot grant permissions on repositories

Florian Sachs florian.sachs at bmlvs.gv.at
Thu Nov 28 13:18:13 UTC 2013


Hi,

Your suggestion got me a few steps further...

== AS ADMIN ==
pulp-admin auth user create --login myuser --password myuser
pulp-admin auth permission grant --login=myuser --resource="/v2/tasks/" -o read
pulp-admin auth permission grant --login=myuser --resource="/v2/repositories/se2ve-test/actions/sync/" -o read -o update -o create -o execute

== AS USER "MYUSER" ==
pulp-admin login -u myuser -p myuser
Successfully logged in. Session certificate will expire at Dec  5 
13:09:07 2013 GMT.

pulp-admin rpm repo sync run --repo-id=se2ve-test
+--------------------------------------------------------------------------------------------------------+
                                   Synchronizing Repository [se2ve-test]
+--------------------------------------------------------------------------------------------------------+

Authentication Failed

The session certificate expired on Dec  5 13:09:07 2013 GMT. Use the 
login command to begin a new session.
===================

Looking in the logfiles, I can see that the importer actually synced, 
but the user was not allowed to make a call to 
"/pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/" afterwards.

I will include the server_calls.log and admin.log from the 
pulp-admin-client and the pulp.log from the pulpserver as attachments.

regards,
florian


On 11/26/2013 05:56 PM, Michael Hrivnak wrote:
> Florian,
>
> In order to initiate a sync, you need "execute" permission. Try adding that to the user, and let us know if it works.
>
> Michael
>
> ----- Original Message -----
> From: "Florian Sachs" <florian.sachs at bmlvs.gv.at>
> To: "Michael Hrivnak" <mhrivnak at redhat.com>
> Cc: "Florian Sachs" <florian.sachs at bmlvs.gv.at>, pulp-list at redhat.com
> Sent: Tuesday, November 26, 2013 2:44:34 AM
> Subject: Re: [Pulp-list] Cannot grant permissions on repositories
>
> Hi,
>
> /* This is the second part of the mail I sent yesterday, which describes
> a new problem that I ran into, which probably went unnoticed... */
>
> I cannot give a user the permission to sync a repository from its feed:
>
> Now I wanted to give the user 'myuser' the permission to sync the
> repository from its feed.
> First, I start the sync as admin - just to check if the sync actually
> works:
>
> ===== Sync from feed as admin =====
> myuser at pulp1:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
> +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>
> Synchronizing Repository [puppetlabs_puppet-acilaris]
> +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>
>
> This command may be exited by pressing ctrl+c without affecting the
> actual operation on the server.
> ...
> ...
> Publishing repository over HTTP
> [-]
> ... completed
> ===== /worked! =====
>
> ok - syncing should work...
>
> ===== Grant Permissions to user to sync =====
> myuser at pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/" -o read -o update -o create
> Permissions [/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ :
> ['READ', 'UPDATE', 'CREATE']] successfully granted to user [myuser]
> ===== /worked! =====
>
>
> ===== Sync the Repository as user =====
> myuser at t2veke7:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
> +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>
> Synchronizing Repository [puppetlabs_puppet-acilaris]
> +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>
>
> Authentication Failed
>
> The session certificate expired on Dec  2 15:40:19 2013 GMT. Use the
> login command to begin a new session.
> ===== /failed! =====
>
> The .pulp/server_calls.log shows me the following line:
> ===== server_calls.log =====
> 2013-11-25 17:07:17,103 - INFO - GET request to
> /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async
> with parameters None
> 2013-11-25 17:07:17,104 - INFO - Response status : 401
>
> 2013-11-25 17:07:17,104 - INFO - Response body :
>    "Permission Denied"
> ===== /server_calls.log =====
>
> pulp-admin makes a request to /v2/tasks/, so I give the user the Read
> Permissions on this uri.
>
> ===== User gets read on the /v2/tasks/ uri =====
> myuser at pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/tasks/" -o read
> Permissions [/v2/tasks/ : ['READ']] successfully granted to user [myuser]
> ===== /worked! =====
>
> Trying to run 'pulp-admin rpm repo sync
> --repo-id=puppetlabs_puppet-acilaris' again returns the
> "Authentication Failed" error. The .pulp/server_calls.log reveals that
> the first call to '/v2/tasks' works,
> but the 'Permission Denied' is now issued by the repository-uri.
>
> ===== server_calls.log =====
> 2013-11-25 17:02:45,528 - INFO - GET request to
> /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async
> with parameters None
> 2013-11-25 17:02:45,529 - INFO - Response status : 200
>
> 2013-11-25 17:02:45,529 - INFO - Response body :
>    []
>
> 2013-11-25 17:02:45,749 - INFO - POST request to
> /pulp/api/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ with
> parameters {"override_config": null}
> 2013-11-25 17:02:45,750 - INFO - Response status : 401
>
> 2013-11-25 17:02:45,750 - INFO - Response body :
>    "Permission Denied"
> ===== /server_calls.log =====
>
>
> * Maybe you could take a look at this new problem - if it works in 2.3 -
> that would be ok for me...
>
> regards,
> florian
>
> On 11/25/2013 04:25 PM, Michael Hrivnak wrote:
>> Florian,
>>
>> Thanks for being in touch. Please try "/v2/repositories/" with the trailing slash, which I believe will work. I have verified it on pulp 2.3 beta.
>>
>> As for the "Authentication Failed" message, that is a bug that was fixed in Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729
>>
>> Your email did cause me to notice an error in our REST API documentation, which I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316
>>
>> Thanks,
>> Michael Hrivnak
>>
>>
>> ----- Original Message -----
>> From: "Florian Sachs" <florian.sachs at bmlvs.gv.at>
>> To: pulp-list at redhat.com
>> Sent: Monday, November 25, 2013 9:39:42 AM
>> Subject: [Pulp-list] Cannot grant permissions on repositories
>>
>> Hi,
>>
>> Before I begin: I am in the process of building a new server structure within my company using all puppet, foreman, devops and all the other buzzwords that fly around and actually work pretty well. The backbone of my (Repository) Release-Management is pulp for which I wrote a rest-client to handle Repository and Release stuff in a defined way and everything works quite well. So a big "Thank you" for building pulp!
>>
>>
>>
>> I plan to grant permissions on specific repositories to specific users, so they can sync, upload etc their software without my help.
>>
>> I want my users to be able to list all repositories. As admin, I call "pulp-admin rpm repo list".
>> According to the .pulp/server_calls, the request is 'GET request to /pulp/api/v2/repositories/ with parameters None'.
>>
>> So here is what I tried:
>>
>> =========
>>
>> root at pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read
>> Permissions [/repositories : ['READ']] successfully granted to user [myuser]
>>
>> =========
>>
>> myuser at myserver:~ # pulp-admin rpm repo list
>> +--------------------------------------------------------------------------------------------------------+
>> RPM Repositories
>> +--------------------------------------------------------------------------------------------------------+
>>
>> Authentication Failed
>>
>> The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login command to begin a new session.
>>
>> =========
>>
>> myuser at myserver:~ # tail .pulp/admin.log
>> self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
>> File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, in repositories
>> return self.server.GET(path, query_parameters)
>> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
>> return self._request('GET', path, queries)
>> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request
>> self._handle_exceptions(response_code, response_body)
>> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions
>> raise code_class_mappings[response_code](response_body)
>> PermissionsException: Permission Denied
>>
>> =========
>>
>> myuser at myserver:~ # tail .pulp/server_calls.log
>>
>> 2013-11-25 15:18:54,314 - INFO - Response body :
>> "Permission Denied"
>>
>> 2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/ with parameters None
>> 2013-11-25 15:19:15,375 - INFO - Response status : 401
>>
>> 2013-11-25 15:19:15,376 - INFO - Response body :
>> "Permission Denied"
>> =========
>>
>> The "Authentication Failed" Message is misleading, as the session certificate is valid and it is indeed not an Authentication Failure but a Permission Error. Maybe that can be clarified in future releases.
>>
>>
>> I then tried to widen the permission with
>>
>> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories/ -o read
>> Permissions [/repositories/ : ['READ']] successfully granted to user [myuser]
>>
>> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read
>> Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]
>>
>> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read
>> Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser]
>>
>> root at pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read
>> Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser]
>>
>>
>> - but the Permissions Error kept going. I was only able to list the repositories as user, when I set the resource to '/'.
>>
>> * Am I using the correct --resource parameter?
>> * Should it work the way I thought?
>> * Do you have any hints for me?
>>
>> I am using pulp 2.1.3 on a RHEL6.3 x86_64
>>
>> best regards,
>> florian


-- 
Florian Sachs
Bundesministerium für Landesverteidigung und Sport
Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE
Stiftgasse 2a 1070, Wien
Postadresse: Rossauer Lände 1, 1090 Wien
Tel.: +43 50201 10 33466

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admin.log
Type: text/x-log
Size: 1500 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20131128/0b84d647/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server_calls.log
Type: text/x-log
Size: 2504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20131128/0b84d647/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pulp.log
Type: text/x-log
Size: 7198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20131128/0b84d647/attachment-0002.bin>
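
Added example (not part of the original mail and not Pulp code): the troubleshooting method used in this thread, reading `.pulp/server_calls.log` for requests answered with 401, written as a small parser that lists each denied method and resource in the form passed to `--resource`. The log sample is constructed from the layout quoted above, `example-repo` is a placeholder, and stripping the `/pulp/api` prefix is an assumption drawn from the grants shown in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the server_calls.log layout quoted in the thread,
# including records wrapped across several lines.
SAMPLE_LOG = """\
2013-11-25 17:02:45,528 - INFO - GET request to
/pulp/api/v2/tasks/?tag=pulp%3Arepository%3Aexample-repo&tag=pulp%3Aaction%3Async
with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200
2013-11-25 17:02:45,749 - INFO - POST request to
/pulp/api/v2/repositories/example-repo/actions/sync/ with
parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401
2013-11-25 17:02:45,750 - INFO - Response body :
   "Permission Denied"
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - \w+ - ")
REQUEST = re.compile(r"(GET|POST|PUT|DELETE) request to (\S+)")
STATUS = re.compile(r"Response status : (\d{3})")
API_PREFIX = "/pulp/api"  # assumption: log paths carry it, the grants in the thread do not

def records(text):
    """Yield log records, re-joining lines that were wrapped mid-record."""
    current = None
    for line in text.splitlines():
        if TIMESTAMP.match(line):
            if current is not None:
                yield current
            current = TIMESTAMP.sub("", line).strip()
        elif current is not None and line.strip():
            current += " " + line.strip()
    if current is not None:
        yield current

def denied_requests(text):
    """Return unique (method, resource) pairs for requests answered with 401."""
    denied, pending = [], None
    for rec in records(text):
        req, status = REQUEST.search(rec), STATUS.search(rec)
        if req:
            path = urlsplit(req.group(2)).path  # drop the ?tag=... query string
            path = path[len(API_PREFIX):] if path.startswith(API_PREFIX) else path
            pending = (req.group(1), path)
        elif status and pending:
            if status.group(1) == "401" and pending not in denied:
                denied.append(pending)
            pending = None
    return denied
```

Running `denied_requests` over a user's log after each failed command shows the next resource that still lacks a grant, which keeps the permission set limited to the URIs the client actually calls instead of falling back to `/`.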