Re: [Pulp-list] Cannot grant permissions on repositories

Mon, 25 Nov 2013 23:49:56 -0800 

Hi,
/* This is the second part of the mail I sent yesterday, which describes a new problem that I ran into, which probably went unnoticed... */ 

I cannot give a user the permission to sync a repository from it's feed:


Now I wanted to give the user 'myuser' the permission to sync the 
repository from it's feed.
First, I start the sync as admin - just to check if the sync actually 
works:


===== Sync from feed as admin =====

myuser@pulp1:~/.pulp # pulp-admin rpm repo sync run 
--repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 


Synchronizing Repository [puppetlabs_puppet-acilaris]

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 




This command may be exited by pressing ctrl+c without affecting the 
actual operation on the server.

...
...
Publishing repository over HTTP
[-]
... completed
===== /worked! =====

ok - syncing should work...

===== Grant Permissions to user to sync =====

myuser@pulp1:~/.pulp # pulp-admin auth permission  grant --login=myuser 
--resource="/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/" 
-o read  -o update -o create
Permissions [/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ : 
['READ', 'UPDATE', 'CREATE']] successfully granted to user [myuser]

===== /worked! =====


===== Sync the Repository as user =====

myuser@t2veke7:~/.pulp # pulp-admin rpm repo sync run 
--repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 


Synchronizing Repository [puppetlabs_puppet-acilaris]

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 



Authentication Failed


The session certificate expired on Dec  2 15:40:19 2013 GMT. Use the 
login command to begin a new session.

===== /failed! =====

The .pulp/server_calls.log shows me, the following line:
===== server_calls.log =====

2013-11-25 17:07:17,103 - INFO - GET request to 
/pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async 
with parameters None

2013-11-25 17:07:17,104 - INFO - Response status : 401

2013-11-25 17:07:17,104 - INFO - Response body :
 "Permission Denied"
===== /server_calls.log =====


pulp-admin makes a request to /v2/tasks/, so I give the user the Read 
Permissions on this uri.


===== User gets read on the /v2/tasks/ uri =====

myuser@pulp1:~/.pulp # pulp-admin auth permission  grant --login=myuser 
--resource="/v2/tasks/" -o read

Permissions [/v2/tasks/ : ['READ']] successfully granted to user [myuser]
===== /worked! =====


Trying to run 'pulp-admin rpm repo sync 
--repo-id=puppetlabs_puppet-acilaris' again returns again the 
"Authentication Failed" error. The .pulp/server_calls.log reveals, that 
the first call to '/v2/tasks' works,

but the 'Permission Denied' is now issued by the repository-uri.

===== server_calls.log =====

2013-11-25 17:02:45,528 - INFO - GET request to 
/pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async 
with parameters None

2013-11-25 17:02:45,529 - INFO - Response status : 200

2013-11-25 17:02:45,529 - INFO - Response body :
 []


2013-11-25 17:02:45,749 - INFO - POST request to 
/pulp/api/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ with 
parameters {"override_config": null}

2013-11-25 17:02:45,750 - INFO - Response status : 401

2013-11-25 17:02:45,750 - INFO - Response body :
 "Permission Denied"
===== /server_calls.log =====



* Maybe you could take a look at this new problem - if it works in 2.3 - 
that would be ok for me...


regards,
florian

On 11/25/2013 04:25 PM, Michael Hrivnak wrote:

Florian,

Thanks for being in touch. Please try "/v2/repositories/" with the trailing 
slash, which I believe will work. I have verified it on pulp 2.3 beta.

As for the "Authentication Failed" message, that is a bug that was fixed in 
Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729

Your email did cause me to notice an error in our REST API documentation, which 
I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316

Thanks,
Michael Hrivnak


----- Original Message -----
From: "Florian Sachs" <[email protected]>
To: [email protected]
Sent: Monday, November 25, 2013 9:39:42 AM
Subject: [Pulp-list] Cannot grant permissions on repositories

Hi,

Before I begin: I am in the process of building a new serverstructure within my company 
using all puppet, foreman, devops and all the other buzzwords the fly around and actually 
work pretty well. The backbone of my (Repository) Release-Management is pulp for which I 
wrote a rest-client to handle Repository and Release stuff in a defined way and 
everything works quite well. So a big "Thank you" for building pulp!



I plan to grant permissions on specific repositories to specific users, so they 
can sync, upload etc their software without my help.

I want my users, to be able to list all repositories. As admin, I call "pulp-admin 
rpm repo list".
According to the .pulp/server_calls, the request is 'GET request to / 
pulp/api/v2/repositories / with parameters None'.

So here is what I tried:

=========

root@pulpserver:~ # pulp-admin auth permission grant --login=myuser 
--resource=/repositories -o read
Permissions [/repositories : ['READ']] successfully granted to user [myuser]

=========

myuser@myserver:~ # pulp-admin rpm repo list
+--------------------------------------------------------------------------------------------------------+
RPM Repositories
+--------------------------------------------------------------------------------------------------------+

Authentication Failed

The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login 
command to begin a new session.

=========

myuser@myserver:~ # tail .pulp/admin.log
self.all_repos_cache = 
self.context.server.repo.repositories(query_params).response_body
File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33, 
in repositories
return self.server.GET(path, query_parameters)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
return self._request('GET', path, queries)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in 
_request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in 
_handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied

=========

myuser@myserver:~ # tail .pulp/server_calls.log

2013-11-25 15:18:54,314 - INFO - Response body :
"Permission Denied"

2013-11-25 15:19:15,375 - INFO - GET request to / pulp/api/v2/repositories / 
with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401

2013-11-25 15:19:15,376 - INFO - Response body :
"Permission Denied"
=========

The "Authentication Failed" Message is misleading, as the session certificate 
is valid and it is indeed not a Authentication Failure but a Permission Error. Maybe that 
can be clarified in future releases.


I then tried to widen the permission with

root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource= / 
repositories / -o read
Permissions [ / repositories / : ['READ']] successfully granted to user [myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser 
--resource=/v2/repositories -o read
Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser 
--resource=/api/v2/repositories -o read
Permissions [/api/v2/repositories : ['READ']] successfully granted to user 
[myuser]

root@pulp1:~ # pulp-admin auth permission grant --login=myuser 
--resource=/pulp/api/v2/repositories -o read
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user 
[myuser]


- but the Permissions Error kept going. I was only able to list the 
repositories as user, when I set the resource to '/'.

* Am I using the correct --resource parameter?
* Should it work the way I thought?
* Do you have any hints for me?

I am using pulp 2.1.3 on a RHEL6.3 x86_64

best regards,
florian


_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list






















					Reply via email to