Florian,

In order to initiate a sync, you need "execute" permission. Try adding that to the user, and let us know if it works.

Michael

----- Original Message -----
From: "Florian Sachs" <[email protected]>
To: "Michael Hrivnak" <[email protected]>
Cc: "Florian Sachs" <[email protected]>, [email protected]
Sent: Tuesday, November 26, 2013 2:44:34 AM
Subject: Re: [Pulp-list] Cannot grant permissions on repositories

Hi,

/* This is the second part of the mail I sent yesterday, which describes a new problem that I ran into, which probably went unnoticed... */

I cannot give a user the permission to sync a repository from its feed:

Now I wanted to give the user 'myuser' the permission to sync the repository from its feed. First, I start the sync as admin - just to check if the sync actually works:

===== Sync from feed as admin =====
myuser@pulp1:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

This command may be exited by pressing ctrl+c without affecting the actual operation on the server.

...
...
Publishing repository over HTTP
[-]
... completed
===== /worked! =====

ok - syncing should work...

===== Grant Permissions to user to sync =====
myuser@pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/" -o read -o update -o create
Permissions [/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ : ['READ', 'UPDATE', 'CREATE']] successfully granted to user [myuser]
===== /worked! =====

===== Sync the Repository as user =====
myuser@t2veke7:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Authentication Failed

The session certificate expired on Dec 2 15:40:19 2013 GMT. Use the login command to begin a new session.
===== /failed! =====

The .pulp/server_calls.log shows me the following line:

===== server_calls.log =====
2013-11-25 17:07:17,103 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:07:17,104 - INFO - Response status : 401
2013-11-25 17:07:17,104 - INFO - Response body : "Permission Denied"
===== /server_calls.log =====

pulp-admin makes a request to /v2/tasks/, so I give the user the Read Permissions on this uri.

===== User gets read on the /v2/tasks/ uri =====
myuser@pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/tasks/" -o read
Permissions [/v2/tasks/ : ['READ']] successfully granted to user [myuser]
===== /worked! =====

Trying to run 'pulp-admin rpm repo sync --repo-id=puppetlabs_puppet-acilaris' again returns again the "Authentication Failed" error. The .pulp/server_calls.log reveals that the first call to '/v2/tasks' works, but the 'Permission Denied' is now issued by the repository-uri.

===== server_calls.log =====
2013-11-25 17:02:45,528 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200
2013-11-25 17:02:45,529 - INFO - Response body : []
2013-11-25 17:02:45,749 - INFO - POST request to /pulp/api/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ with parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401
2013-11-25 17:02:45,750 - INFO - Response body : "Permission Denied"
===== /server_calls.log =====

* Maybe you could take a look at this new problem - if it works in 2.3 - that would be ok for me...

regards,
florian

On 11/25/2013 04:25 PM, Michael Hrivnak wrote:
> Florian,
>
> Thanks for being in touch. Please try "/v2/repositories/" with the trailing
> slash, which I believe will work. I have verified it on pulp 2.3 beta.
>
> As for the "Authentication Failed" message, that is a bug that was fixed in
> Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729
>
> Your email did cause me to notice an error in our REST API documentation,
> which I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316
>
> Thanks,
> Michael Hrivnak
>
>
> ----- Original Message -----
> From: "Florian Sachs" <[email protected]>
> To: [email protected]
> Sent: Monday, November 25, 2013 9:39:42 AM
> Subject: [Pulp-list] Cannot grant permissions on repositories
>
> Hi,
>
> Before I begin: I am in the process of building a new server structure within
> my company using all puppet, foreman, devops and all the other buzzwords that
> fly around and actually work pretty well. The backbone of my (Repository)
> Release-Management is pulp for which I wrote a rest-client to handle
> Repository and Release stuff in a defined way and everything works quite
> well. So a big "Thank you" for building pulp!
>
> I plan to grant permissions on specific repositories to specific users, so
> they can sync, upload etc their software without my help.
>
> I want my users to be able to list all repositories. As admin, I call
> "pulp-admin rpm repo list".
> According to the .pulp/server_calls, the request is 'GET request to
> /pulp/api/v2/repositories/ with parameters None'.
>
> So here is what I tried:
>
> =========
>
> root@pulpserver:~ # pulp-admin auth permission grant --login=myuser
> --resource=/repositories -o read
> Permissions [/repositories : ['READ']] successfully granted to user [myuser]
>
> =========
>
> myuser@myserver:~ # pulp-admin rpm repo list
> +--------------------------------------------------------------------------------------------------------+
> RPM Repositories
> +--------------------------------------------------------------------------------------------------------+
>
> Authentication Failed
>
> The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login
> command to begin a new session.
>
> =========
>
> myuser@myserver:~ # tail .pulp/admin.log
> self.all_repos_cache =
> self.context.server.repo.repositories(query_params).response_body
> File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33,
> in repositories
> return self.server.GET(path, query_parameters)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in
> GET
> return self._request('GET', path, queries)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in
> _request
> self._handle_exceptions(response_code, response_body)
> File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in
> _handle_exceptions
> raise code_class_mappings[response_code](response_body)
> PermissionsException: Permission Denied
>
> =========
>
> myuser@myserver:~ # tail .pulp/server_calls.log
>
> 2013-11-25 15:18:54,314 - INFO - Response body :
> "Permission Denied"
>
> 2013-11-25 15:19:15,375 - INFO - GET request to /pulp/api/v2/repositories/
> with parameters None
> 2013-11-25 15:19:15,375 - INFO - Response status : 401
>
> 2013-11-25 15:19:15,376 - INFO - Response body :
> "Permission Denied"
> =========
>
> The "Authentication Failed" Message is misleading, as the session certificate
> is valid and it is indeed not an Authentication Failure but a Permission
> Error. Maybe that can be clarified in future releases.
>
> I then tried to widen the permission with
>
> root@pulp1:~ # pulp-admin auth permission grant --login=myuser
> --resource=/repositories/ -o read
> Permissions [/repositories/ : ['READ']] successfully granted to user
> [myuser]
>
> root@pulp1:~ # pulp-admin auth permission grant --login=myuser
> --resource=/v2/repositories -o read
> Permissions [/v2/repositories : ['READ']] successfully granted to user
> [myuser]
>
> root@pulp1:~ # pulp-admin auth permission grant --login=myuser
> --resource=/api/v2/repositories -o read
> Permissions [/api/v2/repositories : ['READ']] successfully granted to user
> [myuser]
>
> root@pulp1:~ # pulp-admin auth permission grant --login=myuser
> --resource=/pulp/api/v2/repositories -o read
> Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to
> user [myuser]
>
>
> - but the Permissions Error kept going. I was only able to list the
> repositories as user, when I set the resource to '/'.
>
> * Am I using the correct --resource parameter?
> * Should it work the way I thought?
> * Do you have any hints for me?
>
> I am using pulp 2.1.3 on a RHEL6.3 x86_64
>
> best regards,
> florian

_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
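Added example (not part of the thread, and not Pulp's own code): a small parser for the `server_calls.log` format quoted above that pairs each request with its status and lists the calls answered with 401, rewritten into the resource form the thread's working grants use (no `/pulp/api` prefix, trailing slash). The function names and the `demo-repo` log lines are constructed for illustration; the log shows only the HTTP method, so which operation to grant (the thread's sync POST needs "execute") still has to come from the Pulp documentation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the ~/.pulp/server_calls.log excerpts in the thread.
SAMPLE_LOG = """\
2013-11-25 17:02:45,528 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Ademo-repo&tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200
2013-11-25 17:02:45,529 - INFO - Response body : []
2013-11-25 17:02:45,749 - INFO - POST request to /pulp/api/v2/repositories/demo-repo/actions/sync/ with parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401
2013-11-25 17:02:45,750 - INFO - Response body : "Permission Denied"
2013-11-25 17:03:10,101 - INFO - GET request to /pulp/api/v2/repositories with parameters None
2013-11-25 17:03:10,102 - INFO - Response status : 401
"""

REQUEST = re.compile(r" - (GET|POST|PUT|DELETE) request to (\S+) with parameters ")
STATUS = re.compile(r" - Response status : (\d{3})\s*$")
API_PREFIX = "/pulp/api"  # present in logged URLs; the grants in the thread omit it


def resource_for(url):
    """Turn a logged URL into the form the thread's working grants use:
    no /pulp/api prefix, no query string, trailing slash."""
    path = urlsplit(url).path
    if path.startswith(API_PREFIX + "/"):
        path = path[len(API_PREFIX):]
    return path if path.endswith("/") else path + "/"


def denied_calls(log_text):
    """Pair each request line with the status line that follows it and return
    the (method, resource) of every call answered with 401, deduplicated."""
    denied, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            pending = (m.group(1), resource_for(m.group(2)))
            continue
        s = STATUS.search(line)
        if s and pending:
            if s.group(1) == "401" and pending not in denied:
                denied.append(pending)
            pending = None
    return denied


if __name__ == "__main__":
    for method, resource in denied_calls(SAMPLE_LOG):
        print(f"401 on {method} {resource}")
```

Reviewing this list before granting anything keeps each grant scoped to the resource that was actually refused, rather than widening to '/' as the first mail ended up doing.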
