Hi,
Your suggestion got me a few steps further...
== AS ADMIN ==
pulp-admin auth user create --login myuser --password myuser
pulp-admin auth permission grant --login=myuser --resource="/v2/tasks/" -o read
pulp-admin auth permission grant --login=myuser --resource="/v2/repositories/se2ve-test/actions/sync/" -o read -o update -o create -o execute
== AS USER "MYUSER" ==
pulp-admin login -u myuser -p myuser
Successfully logged in. Session certificate will expire at Dec 5 13:09:07 2013 GMT.
pulp-admin rpm repo sync run --repo-id=se2ve-test
+--------------------------------------------------------------------------------------------------------+
Synchronizing Repository [se2ve-test]
+--------------------------------------------------------------------------------------------------------+
Authentication Failed
The session certificate expired on Dec 5 13:09:07 2013 GMT. Use the
login command to begin a new session.
===================
Looking in the logfiles, I can see that the importer actually synced,
but the user was not allowed to make a call to
"/pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/" afterwards.
I will include the server_calls.log and admin.log from the
pulp-admin-client and the pulp.log from the pulpserver as attachments.
regards,
florian
On 11/26/2013 05:56 PM, Michael Hrivnak wrote:
Florian,
In order to initiate a sync, you need "execute" permission. Try adding that to
the user, and let us know if it works.
Michael
----- Original Message -----
From: "Florian Sachs" <[email protected]>
To: "Michael Hrivnak" <[email protected]>
Cc: "Florian Sachs" <[email protected]>, [email protected]
Sent: Tuesday, November 26, 2013 2:44:34 AM
Subject: Re: [Pulp-list] Cannot grant permissions on repositories
Hi,
/* This is the second part of the mail I sent yesterday, which describes
a new problem that I ran into, which probably went unnoticed... */
I cannot give a user the permission to sync a repository from its feed:
Now I wanted to give the user 'myuser' the permission to sync the
repository from its feed.
First, I start the sync as admin - just to check if the sync actually
works:
===== Sync from feed as admin =====
myuser@pulp1:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
This command may be exited by pressing ctrl+c without affecting the
actual operation on the server.
...
...
Publishing repository over HTTP
[-]
... completed
===== /worked! =====
ok - syncing should work...
===== Grant Permissions to user to sync =====
myuser@pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/" -o read -o update -o create
Permissions [/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ : ['READ', 'UPDATE', 'CREATE']] successfully granted to user [myuser]
===== /worked! =====
===== Sync the Repository as user =====
myuser@t2veke7:~/.pulp # pulp-admin rpm repo sync run --repo-id=puppetlabs_puppet-acilaris
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Synchronizing Repository [puppetlabs_puppet-acilaris]
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Authentication Failed
The session certificate expired on Dec 2 15:40:19 2013 GMT. Use the
login command to begin a new session.
===== /failed! =====
The .pulp/server_calls.log shows me the following line:
===== server_calls.log =====
2013-11-25 17:07:17,103 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:07:17,104 - INFO - Response status : 401
2013-11-25 17:07:17,104 - INFO - Response body :
"Permission Denied"
===== /server_calls.log =====
pulp-admin makes a request to /v2/tasks/, so I give the user the Read
Permissions on this uri.
===== User gets read on the /v2/tasks/ uri =====
myuser@pulp1:~/.pulp # pulp-admin auth permission grant --login=myuser --resource="/v2/tasks/" -o read
Permissions [/v2/tasks/ : ['READ']] successfully granted to user [myuser]
===== /worked! =====
Trying to run 'pulp-admin rpm repo sync --repo-id=puppetlabs_puppet-acilaris'
again returns the "Authentication Failed" error. The .pulp/server_calls.log
reveals that the first call to '/v2/tasks' works,
but the 'Permission Denied' is now issued by the repository-uri.
===== server_calls.log =====
2013-11-25 17:02:45,528 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Apuppetlabs_puppet-acilaris&tag=pulp%3Aaction%3Async with parameters None
2013-11-25 17:02:45,529 - INFO - Response status : 200
2013-11-25 17:02:45,529 - INFO - Response body :
[]
2013-11-25 17:02:45,749 - INFO - POST request to /pulp/api/v2/repositories/puppetlabs_puppet-acilaris/actions/sync/ with parameters {"override_config": null}
2013-11-25 17:02:45,750 - INFO - Response status : 401
2013-11-25 17:02:45,750 - INFO - Response body :
"Permission Denied"
===== /server_calls.log =====
* Maybe you could take a look at this new problem - if it works in 2.3 -
that would be ok for me...
regards,
florian
On 11/25/2013 04:25 PM, Michael Hrivnak wrote:
Florian,
Thanks for being in touch. Please try "/v2/repositories/" with the trailing
slash, which I believe will work. I have verified it on pulp 2.3 beta.
As for the "Authentication Failed" message, that is a bug that was fixed in
Pulp 2.2. https://bugzilla.redhat.com/show_bug.cgi?id=916729
Your email did cause me to notice an error in our REST API documentation, which
I reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1034316
Thanks,
Michael Hrivnak
----- Original Message -----
From: "Florian Sachs" <[email protected]>
To: [email protected]
Sent: Monday, November 25, 2013 9:39:42 AM
Subject: [Pulp-list] Cannot grant permissions on repositories
Hi,
Before I begin: I am in the process of building a new server structure within my company
using all puppet, foreman, devops and all the other buzzwords that fly around and actually
work pretty well. The backbone of my (Repository) Release-Management is pulp for which I
wrote a rest-client to handle Repository and Release stuff in a defined way and
everything works quite well. So a big "Thank you" for building pulp!
I plan to grant permissions on specific repositories to specific users, so they
can sync, upload etc their software without my help.
I want my users to be able to list all repositories. As admin, I call "pulp-admin
rpm repo list".
According to the .pulp/server_calls, the request is 'GET request to /
pulp/api/v2/repositories / with parameters None'.
So here is what I tried:
=========
root@pulpserver:~ # pulp-admin auth permission grant --login=myuser --resource=/repositories -o read
Permissions [/repositories : ['READ']] successfully granted to user [myuser]
=========
myuser@myserver:~ # pulp-admin rpm repo list
+--------------------------------------------------------------------------------------------------------+
RPM Repositories
+--------------------------------------------------------------------------------------------------------+
Authentication Failed
The session certificate expired on Dec 2 14:18:47 2013 GMT. Use the login
command to begin a new session.
=========
myuser@myserver:~ # tail .pulp/admin.log
self.all_repos_cache =
self.context.server.repo.repositories(query_params).response_body
File "/usr/lib/python2.6/site-packages/pulp/bindings/repository.py", line 33,
in repositories
return self.server.GET(path, query_parameters)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
return self._request('GET', path, queries)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in
_request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in
_handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied
=========
myuser@myserver:~ # tail .pulp/server_calls.log
2013-11-25 15:18:54,314 - INFO - Response body :
"Permission Denied"
2013-11-25 15:19:15,375 - INFO - GET request to / pulp/api/v2/repositories /
with parameters None
2013-11-25 15:19:15,375 - INFO - Response status : 401
2013-11-25 15:19:15,376 - INFO - Response body :
"Permission Denied"
=========
The "Authentication Failed" Message is misleading, as the session certificate
is valid and it is indeed not an Authentication Failure but a Permission Error. Maybe that
can be clarified in future releases.
I then tried to widen the permission with
root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource= /
repositories / -o read
Permissions [ / repositories / : ['READ']] successfully granted to user [myuser]
root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/v2/repositories -o read
Permissions [/v2/repositories : ['READ']] successfully granted to user [myuser]
root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/api/v2/repositories -o read
Permissions [/api/v2/repositories : ['READ']] successfully granted to user [myuser]
root@pulp1:~ # pulp-admin auth permission grant --login=myuser --resource=/pulp/api/v2/repositories -o read
Permissions [/pulp/api/v2/repositories : ['READ']] successfully granted to user [myuser]
- but the Permissions Error kept going. I was only able to list the
repositories as user, when I set the resource to '/'.
* Am I using the correct --resource parameter?
* Should it work the way I thought?
* Do you have any hints for me?
I am using pulp 2.1.3 on a RHEL6.3 x86_64
best regards,
florian
--
Florian Sachs
Bundesministerium für Landesverteidigung und Sport
Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE
Stiftgasse 2a 1070, Wien
Postadresse: Rossauer Lände 1, 1090 Wien
Tel.: +43 50201 10 33466
2013-11-28 14:16:05,545 - ERROR - Client-side exception occurred
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/pulp/client/extensions/core.py", line 478, in run
exit_code = Cli.run(self, args)
File "/usr/lib/python2.6/site-packages/okaara/cli.py", line 966, in run
exit_code = command_or_section.execute(self.prompt, remaining_args)
File "/usr/lib/python2.6/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
return self.method(*arg_list, **clean_kwargs)
File "/usr/lib/python2.6/site-packages/pulp/client/commands/repo/sync_publish.py", line 101, in run
status.display_group_status(self.context, self.renderer, task_group_id)
File "/usr/lib/python2.6/site-packages/pulp/client/commands/repo/status/status.py", line 60, in display_group_status
response = context.server.task_groups.get_task_group(task_group_id)
File "/usr/lib/python2.6/site-packages/pulp/bindings/tasks.py", line 151, in get_task_group
response = self.server.GET(path)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 84, in GET
return self._request('GET', path, queries)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 142, in _request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 183, in _handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: Permission Denied
2013-11-28 14:16:04,933 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Ase2ve-test&tag=pulp%3Aaction%3Async with parameters None
2013-11-28 14:16:04,934 - INFO - Response status : 200
2013-11-28 14:16:04,935 - INFO - Response body :
[]
2013-11-28 14:16:05,240 - INFO - POST request to /pulp/api/v2/repositories/se2ve-test/actions/sync/ with parameters {"override_config": null}
2013-11-28 14:16:05,241 - INFO - Response status : 202
2013-11-28 14:16:05,243 - INFO - Response body :
[
{
"task_group_id": "19d47c8c-cef3-4209-bbb2-5463547bfcee",
"call_request_id": "8f54544a-c3ec-4f95-b266-466d3a6f7128",
"exception": null,
"_href": "/pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/",
"task_id": "8f54544a-c3ec-4f95-b266-466d3a6f7128",
"call_request_tags": [
"pulp:repository:se2ve-test",
"pulp:action:sync"
],
"reasons": [],
"start_time": null,
"traceback": null,
"schedule_id": null,
"finish_time": null,
"state": "waiting",
"result": null,
"dependency_failures": {},
"call_request_group_id": "19d47c8c-cef3-4209-bbb2-5463547bfcee",
"progress": {},
"principal_login": "myuser",
"response": "accepted",
"tags": [
"pulp:repository:se2ve-test",
"pulp:action:sync"
]
},
{
"task_group_id": "19d47c8c-cef3-4209-bbb2-5463547bfcee",
"call_request_id": "45f266f4-d32a-4226-b6f4-96beb9da927a",
"exception": null,
"_href": "/pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/",
"task_id": "45f266f4-d32a-4226-b6f4-96beb9da927a",
"call_request_tags": [
"pulp:repository:se2ve-test",
"pulp:action:auto_publish",
"pulp:action:publish"
],
"reasons": [],
"start_time": null,
"traceback": null,
"schedule_id": null,
"finish_time": null,
"state": "waiting",
"result": null,
"dependency_failures": {},
"call_request_group_id": "19d47c8c-cef3-4209-bbb2-5463547bfcee",
"progress": {},
"principal_login": "myuser",
"response": "accepted",
"tags": [
"pulp:repository:se2ve-test",
"pulp:action:auto_publish",
"pulp:action:publish"
]
}
]
2013-11-28 14:16:05,543 - INFO - GET request to /pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/ with parameters None
2013-11-28 14:16:05,544 - INFO - Response status : 401
2013-11-28 14:16:05,544 - INFO - Response body :
"Permission Denied"
2013-11-28 14:16:05,272 pulp.plugins.yum_importer.importer_rpm:INFO: Begin sync of repo <se2ve-test> from feed_url <http://pulp1.3ve.bmlv.at/pulp/repos/releases/upstream/se2ve/>
2013-11-28 14:16:06,247 pulp.plugins.yum_importer.importer_rpm:INFO: 366 rpms are available in the source repo se2ve-test, calculated in 0.000699996948242 seconds
2013-11-28 14:16:06,446 pulp.plugins.yum_importer.importer_rpm:INFO: Repo <se2ve-test> 366 existing rpm units, 0 have been orphaned, 0 new rpms, 0 missing rpms.
2013-11-28 14:16:06,447 pulp.plugins.yum_importer.importer_rpm:INFO: Delta RPMs to sync 0
2013-11-28 14:16:06,450 pulp.plugins.yum_importer.importer_rpm:INFO: 0 drpms are available in the source repo se2ve-test, calculated in 0.00312399864197 seconds
2013-11-28 14:16:06,450 pulp.plugins.yum_importer.importer_rpm:INFO: Repo <se2ve-test> 0 existing drpm units, 0 have been orphaned, 0 new drpms, 0 missing drpms.
2013-11-28 14:16:07,004 pulp.plugins.yum_importer.importer_rpm:INFO: 0 distributions are available in the source repo se2ve-test, calculated in 0.553355932236 seconds
2013-11-28 14:16:07,004 pulp.plugins.yum_importer.importer_rpm:INFO: Repo <se2ve-test> 0 existing distro units, 0 have been orphaned, 0 new distro files, 0 missing distro.
2013-11-28 14:16:07,006 pulp.plugins.yum_importer.importer_rpm:INFO: <se2ve-test> SaveThread starting
2013-11-28 14:16:07,632 pulp.plugins.yum_importer.importer_rpm:INFO: Finished download of se2ve-test in 0.626874923706 seconds. 0 successes, 0 downloads, 0 errors
2013-11-28 14:16:07,644 pulp.plugins.yum_importer.importer_rpm:INFO: checksum type info [{u'checksum_type': u'sha256'}] set to repo scratchpad
2013-11-28 14:16:07,649 pulp.plugins.yum_importer.importer_rpm:INFO: <se2ve-test>Waiting for SaveThread to finish: roughly 0 items on queue
2013-11-28 14:16:07,650 pulp.plugins.yum_importer.importer_rpm:INFO: <se2ve-test> SaveThread: Queue empty will exit
2013-11-28 14:16:07,656 pulp.plugins.yum_importer.importer_rpm:INFO: <se2ve-test> SaveThread: Stopped
2013-11-28 14:16:07,661 pulp.plugins.yum_importer.importer_rpm:INFO: <se2ve-test> SaveThread has finished
2013-11-28 14:16:07,662 pulp.plugins.yum_importer.importer_rpm:INFO: SaveThread saved 0 units, and reported 0 as not_synced
2013-11-28 14:16:07,662 pulp.plugins.yum_importer.drpm:INFO: purging orphaned drpm units
2013-11-28 14:16:07,663 pulp.plugins.yum_importer.importer_rpm:INFO: not_synced = []
2013-11-28 14:16:07,663 pulp.plugins.yum_importer.importer_rpm:INFO: STATUS: True; SUMMARY: {'num_synced_new_rpms': 0, 'num_resynced_distribution_files': 0, 'num_not_synced_srpms': 0, 'num_synced_new_distributions_files': 0, 'num_rpms': 366, 'num_not_synced_drpms': 0, 'time_total_sec': 2.3913028240203857, 'num_orphaned_distributions': 0, 'num_orphaned_rpms': 0, 'num_synced_new_srpms': 0, 'num_synced_new_drpms': 0, 'num_resynced_distributions': 0, 'num_orphaned_srpms': 0, 'num_resynced_rpms': 0, 'num_synced_new_distributions': 0, 'num_orphaned_drpms': 0, 'num_resynced_srpms': 0, 'num_resynced_drpms': 0, 'removal_errors': [], 'num_not_synced_rpms': 0}; DETAILS: {'time_download_sec': 0.62687492370605469, 'not_synced': [], 'time_metadata_sec': 0.9725799560546875, 'size_total': 0, 'sync_report': {'errors': 0, 'size_total': 0, 'successes': 0, 'downloads': 0, 'items_left': 0, 'items_total': 0, 'error_details': [], 'details': {}, 'size_left': 0}}
2013-11-28 14:16:07,671 pulp.plugins.yum_importer.errata:INFO: Unable to find 'updateinfo' in ['filelists', 'primary', 'primary_db', 'other_db', 'other', 'filelists_db']
2013-11-28 14:16:07,671 pulp.plugins.yum_importer.errata:INFO: Available Errata 0
2013-11-28 14:16:07,678 pulp.plugins.yum_importer.errata:INFO: 0 new_errata, 0 new_units
2013-11-28 14:16:08,096 pulp.plugins.yum_importer.errata:INFO: Finished errata sync
2013-11-28 14:16:08,099 pulp.plugins.yum_importer.comps:INFO: No package group/category data found in </var/lib/pulp/working/repos/se2ve-test/importers/yum_importer/se2ve-test>
2013-11-28 14:16:08,100 pulp.plugins.yum_importer.comps:INFO: Parsed comps data from </var/lib/pulp/working/repos/se2ve-test/importers/yum_importer/se2ve-test>: 0 groups and 0 categories are available in <se2ve-test>
2013-11-28 14:16:08,111 pulp.plugins.yum_importer.comps:INFO: Existing package groups/categories from <se2ve-test>: 0 groups, 0 categories
2013-11-28 14:16:08,112 pulp.plugins.yum_importer.comps:INFO: Comps Summary: {'time_total_sec': 0.014615058898925781, 'num_orphaned_groups': 0, 'num_available_groups': 0, 'num_new_groups': 0, 'num_new_categories': 0, 'num_orphaned_categories': 0, 'num_available_categories': 0}
Details: {}
2013-11-28 14:16:08,124 pulp.server.dispatch.task:INFO: SUCCESS: Task 8f54544a-c3ec-4f95-b266-466d3a6f7128: CallRequest: RepoSyncManager.sync(u'se2ve-test', sync_config_override=None)
2013-11-28 14:16:08,819 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: existing metadata found; taking backup.
2013-11-28 14:16:09,545 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: generate_yum_metadata processing 366 units of type rpm, 0 total units have already been processed
2013-11-28 14:16:09,546 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: Performing per unit metadata merge on 366 units
2013-11-28 14:16:09,716 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: per unit metadata merge completed in 0.169503927231 seconds
2013-11-28 14:16:09,818 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: generate_yum_metadata finished processing 366 units
2013-11-28 14:16:10,456 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: comps xml path does not exist; skipping merge
2013-11-28 14:16:10,456 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: updateinfo xml path does not exist; skipping merge
2013-11-28 14:16:10,457 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: check scratchpad for any repodata
2013-11-28 14:16:10,457 pulp.plugins.pulp_rpm.yum_plugin.metadata:INFO: Metadata generation finished in 1.63937187195 seconds
2013-11-28 14:16:10,457 pulp.plugins.yum_distributor.distributor:INFO: HTTPS Publishing repo <se2ve-test> to </var/lib/pulp/published/https/repos/releases/upstream/se2ve-test>
2013-11-28 14:16:10,457 pulp.plugins.yum_distributor.distributor:INFO: HTTP Publishing repo <se2ve-test> to </var/lib/pulp/published/http/repos/releases/upstream/se2ve-test>
2013-11-28 14:16:10,458 pulp.plugins.yum_distributor.distributor:INFO: Publish complete: summary = <{'num_package_units_errors': 0, 'https_publish_dir': u'/var/lib/pulp/published/https/repos/releases/upstream/se2ve-test', 'num_package_categories_published': 0, 'http_publish_dir': u'/var/lib/pulp/published/http/repos/releases/upstream/se2ve-test', 'skip_metadata_update': False, 'num_distribution_units_published': 0, 'num_package_groups_published': 0, 'num_package_units_attempted': 366, 'num_package_units_published': 366, 'num_distribution_units_attempted': 0, 'num_distribution_units_errors': 0, 'relative_path': u'releases/upstream/se2ve-test'}>, details = <{'errors': [], 'time_metadata_sec': 1.6479339599609375}>
2013-11-28 14:16:10,465 pulp.server.dispatch.task:INFO: SUCCESS: Task 45f266f4-d32a-4226-b6f4-96beb9da927a: CallRequest: RepoPublishManager.publish(u'se2ve-test', u'yum_distributor')
_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
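
Added example, not part of the thread and not Pulp's own code: a small parser for the client-side `server_calls.log` format attached above. It lists every request that was answered with 401 and rewrites its URL into the `--resource` form used in the thread (no `/pulp/api` prefix, no query string, trailing slash). It assumes unwrapped log lines as in the attachment; the function names `to_resource` and `denied_calls` are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Sample abridged from the server_calls.log attached to the thread.
SAMPLE_LOG = """\
2013-11-28 14:16:04,933 - INFO - GET request to /pulp/api/v2/tasks/?tag=pulp%3Arepository%3Ase2ve-test&tag=pulp%3Aaction%3Async with parameters None
2013-11-28 14:16:04,934 - INFO - Response status : 200
2013-11-28 14:16:04,935 - INFO - Response body :
[]
2013-11-28 14:16:05,240 - INFO - POST request to /pulp/api/v2/repositories/se2ve-test/actions/sync/ with parameters {"override_config": null}
2013-11-28 14:16:05,241 - INFO - Response status : 202
2013-11-28 14:16:05,543 - INFO - GET request to /pulp/api/v2/task_groups/19d47c8c-cef3-4209-bbb2-5463547bfcee/ with parameters None
2013-11-28 14:16:05,544 - INFO - Response status : 401
2013-11-28 14:16:05,544 - INFO - Response body :
"Permission Denied"
"""

REQUEST_RE = re.compile(
    r" - INFO - (?P<method>[A-Z]+) request to (?P<url>\S+) with parameters ")
STATUS_RE = re.compile(r" - INFO - Response status : (?P<code>\d{3})\s*$")
API_PREFIX = "/pulp/api"  # prefix seen in the log but absent from the grants


def to_resource(url):
    """Rewrite a logged request URL into the --resource form used in the thread."""
    path = urlsplit(url).path            # drops the ?tag=... query string
    if path.startswith(API_PREFIX + "/"):
        path = path[len(API_PREFIX):]    # /pulp/api/v2/... -> /v2/...
    if not path.endswith("/"):
        path += "/"                      # the thread's grants use a trailing slash
    return path


def denied_calls(log_text):
    """Return (method, resource) for each request answered with 401, in log order."""
    denied = []
    pending = None                       # last request still waiting for its status
    for line in log_text.splitlines():
        request = REQUEST_RE.search(line)
        if request:
            pending = (request.group("method"), to_resource(request.group("url")))
            continue
        status = STATUS_RE.search(line)
        if status and pending:
            if status.group("code") == "401" and pending not in denied:
                denied.append(pending)
            pending = None
    return denied


if __name__ == "__main__":
    for method, resource in denied_calls(SAMPLE_LOG):
        print(f"{method:6} {resource}")
```

The output names the one URI the user still lacks a permission on, which the CLI only reports as "Authentication Failed".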