Bug 1081534
Summary: | authentication failed for user with a consumer admin role
---|---
Product: | [Retired] Pulp
Component: | documentation
Status: | CLOSED UPSTREAM
Severity: | medium
Priority: | medium
Version: | 2.3
Target Release: | 2.4.3
Hardware: | x86_64
OS: | Linux
Reporter: | Jason <ashbyj>
Assignee: | pulp-bugs
QA Contact: | Irina Gulina <igulina>
CC: | cduryee, dkliban, igulina, mhrivnak, rbarlow, skarmark
Keywords: | Documentation, Triaged
Doc Type: | Bug Fix
Type: | Bug
Last Closed: | 2015-02-28 22:04:24 UTC
Description
Jason
2014-03-27 14:21:47 UTC
typo above. Step 1's last line should read:

pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute

The resource needed to be '/v2/consumers/'. Both v2 and trailing slash are important. We probably need to clarify that in our documentation.

Document in user guide that:
- "/v2" is required
- what are the possible resource identifiers
- when is a trailing slash required, and mention this in the troubleshooting section

Thanks, I was able to grant the minimal permissions with this:

pulp-admin auth permission grant --resource='/v2/consumers/' --role-id=consumer-admin -o create -o read -o update -o delete -o execute

Regarding the trailing slash, could you put in a check for it and add the trailing slash if the user did not supply it in the --resource argument? Or would there be situations where a trailing slash is not desired or would cause breakage? Perhaps checking the supplied resource argument against "what are the possible resource identifiers" list and spitting out an error message with possible resource identifiers would be helpful.

I filed a separate issue[0] to track the use of the word authentication here.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1150128

In order to fix this issue, we will need to combine our dev and user guides into a single Sphinx project so that we can link from one to the other. We don't want to do that at this moment, so I am delaying working on this for now.

The docs are all merged on our master branch, but there are higher priority issues for me to work on at the moment so I'm putting this down.

Had to change the branch to which the pull request was issued to https://github.com/pulp/pulp/pull/1325

This is fixed in 2.4.4-0.1.beta.
Failed QA

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.1.beta.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/consumers : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']] successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
Roles
+----------------------------------------------------------------------+
Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

>> less ./.pulp/consumer.log
2014-12-07 17:58:33,337 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/client/consumer/cli.py", line 190, in register
    rsa_pub=rsa_pub)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py", line 47, in register
    return self.server.POST(path, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
    return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 151, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 192, in _handle_exceptions
    raise code_class_mappings[response_code](response_body)
PermissionsException: RequestException: POST request on /pulp/api/v2/consumers/ failed with 401 - Pulp exception occurred: AuthenticationFailed

Hi Irina! According to the PR docs and Sayli's comments, it looks like the permissions need to be granted on /v2/consumers/ and not /consumers. Can you re-check it with /v2/consumers/?

Hi Randy! My bad I didn't read comments carefully. Sorry! Right, I remember a doc bug on trailing slashes. Here it is for /v2/consumers/

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.4.rc.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
Passwords do not match
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /v2/consumers/ --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/v2/consumers/ : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']] successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id KESHA
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

>> sudo pulp-consumer -u consumer-admin -p 123456 register --consumer-id KESHA
Consumer [KESHA] successfully registered

>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
Roles
+----------------------------------------------------------------------+
Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
  /v2/consumers/: CREATE, READ, UPDATE, DELETE, EXECUTE

>> pulp-consumer status
This consumer is registered to the server [ip-XXX] with the ID [KESHA].

Moved to https://pulp.plan.io/issues/411
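Added example, not part of the bug thread or of Pulp's code: a Python check over `pulp-admin auth role list --details` output that flags grants whose resource lacks the "/v2" prefix or the trailing slash discussed in this thread, and reports a suggested form instead of rewriting the grant. The sample listing is reconstructed from this page with assumed line breaks, and treating the root grant "/" as always valid is an assumption.

```python
import re

# Constructed sample: the first role listing on this page, line breaks assumed.
SAMPLE = """\
Id: super-users
Users: admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE
Id: consumer-admin
Users: consumer-admin
Permissions:
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE
"""

ROLE_RE = re.compile(r"^\s*Id:\s*(\S+)\s*$")
GRANT_RE = re.compile(r"^\s*(/\S*):\s*([A-Z]+(?:,\s*[A-Z]+)*)\s*$")

def parse_grants(text):
    """Return (role, resource, operations) for each permission line."""
    grants, role = [], None
    for line in text.splitlines():
        if m := ROLE_RE.match(line):
            role = m.group(1)
        elif (m := GRANT_RE.match(line)) and role:
            grants.append((role, m.group(1), re.split(r",\s*", m.group(2))))
    return grants

def check_resource(resource):
    """List the problems with a granted resource path (empty list = OK)."""
    if resource == "/":  # assumption: the root grant covers every API path
        return []
    problems = []
    if not resource.startswith("/v2/"):
        problems.append('missing "/v2" prefix')
    if not resource.endswith("/"):
        problems.append("missing trailing slash")
    return problems

def suggest(resource):
    """Propose the corrected form; report it rather than rewriting the grant."""
    path = "/" + resource.strip("/") + "/"
    return path if path.startswith("/v2/") else "/v2" + path

def audit(text):
    """Return (role, resource, problems, suggestion) for each suspect grant."""
    return [(role, res, check_resource(res), suggest(res))
            for role, res, _ops in parse_grants(text) if check_resource(res)]

if __name__ == "__main__":
    for role, res, problems, fix in audit(SAMPLE):
        print(f"{role}: {res!r} ({', '.join(problems)}); try {fix!r}")
```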