Bug 1132609
| Summary: | Pulp cannot use MongoDB authentication with its task result backend | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Randy Barlow <rbarlow> |
| Component: | async/tasks | Assignee: | Michael Hrivnak <mhrivnak> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2.4.0 | CC: | bmbouter, mhrivnak, pthomas |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.5.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-11-24 21:33:34 UTC | Type: | Bug |
| Bug Blocks: | 1132607 | ||
For users encountering this issue, there is a simple workaround:

1) Edit your /etc/pulp/server.conf
2) Add a new "user" setting in your [database] section with the same value as you used in your "username" setting.
3) Save the file.

Once we fix this issue, you should remove the "user" field as it will be extraneous.

build: 2.5.0-0.6.beta

Preethi,

Since we moved this from 2.4 to 2.5, I believe we can change step 2 to say that Pulp needs dbAdmin and readWrite, instead of dbOwner.

Here is a tutorial about how to add users to databases:

http://docs.mongodb.org/manual/tutorial/add-user-to-database/

Here is the documentation about the various roles available:

http://docs.mongodb.org/manual/reference/built-in-roles/#dbOwner

verified

Configured MongoDB for authenticated access, and disallow anonymous connections.

Followed the above docs, and this:

http://docs.mongodb.org/manual/tutorial/enable-authentication-without-bypass/

Used this to add:

```
[root@cloud-qe-12 ~]# mongo pulp_database
MongoDB shell version: 2.4.6
connecting to: pulp_database
> db.addUser({user: "pulpuser", pwd:"pulppass", roles: [ "readWrite", "dbAdmin" ]})
{
    "user" : "pulpuser",
    "pwd" : "1b512d0236d75c586c5d65423f59b225",
    "roles" : [
        "readWrite",
        "dbAdmin"
    ],
    "_id" : ObjectId("543d383dab7f088df0756127")
}
> ^C
bye
[root@cloud-qe-12 ~]# vi /etc/pulp/server.conf
```

Update database section with the above pulpuser.

Restart services.

Repo create/sync works fine.

```
[root@cloud-qe-12 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.7.beta.el6.noarch
[root@cloud-qe-12 ~]#
```
Description of problem:

Pulp uses MongoDB for its task result backend*. Pulp itself can authenticate to MongoDB, but it uses the wrong config key ("user" instead of "username") from server.conf for the username when configuring Celery to use Mongo as a result backend. This means that Celery gets an authentication failure whenever Mongo is configured to require permissions on the Pulp database.

* The task result backend is what stores return values for tasks that need to return something. For example, all of Pulp's tasks that reserve resources rely on this to know which queue to put the work in. This means that many important tasks, such as sync, cannot work with MongoDB authentication.

Version-Release number of selected component (if applicable):

2.4.0-1 and greater

How reproducible:

Very

Steps to Reproduce:

1. Configure MongoDB for authenticated access, and disallow anonymous connections.
2. Configure the pulp user as the DB owner for full access.
3. Restart Pulp.
4. Try to sync a repo.

Actual results:

Observe that the sync fails, with a Mongo permission traceback in the server logs. Other tasks that do not use the results backend (like a repo list) will still work.

Expected results:

The sync should succeed.
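
The key mismatch described in this report can be checked for in a server.conf before enabling MongoDB authentication. The following is an added example, not Pulp's own code: the helper names are hypothetical, the sample file contents are constructed, and the only behaviour it assumes is what the report states (Pulp reads "username", the result backend setup reads "user").

```python
import configparser

# Constructed sample of the [database] section in /etc/pulp/server.conf.
SAMPLE_CONF = """
[database]
name = pulp_database
username = pulpuser
password = pulppass
"""

def load_db_section(text):
    """Parse server.conf text and return the [database] section as a dict."""
    # interpolation=None so a '%' in a password is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["database"]) if parser.has_section("database") else {}

def backend_user(db, key):
    """User name a component would send to MongoDB if it reads `key`.
    None means it would connect without credentials."""
    return db.get(key) if db.get("password") else None

def audit(text):
    """Return findings about the 'user' / 'username' mismatch from the report."""
    db = load_db_section(text)
    pulp = backend_user(db, "username")   # key Pulp itself reads
    celery = backend_user(db, "user")     # key the affected backend setup reads
    findings = []
    if pulp and not celery:
        findings.append("affected: result backend gets no user name, "
                        "tasks that use it (such as sync) fail authentication")
    elif pulp and celery and pulp != celery:
        findings.append("mismatch: 'user' and 'username' differ, "
                        "the backend authenticates as a different account")
    elif pulp and celery:
        findings.append("workaround active: remove 'user' once on a fixed release")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

An empty result means the file sets no database credentials at all, which is the anonymous-access setup the reproduction steps disallow on the MongoDB side.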