Description of problem:
I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories. I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:

pulp-consumer -u admin -p password register --consumer-id hostname

I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.

Version-Release number of selected component (if applicable):
I'm running pulp 2.3 and CentOS 6.5 on both the server and consumer. Stock install of pulp, except I did change some SSL certs to use our company's root CA.

How reproducible:
every time

Steps to Reproduce:
1. Create user and role:

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -execute

2. Attempt to register new consumer:

me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04

Actual results:

me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

Expected results:
successful registration of consumer

Additional info:

me@pulpserver:~> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                Roles
+----------------------------------------------------------------------+

Id:           super-users
Display Name: Super Users
Description:  Role indicates users with admin privileges
Users:        admin
Permissions:  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id:           consumer-admin
Display Name: Consumer Admins
Description:  Consumer registration and repo binding
Users:        consumer-admin
Permissions:  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

Here is the last bit of /var/log/pulp/pulp.log from the server:

...snip...
  File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
    raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed

Also, the "Authentication failed" error message on the consumer should probably say "permission denied". Thanks for the help.
Typo above. Step 1's last line should read:

pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
The resource needed to be '/v2/consumers/'. Both v2 and trailing slash are important. We probably need to clarify that in our documentation.
Document in user guide that:
- "/v2" is required
- what are the possible resource identifiers
- when is a trailing slash required, and mention this in the troubleshooting section
Thanks, I was able to grant the minimal permissions with this:

pulp-admin auth permission grant --resource='/v2/consumers/' --role-id=consumer-admin -o create -o read -o update -o delete -o execute

Regarding the trailing slash, could you put in a check for it and add the trailing slash if the user did not supply it in the --resource argument? Or would there be situations where a trailing slash is not desired or would cause breakage? Perhaps checking the supplied resource argument against "what are the possible resource identifiers" list and spitting out an error message with possible resource identifiers would be helpful.
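The lookup behaviour this thread observes, modelled as an added Python example (not Pulp's own code): permissions are keyed by resource path, a grant on a path also covers everything beneath it (which is why "/" gives super-users everything), and the lookup is by exact string, so the stripped API prefix, the "/v2" segment and the trailing slash all decide whether the POST to /pulp/api/v2/consumers/ is allowed. The grant() helper also shows the trailing-slash normalisation asked about above; API_PREFIX, METHOD_TO_OP and the ancestor-walk rule are assumptions made for this illustration.

```python
"""Illustrative model of path-based permission lookup (added example, not Pulp code).

Assumptions: the '/pulp/api' prefix is removed before lookup, a grant on a path
covers every path below it, and the table is consulted by exact string key, so
'/consumers', '/v2/consumers' and '/v2/consumers/' are three different keys.
"""
from typing import Dict, Iterator, Set

API_PREFIX = "/pulp/api"  # assumption: the part of the URL not used as a resource key
OPS = {"CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"}
# assumption: how an HTTP method maps onto the five Pulp operations
METHOD_TO_OP = {"POST": "CREATE", "GET": "READ", "PUT": "UPDATE", "DELETE": "DELETE"}


def normalize_resource(resource: str) -> str:
    """Canonical grant key: leading and trailing slash, e.g. '/v2/consumers/'."""
    stripped = resource.strip("/")
    return "/" if not stripped else f"/{stripped}/"


def grant(perms: Dict[str, Set[str]], resource: str, ops: Set[str]) -> None:
    """Record a grant, normalizing the key so a forgotten trailing slash cannot bite."""
    unknown = ops - OPS
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    perms.setdefault(normalize_resource(resource), set()).update(ops)


def ancestors(path: str) -> Iterator[str]:
    """Yield the path itself, then each parent collection, ending at '/'."""
    while True:
        yield path
        if path == "/":
            return
        # drop the last segment: '/v2/consumers/' -> '/v2/' -> '/'
        path = path[: path.rstrip("/").rfind("/") + 1]


def is_authorized(perms: Dict[str, Set[str]], method: str, request_path: str) -> bool:
    """Exact-key lookup on the request path and its parents; False means a 401 here."""
    op = METHOD_TO_OP[method]
    if request_path.startswith(API_PREFIX):
        request_path = request_path[len(API_PREFIX):]
    request_path = "/" + request_path.lstrip("/")  # never walk from an empty path
    return any(op in perms.get(p, set()) for p in ancestors(request_path))
```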
I filed a separate issue[0] to track the use of the word authentication here. [0] https://bugzilla.redhat.com/show_bug.cgi?id=1150128
In order to fix this issue, we will need to combine our dev and user guides into a single Sphinx project so that we can link from one to the other. We don't want to do that at this moment, so I am delaying working on this for now.
The docs are all merged on our master branch, but there are higher priority issues for me to work on at the moment so I'm putting this down.
https://github.com/pulp/pulp/pull/1324
Had to change the branch to which the pull request was issued to https://github.com/pulp/pulp/pull/1325
This is fixed in 2.4.4-0.1.beta.
Failed QA

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.1.beta.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/consumers : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']] successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                Roles
+----------------------------------------------------------------------+

Id:           super-users
Display Name: Super Users
Description:  Role indicates users with admin privileges
Users:        admin
Permissions:  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id:           consumer-admin
Display Name: Consumer registration and repo binding
Description:  None
Users:        consumer-admin
Permissions:  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

>> less ./.pulp/consumer.log
2014-12-07 17:58:33,337 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/client/consumer/cli.py", line 190, in register
    rsa_pub=rsa_pub)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py", line 47, in register
    return self.server.POST(path, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
    return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 151, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 192, in _handle_exceptions
    raise code_class_mappings[response_code](response_body)
PermissionsException: RequestException: POST request on /pulp/api/v2/consumers/ failed with 401 - Pulp exception occurred: AuthenticationFailed
Hi Irina! According to the PR docs and Sayli's comments, it looks like the permissions need to be granted on /v2/consumers/ and not /consumers. Can you re-check it with /v2/consumers/?
Hi Randy! My bad, I didn't read the comments carefully. Sorry! Right, I remember a doc bug on trailing slashes. Here it is for /v2/consumers/:

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.4.rc.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
Passwords do not match
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /v2/consumers/ --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/v2/consumers/ : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']] successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id KESHA
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

>> sudo pulp-consumer -u consumer-admin -p 123456 register --consumer-id KESHA
Consumer [KESHA] successfully registered

>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                Roles
+----------------------------------------------------------------------+

Id:           super-users
Display Name: Super Users
Description:  Role indicates users with admin privileges
Users:        admin
Permissions:  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id:           consumer-admin
Display Name: Consumer registration and repo binding
Description:  None
Users:        consumer-admin
Permissions:  /v2/consumers/: CREATE, READ, UPDATE, DELETE, EXECUTE

>> pulp-consumer status
This consumer is registered to the server [ip-XXX] with the ID [KESHA].
Moved to https://pulp.plan.io/issues/411