Bug 1081534 - authentication failed for user with a consumer admin role
Summary: authentication failed for user with a consumer admin role
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Pulp
Classification: Retired
Component: documentation
Version: 2.3
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: 2.4.3
Assignee: pulp-bugs
QA Contact: Irina Gulina
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-03-27 14:21 UTC by Jason
Modified: 2015-02-28 22:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-28 22:04:24 UTC




Links
System        ID   Private  Priority  Status  Summary  Last Updated
Pulp Redmine  411  0        None      None    None     Never

Description Jason 2014-03-27 14:21:47 UTC
Description of problem:

I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories.  I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:

    pulp-consumer -u admin -p password register --consumer-id hostname


I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.


Version-Release number of selected component (if applicable):

I'm running pulp 2.3 and CentOS 6.5 on both the server and consumer.  Stock install of pulp, except I did change some SSL certs to use our company's root CA.


How reproducible:
every time

Steps to Reproduce:
1. Create user and role:

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -execute

2. Attempt to register new consumer:

me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04

Actual results:
    me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
    Authentication Failed

    A valid Pulp user is required to register a new consumer. Please double check
    the username and password and attempt the request again.

Expected results:
successful registration of consumer

Additional info:

me@pulpserver:~> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:            super-users
Display Name:  Super Users
Description:   Role indicates users with admin privileges
Users:         admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE


Id:            consumer-admin
Display Name:  Consumer Admins
Description:   Consumer registration and repo binding
Users:         consumer-admin
Permissions:
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE


Here is the last bit of /var/log/pulp/pulp.log from the server:

...snip...
  File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
    raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed


Also, the "Authentication failed" error message on the consumer should probably say "permission denied".  Thanks for the help.

Comment 1 Jason 2014-03-27 14:23:31 UTC
typo above.  Step 1's last line should read:

pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute

Comment 2 Sayli Karmarkar 2014-04-03 21:03:54 UTC
The resource needed to be '/v2/consumers/'. Both v2 and trailing slash are important. We probably need to clarify that in our documentation.

Comment 3 Michael Hrivnak 2014-04-04 16:13:37 UTC
Document in user guide that:
- "/v2" is required
- what are the possible resource identifiers
- when is a trailing slash required, and mention this in the troubleshooting section

Comment 4 Jason 2014-04-07 13:51:36 UTC
Thanks, I was able to grant the minimal permissions with this:

  pulp-admin auth permission grant --resource='/v2/consumers/' --role-id=consumer-admin  -o create -o read -o update -o delete -o execute


Regarding the trailing slash, could you put in a check for it and add the trailing slash if the user did not supply it in the --resource argument?  Or would there be situations where a trailing slash is not desired or would cause breakage?

Perhaps checking the supplied resource argument against "what are the possible resource identifiers" list and spitting out an error message with possible resource identifiers would be helpful.
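The permission behaviour this thread works out (a grant on /consumers silently never matches the /v2/consumers/ resource that the register call is authorised against, while a grant on / matches everything), together with the CLI-side normalization and known-identifier check proposed in the comment above, as an added worked example. This is not Pulp's code and was not posted by anyone in this thread. It assumes the server maps the request path to a resource by stripping /pulp/api and then looks up grants on that resource and on each parent path by exact string match; normalize_resource and validate_resource are hypothetical helpers, not pulp-admin options, and the sample grants are constructed from the role listings shown above.

```python
"""Model of Pulp-style resource-path permission checks (added example, not Pulp code).

Assumption (labelled): the server authorises a request by mapping the API
path ('/pulp/api/v2/consumers/') to a resource ('/v2/consumers/') and then
looking for a grant on that resource or any parent ('/v2/', '/'), comparing
the strings exactly.  That is enough to reproduce what the thread shows: a
grant on '/consumers' never matches, a grant on '/' matches everything.
"""
from typing import Dict, List, Set

API_PREFIX = "/pulp/api"  # prefix seen in the client traceback in this thread
ALL_OPS = {"CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"}

# Constructed sample grants, mirroring the `role list --details` output above.
ROLE_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "super-users": {"/": set(ALL_OPS)},
    "consumer-admin-as-filed": {"/consumers": set(ALL_OPS)},   # the failing grant
    "consumer-admin-fixed": {"/v2/consumers/": set(ALL_OPS)},  # the working grant
}


def request_to_resource(request_path: str) -> str:
    """'/pulp/api/v2/consumers/' -> '/v2/consumers/' (assumed server-side mapping)."""
    if request_path.startswith(API_PREFIX):
        request_path = request_path[len(API_PREFIX):]
    return request_path if request_path.endswith("/") else request_path + "/"


def ancestor_paths(resource: str) -> List[str]:
    """Most-specific-first chain: '/v2/consumers/' -> ['/v2/consumers/', '/v2/', '/']."""
    current = resource if resource.endswith("/") else resource + "/"
    chain: List[str] = []
    while True:
        chain.append(current)
        if current == "/":
            return chain
        # drop the last path segment, keeping the parent's trailing slash
        current = current[: current.rstrip("/").rfind("/") + 1]


def is_authorized(grants: Dict[str, Set[str]], request_path: str, operation: str) -> bool:
    """True if a grant on the resource or one of its parents includes the operation.

    Because each ancestor is looked up by exact string, the keys '/consumers'
    and '/v2/consumers' (no trailing slash) are simply never consulted, which
    is why the role looks right in `role list` yet the request is refused.
    """
    resource = request_to_resource(request_path)
    return any(operation in grants.get(path, set()) for path in ancestor_paths(resource))


def normalize_resource(resource: str, api_version: str = "v2") -> str:
    """Hypothetical CLI-side canonicalisation (what comment 4 asks for; not in pulp-admin).

    Ensures a leading '/', the '/v2' prefix and a trailing '/'.  The root grant
    '/' is returned unchanged so a super-users style grant keeps working.
    """
    res = "/" + resource.strip("/")
    if res == "/":
        return res
    prefix = "/" + api_version
    if res != prefix and not res.startswith(prefix + "/"):
        res = prefix + res
    return res + "/"


def validate_resource(resource: str, known_resources: Set[str]) -> str:
    """Normalise, then reject identifiers that are not in a documented list."""
    canonical = normalize_resource(resource)
    if canonical not in known_resources:
        raise ValueError("unknown resource %r; known identifiers: %s"
                         % (resource, ", ".join(sorted(known_resources))))
    return canonical


if __name__ == "__main__":
    post = "/pulp/api/v2/consumers/"  # the call made by `pulp-consumer register`
    for role, grants in ROLE_GRANTS.items():
        print("%-24s CREATE on %s -> %s" % (role, post, is_authorized(grants, post, "CREATE")))
    print(normalize_resource("/consumers"))  # /v2/consumers/
```

Running the block prints one line per sample role, showing that only the root grant and the exact /v2/consumers/ grant authorise the POST the consumer client makes; the 401 the client reports is a permission refusal, not a bad password, which is the wording problem comment 5 tracks separately.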

Comment 5 Randy Barlow 2014-10-07 13:39:15 UTC
I filed a separate issue[0] to track the use of the word authentication here.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1150128

Comment 6 Randy Barlow 2014-10-07 15:18:29 UTC
In order to fix this issue, we will need to combine our dev and user guides into a single Sphinx project so that we can link from one to the other. We don't want to do that at this moment, so I am delaying working on this for now.

Comment 7 Randy Barlow 2014-10-22 20:35:20 UTC
The docs are all merged on our master branch, but there are higher priority issues for me to work on at the moment so I'm putting this down.

Comment 8 Dennis Kliban 2014-11-18 19:24:17 UTC
https://github.com/pulp/pulp/pull/1324

Comment 9 Dennis Kliban 2014-11-18 20:05:03 UTC
Had to change the branch to which the pull request was issued to

https://github.com/pulp/pulp/pull/1325

Comment 10 Randy Barlow 2014-12-04 22:57:35 UTC
This is fixed in 2.4.4-0.1.beta.

Comment 11 Irina Gulina 2014-12-07 23:06:18 UTC
Failed QA 

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.1.beta.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/consumers : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id test04
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.


>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:            super-users
Display Name:  Super Users
Description:   Role indicates users with admin privileges
Users:         admin
Permissions:  
  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id:            consumer-admin
Display Name:  Consumer registration and repo binding
Description:   None
Users:         consumer-admin
Permissions:  
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

>> less ./.pulp/consumer.log

2014-12-07 17:58:33,337 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/client/consumer/cli.py", line 190, in register
    rsa_pub=rsa_pub)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py", line 47, in register
    return self.server.POST(path, body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
    return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 151, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 192, in _handle_exceptions
    raise code_class_mappings[response_code](response_body)
PermissionsException: RequestException: POST request on /pulp/api/v2/consumers/ failed with 401 - Pulp exception occurred: AuthenticationFailed

Comment 12 Randy Barlow 2015-02-05 21:31:33 UTC
Hi Irina!

According to the PR docs and Sayli's comments, it looks like the permissions need to be granted on /v2/consumers/ and not /consumers. Can you re-check it with /v2/consumers/?

Comment 13 Irina Gulina 2015-02-06 17:17:01 UTC
Hi Randy!

My bad, I didn't read the comments carefully. Sorry! Right, I remember a doc bug on trailing slashes.

Here it is for /v2/consumers/ 

>> rpm -qa | grep pulp-server
pulp-server-2.4.4-0.4.rc.el7.noarch

>> pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created

>> pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] : 
Re-enter password for user [consumer-admin]: 
Passwords do not match

Enter password for user [consumer-admin] : 
Re-enter password for user [consumer-admin]: 
User [consumer-admin] successfully created

>> pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]

>> pulp-admin auth permission grant --resource /v2/consumers/ --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/v2/consumers/ : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]

>> sudo pulp-consumer -u consumer-admin -p admin register --consumer-id KESHA
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.

>> sudo pulp-consumer -u consumer-admin -p 123456 register --consumer-id KESHA
Consumer [KESHA] successfully registered

>> pulp-admin auth role list --details
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:            super-users
Display Name:  Super Users
Description:   Role indicates users with admin privileges
Users:         admin
Permissions:   
  /: CREATE, READ, UPDATE, DELETE, EXECUTE


Id:            consumer-admin
Display Name:  Consumer registration and repo binding
Description:   None
Users:         consumer-admin
Permissions:   
  /v2/consumers/: CREATE, READ, UPDATE, DELETE, EXECUTE


>> pulp-consumer status
This consumer is registered to the server
[ip-XXX] with the ID [KESHA].

Comment 14 Brian Bouterse 2015-02-28 22:04:24 UTC
Moved to https://pulp.plan.io/issues/411
