Bug 823740 - Read valid admin list from /etc/pulpdist/site.conf
Summary: Read valid admin list from /etc/pulpdist/site.conf
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: PulpDist
Classification: Community
Component: Web App
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: 0.1.0
Assignee: Nick Coghlan
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-22 03:08 UTC by Sage Grigull
Modified: 2012-05-23 05:46 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-23 05:46:01 UTC
Embargoed:


Attachments (Terms of Use)

Description Sage Grigull 2012-05-22 03:08:07 UTC
Description of problem:
not accepting admin access when listed only in that file

Version-Release number of selected component (if applicable):
0.0.15-1


Additional info:
It is blocking the ability to roll out to stage for preliminary evaluation.

Comment 1 Nick Coghlan 2012-05-22 03:14:46 UTC
Note that the existing scheme should already automatically flag a user as an administrator based on the [admin] section in site.conf if they haven't logged into the site before.

It's only the case where someone changes from being a normal user to an admin user that currently requires a manual workaround:

1. Log into the site as an existing admin user
2. Click on the Site Admin link
3. Use the Django Admin UI to find the User entry for the new administrator
4. Change their status to mark them as a staff member and super user

I agree that this is annoying and the authentication backend should just update their user status automatically next time they log in, but it shouldn't be a blocker for anything.

The auto update will be in place for 0.0.16, but running a staging instance on 0.0.15 should be quite feasible.

Comment 2 Nick Coghlan 2012-05-22 03:25:58 UTC
As a potentially simpler workaround, it's possible to nuke all existing user entries, so they get recreated based on site.conf at next login:

$ python -m pulpdist.manage_site dbshell
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> delete from auth_user;

The recreation of the user with the correct permissions will then happen automatically next time the user logs in.

Comment 3 Nick Coghlan 2012-05-22 09:25:06 UTC
Dynamic updates have been added for 0.0.16, but it's still necessary to clear any active Django sessions to ensure that affected users are reauthenticated even if they have been logged into the web UI recently.

The relevant command is:

echo "delete from django_session;" | sudo python -m globalsync.manage_site dbshell

Leaving as modified until docs have been updated appropriately.

Comment 4 Nick Coghlan 2012-05-23 05:46:01 UTC
Rather than adjusting the docs, pulpdist-httpd has been updated to use memory backed sessions instead of database backed ones. This means restarting the web server will automatically drop any sessions, ensuring that permissions changes are picked up immediately.

The assumed use of Kerberos authentication with pulpdist-httpd means that end users shouldn't notice anything. For other usage scenarios, people can consult the Django docs to decide for themselves how they want to handle authentication, sessions, permissions and caching.


Note You need to log in before you can comment on or make changes to this bug.