Pulp: Issues
https://pulp.plan.io/
2021-12-21T15:05:31Z
Pulp Planio

Pulp - Issue #9654 (CLOSED - CURRENTRELEASE): backport 9642 to 3.17.1: Migration 081 was incompat...
https://pulp.plan.io/issues/9654
2021-12-21T15:05:31Z dkliban@redhat.com

RPM Support - Issue #9627 (MODIFIED): publish fails on MD5-checksummed repos, on FIPS
https://pulp.plan.io/issues/9627
2021-12-09T18:59:35Z ggainey
<p>See associated BZ for details, reproducer</p>

RPM Support - Test #9622 (MODIFIED): Add a repo signed using 'sha' as alias for 'sha1'
https://pulp.plan.io/issues/9622
2021-12-08T19:00:00Z ggainey
<p>'sha' support exists in the wild, is the same as 'sha1', and has broken us several times now. Let's make it possible to write tests for it.</p>

Pulp - Story #9621 (CLOSED - CURRENTRELEASE): As a user I can pass environment variables to the s...
https://pulp.plan.io/issues/9621
2021-12-08T18:14:33Z ipanova@redhat.com ipanova@redhat.com

Container Support - Task #9618 (CLOSED - CURRENTRELEASE): Adjust code to work with recent group p...
https://pulp.plan.io/issues/9618
2021-12-08T16:34:14Z mdellweg

Migration Plugin - Backport #9612 (MODIFIED): Backport #8968 "'NoneType' object has no attribute ...
https://pulp.plan.io/issues/9612
2021-12-07T18:13:47Z ttereshc ttereshc@redhat.com
<p>Backtrace:</p>
<pre>
"error"=>
{"traceback"=>
" File \"/usr/lib/python3.6/site-packages/rq/worker.py\", line 936, in perform_job\n" +
" rv = job.perform()\n" +
" File \"/usr/lib/python3.6/site-packages/rq/job.py\", line 684, in perform\n" +
" self._result = self._execute()\n" +
" File \"/usr/lib/python3.6/site-packages/rq/job.py\", line 690, in _execute\n" +
" return self.func(*self.args, **self.kwargs)\n" +
" File \"/usr/lib/python3.6/site-packages/pulp_2to3_migration/app/tasks/migrate.py\", line 76, in migrate_from_pulp2\n" +
" pre_migrate_all_without_content(plan)\n" +
" File \"/usr/lib/python3.6/site-packages/pulp_2to3_migration/app/pre_migration.py\", line 493, in pre_migrate_all_without_content\n" +
" pre_migrate_importer(repo_id, importer_types)\n" +
" File \"/usr/lib/python3.6/site-packages/pulp_2to3_migration/app/pre_migration.py\", line 601, in pre_migrate_importer\n" +
" importer.pulp3_remote.delete()\n",
"description"=>"'NoneType' object has no attribute 'delete'"},
"worker"=>"/pulp/api/v3/workers/fc6ba1d6-ddc6-494d-9385-2368544a09ef/",
</pre>
<p>This happened on Katello 3.18.3 which uses:</p>
<pre>
pulp-2to3-migration (0.11.1)
pulp-certguard (1.0.3)
pulp-container (2.1.2)
pulp-deb (2.7.0)
pulp-file (1.3.0)
pulp-rpm (3.10.0)
pulpcore (3.7.6)
</pre>

Pulp - Issue #9608 (CLOSED - CURRENTRELEASE): Deprecation warning in Roles doesn't include enough...
https://pulp.plan.io/issues/9608
2021-12-06T20:16:41Z bmbouter bmbouter@redhat.com
<p>Anyone running pclean (or a user at upgrade time) on <code>pulp:main</code> would see this warning:</p>
<p><code>pulp [None]: pulpcore.deprecation:WARNING: The 'permissions' field in 'creation_hooks' is deprecated and may be removed with pulpcore 3.20. Use the 'parameters' field instead.</code></p>
<p>This is telling us that we haven't ported the AccessPolicy for ContentGuard, except that it doesn't indicate that it's about ContentGuard. These messages should be improved.</p>

Pulp - Task #9604 (CLOSED - CURRENTRELEASE): As a developer, I can easily add add/remove/list Rol...
https://pulp.plan.io/issues/9604
2021-12-03T17:33:08Z bmbouter bmbouter@redhat.com
<a name="Problem"></a>
<h2>Problem</h2>
<p>Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions.</p>
<a name="Design"></a>
<h2>Design</h2>
<p>Create the following API calls that would be nested under any given viewset, e.g. TaskViewset.</p>
<ul>
<li>
<p><code>add_role</code> - If on a detail view, add the role the user specifies to the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, add the role the user specifies to the group or groups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected.</p>
</li>
<li>
<p><code>remove_role</code> - If on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. If no users or groups had that role no error is expected.</p>
</li>
<li>
<p><code>list_roles</code> - List the roles that could have at least one permission that is meaningful for this object type.</p>
</li>
<li>
<p><code>my_permissions</code> - If on a detail view, lists the effective object-level permissions a user has through both direct and group-based membership. If not on a detail view, lists the effective model level permissions a user has through both direct and group-based membership.</p>
</li>
</ul>
<p>Create a <code>RoleMixin</code> that allows developers to add ^ endpoint to any Viewset easily.</p>
<a name="Authorization-details"></a>
<h2>Authorization details</h2>
<ul>
<li>
<p>The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, <code>core.manage_roles_task</code> would be a reasonable name for managing the permissions of a <code>Task</code>.</p>
</li>
<li>
<p>The developer needs to add to their access policy the specific calls to use that new permission to authorize only users who have these calls to make the calls to <code>list_roles</code>, <code>add_role</code>, and <code>remove_role</code>. For example, for <code>core.manage_roles_task</code> that would look like:</p>
</li>
</ul>
<pre><code>{
    "action": ["list_roles", "add_role", "remove_role"],
    "principal": "authenticated",
    "effect": "allow",
    "condition": "has_model_or_obj_perms:core.manage_roles_task",
},
</code></pre>
<p>It is expected the drf-access-policy would allow any authenticated user to list <code>my_permissions</code>.</p>

Pulp - Issue #9595 (CLOSED - CURRENTRELEASE): HEAD requests on the artefacts from S3 storage reci...
https://pulp.plan.io/issues/9595
2021-12-01T13:01:52Z ipanova@redhat.com ipanova@redhat.com
<pre><code>(pulp) [vagrant@pulp3-source-fedora34 _scripts]$ http https://pulp3-source-fedora34.fluffy.example.com/pulp/api/v3/distributions/file/file/9034d885-babb-4d19-81b3-091bd9f63a7f/
HTTP/1.1 200 OK
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Connection: keep-alive
Content-Length: 398
Content-Type: application/json
Correlation-ID: c5d10e5eaf7c40518b04130e3a2b22d3
Date: Wed, 01 Dec 2021 12:41:05 GMT
Referrer-Policy: same-origin
Server: nginx/1.20.1
Strict-Transport-Security: max-age=15768000
Vary: Accept, Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
{
"base_path": "vewtf",
"base_url": "https://pulp3-source-fedora34.fluffy.example.com/pulp/content/vewtf/",
"content_guard": null,
"name": "cizwr",
"publication": "/pulp/api/v3/publications/file/file/10c34224-83ff-40b5-a47e-1453a13cbc88/",
"pulp_created": "2021-12-01T12:34:22.111939Z",
"pulp_href": "/pulp/api/v3/distributions/file/file/9034d885-babb-4d19-81b3-091bd9f63a7f/",
"pulp_labels": {},
"repository": null
}
(pulp) [vagrant@pulp3-source-fedora34 _scripts]$ http https://pulp3-source-fedora34.fluffy.example.com/pulp/content/vewtf/
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 343
Content-Type: text/html; charset=utf-8
Date: Wed, 01 Dec 2021 12:41:14 GMT
Server: nginx/1.20.1
Strict-Transport-Security: max-age=15768000
X-PULP-CACHE: HIT
<!DOCTYPE html>
<html>
<body>
<ul>
<li><a href="PULP_MANIFEST">PULP_MANIFEST</a></li>
<li><a href="test_upload.txt">test_upload.txt</a></li>
</ul>
</body>
</html>
(pulp) [vagrant@pulp3-source-fedora34 _scripts]$ http --follow HEAD https://pulp3-source-fedora34.fluffy.example.com/pulp/content/vewtf/test_upload.txt
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 0
Content-Security-Policy: block-all-mixed-content
Date: Wed, 01 Dec 2021 12:41:20 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin, Accept-Encoding
X-Amz-Request-Id: 16BCA1FED0CD6B9E
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
(pulp) [vagrant@pulp3-source-fedora34 _scripts]$ http --follow GET https://pulp3-source-fedora34.fluffy.example.com/pulp/content/vewtf/test_upload.txt
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Disposition: attachment;filename=test_upload.txt
Content-Length: 11
Content-Security-Policy: block-all-mixed-content
Content-Type: text/plain
Date: Wed, 01 Dec 2021 12:41:28 GMT
ETag: "eef16594e73fc257de8125c7f1727a95"
Last-Modified: Wed, 01 Dec 2021 12:34:12 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 16BCA200B53E2618
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
rzwdbspfbe
(pulp) [vagrant@pulp3-source-fedora34 _scripts]$
</code></pre>
<p>Presigned URLs allow one type of HTTP request method, which is defined at their creation time. By default, Boto3 creates presigned URLs that <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html#presigned-urls" class="external">permit only the HTTP GET method</a>; however, the request method can be <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html#using-presigned-urls-to-perform-other-s3-operations" class="external">specified</a>. This is exposed in <code>django-storages</code> <code>S3Boto3Storage.url</code> as <a href="https://github.com/jschneier/django-storages/blob/master/storages/backends/s3boto3.py#L567" class="external">http_method</a>.</p>

Pulp - Issue #9590 (MODIFIED): Pulp CI badges are no longer valid
https://pulp.plan.io/issues/9590
2021-11-30T15:50:22Z lmjachky
<p>Current Pulp CI status badges are no longer valid after merging the commit <a href="https://github.com/pulp/pulpcore/commit/dae72fa404de50b347d877c89c1a269937ab27b0#diff-b803fcb7f17ed9235f1e5cb1fcd2f5d3b2838429d4368ae4c57ce4436577f03fL13-L15" class="external">https://github.com/pulp/pulpcore/commit/dae72fa404de50b347d877c89c1a269937ab27b0#diff-b803fcb7f17ed9235f1e5cb1fcd2f5d3b2838429d4368ae4c57ce4436577f03fL13-L15</a> (we did not want to run the CI pipeline once again after merging changes).</p>
<p>Removing status badges from all repositories should be sufficient to resolve the problem. Having only Pulp Nightly CI/CD badges available is good enough (<a href="https://github.com/pulp/pulp-ci" class="external">https://github.com/pulp/pulp-ci</a>).</p>

Pulp - Issue #9588 (CLOSED - CURRENTRELEASE): RBAC: Groups cannot use creation_hooks
https://pulp.plan.io/issues/9588
2021-11-26T08:28:47Z mdellweg
<p>As <code>Group</code> is not a pulpcore model, it does not inherit from <code>DjangoLifecycleMixin</code> and <code>AutoAddObjPermsMixin</code>. Therefore, the <code>creation_hooks</code> are not executed.</p>
<p>Possible solution: Create a proxy model that does not add another database table.</p>

Pulp - Task #9498 (CLOSED - CURRENTRELEASE): Rework RBAC content guard to work with roles
https://pulp.plan.io/issues/9498
2021-10-07T13:05:52Z mdellweg

RPM Support - Story #8741 (CLOSED - CURRENTRELEASE): Full support for "static_context" in modulem...
https://pulp.plan.io/issues/8741
2021-05-13T01:13:31Z dalley dalley@redhat.com
<p>In libmodulemd, it is planned to introduce an extension to version 2 of modulemd documents which differs slightly from the current v2. A new, optional field is added, called "static_context", described thusly:</p>
<pre><code> # context:
# Module context flag
# The context flag serves to distinguish module builds with the
# same name, stream and version and plays an important role in
# automatic module stream name expansion.
#
# If 'static_context' is unset or equal to FALSE:
# Filled in by the buildsystem. A short hash of the module's name,
# stream, version and its expanded runtime dependencies. The exact
# mechanism for generating the hash is unspecified.
#
# Type: AUTOMATIC
#
# Mandatory for module metadata in a yum/dnf repository.
#
# If 'static_context' is set to True:
# The context flag is a string of up to thirteen [a-zA-Z0-9_] characters
# representing a build and runtime configuration for this stream. This
# string is arbitrary but must be unique in this module stream.
#
# Type: MANDATORY
static_context: false
context: c0ffee43
</code></pre>
<p>Source: <a href="https://github.com/fedora-modularity/libmodulemd/commit/2000e88d48a7b8d9fba1f7866d3709035dd2b957#diff-f693f5c1bd57e7782999ed7d59a4e2cdb1548c6d5e2e4663265f2165a949effeR81-R96" class="external">https://github.com/fedora-modularity/libmodulemd/commit/2000e88d48a7b8d9fba1f7866d3709035dd2b957#diff-f693f5c1bd57e7782999ed7d59a4e2cdb1548c6d5e2e4663265f2165a949effeR81-R96</a></p>
<p>(see that commit also for document examples, and the names of libmodulemd functions)</p>
<p>See also: <a href="https://github.com/fedora-modularity/libmodulemd/commit/0132015b5729b6077d49fc5beb2c662a563c6e6d#diff-f693f5c1bd57e7782999ed7d59a4e2cdb1548c6d5e2e4663265f2165a949effe" class="external">https://github.com/fedora-modularity/libmodulemd/commit/0132015b5729b6077d49fc5beb2c662a563c6e6d#diff-f693f5c1bd57e7782999ed7d59a4e2cdb1548c6d5e2e4663265f2165a949effe</a></p>
<p>Basic support is added in a previous issue (linked).</p>
<p>For full support, we need to analyze the impacts of this new flag on dependency solving, and ensure that we do the correct thing, and potentially implement the new behavior.</p>

Maven Plugin - Issue #8678 (MODIFIED): Provide 'view_name' warning when using the all in one cont...
https://pulp.plan.io/issues/8678
2021-04-30T19:17:03Z gerrod
<p>A user from pulp-dev was worried about this warning message appearing after changing the admin password to the all in one container. Pretty sure it's harmless, but it can scare users thinking that their installation isn't correct.</p>
<p><code>pulpcore.app.serializers.base:WARNING: Please provide either 'view_name' or 'view_name_pattern' for DetailRelatedField on _call_with_frames_removed.</code></p>

Pulp - Issue #8610 (CLOSED - CURRENTRELEASE): PulpImporter assumes tempfiles can always go to /tmp
https://pulp.plan.io/issues/8610
2021-04-21T19:44:37Z ggainey
<p>importer.pulp_import uses tempfile.TemporaryDirectory() in places like this:</p>
<p><a href="https://github.com/pulp/pulpcore/blob/master/pulpcore/app/tasks/importer.py#L118" class="external">https://github.com/pulp/pulpcore/blob/master/pulpcore/app/tasks/importer.py#L118</a></p>
<p>If your /tmp is small, and your export is Large, this can cause Bad Things to happen.</p>
<p>We should perhaps set dir= to the workers work-directory?</p>