Issue #1078
closed
Unable to remove a remove a user from "super-users" role
Description
try the following sequence of commands on a clean pulp install
$ pulp-admin auth user create --login=brian --password=redhat
User [brian] successfully created
$ pulp-admin auth role user add --role-id=super-users --login=brian
User [brian] successfully added to role [super-users]
$ pulp-admin auth role user remove --role-id=super-users --login=brian
An internal error occurred on the Pulp server:
RequestException: DELETE request
on /pulp/api/v2/roles/super-users/users/brian/ failed with 500 - 'permission'
When the -vv option was used I got
$ pulp-admin -vv auth role user remove --role-id=super-users --login=brian
2015-06-23 15:53:51,574 - DEBUG - sending DELETE request to /pulp/api/v2/roles/super-users/users/brian/
2015-06-23 15:53:51,642 - INFO - DELETE request to /pulp/api/v2/roles/super-users/users/brian/ with parameters None
2015-06-23 15:53:51,642 - INFO - Response status : 500
2015-06-23 15:53:51,642 - INFO - Response body :
{
"exception": [
"KeyError: 'permission'\n"
],
"traceback": [
" File \"/usr/lib/python2.7/site-packages/django/core/handlers/base.py\", line 112, in get_response\n response = wrapped_callback(request, *callback_args, **callback_kwargs)\n",
" File \"/usr/lib/python2.7/site-packages/django/views/generic/base.py\", line 69, in view\n return self.dispatch(request, *args, **kwargs)\n",
" File \"/usr/lib/python2.7/site-packages/django/views/generic/base.py\", line 87, in dispatch\n return handler(request, *args, **kwargs)\n",
" File \"/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py\", line 237, in _auth_decorator\n return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)\n",
" File \"/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py\", line 191, in _verify_auth\n value = method(self, *args, **kwargs)\n",
" File \"/usr/lib/python2.7/site-packages/pulp/server/webservices/views/roles.py\", line 228, in delete\n remove_user = role_manager.remove_user_from_role(role_id, login)\n",
" File \"/usr/lib/python2.7/site-packages/pulp/server/managers/auth/role/cud.py\", line 304, in remove_user_from_role\n item['permission'],\n"
],
"_href": "/pulp/api/v2/roles/super-users/users/brian/",
"error_message": "'permission'",
"http_request_method": "DELETE",
"http_status": 500
}
2015-06-23 15:53:51,643 - ERROR - Exception occurred:
href: /pulp/api/v2/roles/super-users/users/brian/
method: DELETE
status: 500
error: 'permission'
traceback: [u' File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response\n response = wrapped_callback(request, *callback_args, **callback_kwargs)\n', u' File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view\n return self.dispatch(request, *args, **kwargs)\n', u' File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch\n return handler(request, *args, **kwargs)\n', u' File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 237, in _auth_decorator\n return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)\n', u' File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 191, in _verify_auth\n value = method(self, *args, **kwargs)\n', u' File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/roles.py", line 228, in delete\n remove_user = role_manager.remove_user_from_role(role_id, login)\n', u' File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/role/cud.py", line 304, in remove_user_from_role\n item[\'permission\'],\n']
data: {}
An internal error occurred on the Pulp server:
RequestException: DELETE request
on /pulp/api/v2/roles/super-users/users/brian/ failed with 500 - 'permission'
Here is the /var/log/messages
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: Unhandled Exception
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) 'permission'
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) Traceback (most recent call last):
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) response = wrapped_callback(request, *callback_args, **callback_kwargs)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) return self.dispatch(request, *args, **kwargs)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) return handler(request, *args, **kwargs)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 237, in _auth_decorator
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 191, in _verify_auth
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) value = method(self, *args, **kwargs)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/roles.py", line 228, in delete
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) remove_user = role_manager.remove_user_from_role(role_id, login)
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/role/cud.py", line 304, in remove_user_from_role
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) item['permission'],
Jun 23 15:55:21 katello-kant pulp: pulp.server.webservices.middleware.exception:ERROR: (23037-04096) KeyError: 'permission'
Updated by dkliban@redhat.com over 9 years ago
It looks like there is a typo here [0]. The database has 'permissions' and the code is looking for 'permission'.
[0] https://github.com/pulp/pulp/blob/2.7-testing/server/pulp/server/managers/auth/role/cud.py#L304
Updated by dkliban@redhat.com over 9 years ago
Now that I have had a closer look, it seems like all the references to reading that field use the singular version. So perhaps the better fix is modifying the code that writes it to the database.
Updated by bcourt over 9 years ago
- Priority changed from Normal to High
- Severity changed from 2. Medium to 3. High
- Triaged changed from No to Yes
Updated by ipanova@redhat.com over 9 years ago
the role looks like this in database
> db.roles.find()
{ "_id" : ObjectId("5576929045ef480de503ce9a"), "display_name" : "Super Users", "description" : "Role indicates users with admin privileges", "_ns" : "roles", "id" : "super-users", "permissions" : [ { "resource" : "/", "permission" : [ 0, 1, 2, 3, 4 ] } ] }
The 'permission' key is correct in the code https://github.com/pulp/pulp/blob/2.7-testing/server/pulp/server/managers/auth/role/cud.py#L304
Strange thing that the reporter of this bug had the 'resource' key but not the 'permission' key. How this happened?
Anyway, i was not able to reproduce the bug:
$ pulp-admin auth role list
+----------------------------------------------------------------------+
Roles
+----------------------------------------------------------------------+
Id: super-users
Users: admin
Id: r1
Users:
Id: test-role
Users:
[ipanova@ina pulp]$ pulp-admin -vv auth role user add --role-id super-users --login ina
2015-06-29 15:31:24,395 - DEBUG - sending POST request to /pulp/api/v2/roles/super-users/users/
2015-06-29 15:31:24,596 - INFO - POST request to /pulp/api/v2/roles/super-users/users/ with parameters {"login": "ina"}
2015-06-29 15:31:24,596 - INFO - Response status : 200
2015-06-29 15:31:24,596 - INFO - Response body :
null
User [ina] successfully added to role [super-users]
[ipanova@ina pulp]$ pulp-admin -vv auth role user remove --role-id super-users --login ina
2015-06-29 15:31:30,614 - DEBUG - sending DELETE request to /pulp/api/v2/roles/super-users/users/ina/
2015-06-29 15:31:30,735 - INFO - DELETE request to /pulp/api/v2/roles/super-users/users/ina/ with parameters None
2015-06-29 15:31:30,735 - INFO - Response status : 200
2015-06-29 15:31:30,735 - INFO - Response body :
null
User [ina] successfully removed from role [super-users]
Updated by dkliban@redhat.com over 9 years ago
I was not able to reproduce on the latest branch either. We should be able to close this bug when the new 2.7.0 beta is released.
Updated by sbhawsin over 9 years ago
- Status changed from NEW to POST
- Assignee set to sbhawsin
Updated by ipanova@redhat.com over 9 years ago
The reason we were not able to reproduce this bug consists in the fact that we already had super user role in db.
Seems like the issue consisted in the fact, that on fresh install when super-user role was created it had wrong key 'permissions' instead of 'permission'. And when you will try to remove the user from super-users, it will be checked that you are not removing the last user from super-user role. And then we will hit this key error.
Added by sbhawsin over 9 years ago
Added by sbhawsin over 9 years ago
Updated by sbhawsin over 9 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|d4fb1b28fc16a55cab3536096566e540ded26aa9.
Updated by dkliban@redhat.com about 9 years ago
- Status changed from MODIFIED to 5
Updated by pthomas@redhat.com about 9 years ago
- Status changed from 5 to 6
verified
[root@ibm-x3550m3-06 ~]# pulp-admin auth user create --login=preethi --password=redhat
User [preethi] successfully created
[root@ibm-x3550m3-06 ~]# pulp-admin auth role user add --role-id=super-users --login=preethi
User [preethi] successfully added to role [super-users]
[root@ibm-x3550m3-06 ~]# pulp-admin auth role user remove --role-id=super-users --login=preethi
User [preethi] successfully removed from role [super-users]
Updated by amacdona@redhat.com about 9 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
Updated by bmbouter over 4 years ago
- Category deleted (
14)
We are removing the 'API' category per open floor discussion June 16, 2020.
.
Fixed: Unable to remove a user from super-user role
https://pulp.plan.io/issues/1078
closes #1078