Issue #411

authentication failed for user with a consumer admin role

Added by ashbyj@imsweb.com about 7 years ago. Updated about 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Version: 2.3
Platform Release: 2.4.3
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Documentation, Pulp 2

Description

Description of problem:

I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories. I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:

pulp-consumer -u admin -p password register --consumer-id hostname

I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.

Version-Release number of selected component (if applicable):

I’m running pulp 2.3 and CentOS 6.5 on both the server and consumer. Stock install of pulp, except I did change some SSL certs to use our company's root CA.

How reproducible:
every time

Steps to Reproduce:
1. Create user and role:

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -execute

2. Attempt to register new consumer:

me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04

Actual results:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.

Expected results:
successful registration of consumer

Additional info:

me@pulpserver:~> pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------

Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer Admins
Description: Consumer registration and repo binding
Users: consumer-admin
Permissions:
/consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

Here is the last bit of /var/log/pulp/pulp.log from the server:

...snip...
File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed

Also, the "Authentication failed" error message on the consumer should probably say "permission denied". Thanks for the help.

+ This bug was cloned from Bugzilla Bug #1081534 +

Actions #1

Updated by ashbyj@imsweb.com about 7 years ago

typo above. Step 1's last line should read:

pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute

+ This comment was cloned from Bugzilla #1081534 comment 1 +

Actions #2

Updated by skarmark@redhat.com about 7 years ago

The resource needed to be '/v2/consumers/'. Both v2 and trailing slash are important. We probably need to clarify that in our documentation.

+ This comment was cloned from Bugzilla #1081534 comment 2 +

Actions #3

Updated by mhrivnak about 7 years ago

Document in user guide that:
- "/v2" is required
- what are the possible resource identifiers
- when is a trailing slash required, and mention this in the troubleshooting section

+ This comment was cloned from Bugzilla #1081534 comment 3 +

Actions #4

Updated by ashbyj@imsweb.com about 7 years ago

Thanks, I was able to grant the minimal permissions with this:

pulp-admin auth permission grant --resource='/v2/consumers/' --role-id=consumer-admin  -o create -o read -o update -o delete -o execute

Regarding the trailing slash, could you put in a check for it and add the trailing slash if the user did not supply it in the --resource argument? Or would there be situations where a trailing slash is not desired or would cause breakage?

Perhaps checking the supplied resource argument against "what are the possible resource identifiers" list and spitting out an error message with possible resource identifiers would be helpful.

+ This comment was cloned from Bugzilla #1081534 comment 4 +
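The resource path rules discussed in comments #2 through #4 (the "/v2" prefix, the trailing slash, and the request for a client-side check against a list of known resource identifiers), as an added example that is not part of this issue or of Pulp's own code. It models a role's permissions as a map from the granted resource string to a set of operations, and treats a request as authorized when the operation is granted on the requested path or on any parent path up to "/". That hierarchy is an assumption, chosen because it reproduces the three outcomes visible in the thread: a grant on "/" (the super-users role) authorizes the admin user, a grant on "/consumers" does not authorize the POST to /pulp/api/v2/consumers/ seen in consumer.log, and a grant on "/v2/consumers/" does. The "/pulp/api" mount point is taken from that traceback; KNOWN_RESOURCES and the normalize/validate helpers are hypothetical.

```python
"""Illustrative model of path-based resource permissions (added example, not Pulp code).

Assumptions not stated in the issue: permissions are keyed by the exact string
that was granted, and a request is authorized if the operation is granted on
the requested resource or on any parent path up to "/".
"""
from typing import Dict, Iterable, Set

OPERATIONS = ("CREATE", "READ", "UPDATE", "DELETE", "EXECUTE")
API_PREFIX = "/pulp/api"  # mount point seen in the consumer.log traceback

# Hypothetical list of resource identifiers for the CLI-side check asked for in
# comment #4; the real set is whatever the server actually exposes.
KNOWN_RESOURCES: Set[str] = {
    "/v2/consumers/", "/v2/repositories/", "/v2/users/", "/v2/roles/", "/v2/permissions/",
}


def parent_paths(resource: str) -> Iterable[str]:
    """Yield the resource itself, then each parent directory up to "/".

    "/v2/consumers/" -> "/v2/consumers/", "/v2/", "/"
    "/consumers"     -> "/consumers", "/"
    """
    path = resource
    while True:
        yield path
        if path == "/":
            return
        trimmed = path.rstrip("/")
        path = trimmed[: trimmed.rfind("/") + 1] or "/"


def is_authorized(permissions: Dict[str, Set[str]], resource: str, operation: str) -> bool:
    """True if `operation` is granted on `resource` or on any of its parents."""
    return any(operation in permissions.get(path, set()) for path in parent_paths(resource))


def request_resource(request_path: str) -> str:
    """Strip the API mount point: "/pulp/api/v2/consumers/" -> "/v2/consumers/"."""
    if request_path.startswith(API_PREFIX):
        return request_path[len(API_PREFIX):]
    return request_path


def normalize_resource(resource: str) -> str:
    """Client-side helper (hypothetical): add the leading "/v2" and the trailing
    slash when the caller omitted them, so "/consumers" becomes "/v2/consumers/".
    The root "/" is left alone because a grant on it is legitimate (super-users)."""
    res = resource if resource.startswith("/") else "/" + resource
    if res not in ("/", "/v2") and not res.startswith("/v2/"):
        res = "/v2" + res
    if not res.endswith("/"):
        res += "/"
    return res


def validate_resource(resource: str, known: Set[str] = KNOWN_RESOURCES) -> str:
    """Normalize, then reject a grant that no known identifier falls under, listing
    the known identifiers in the error (the behaviour suggested in comment #4)."""
    res = normalize_resource(resource)
    if res != "/" and not any(k.startswith(res) for k in known):
        raise ValueError(f"unknown resource {resource!r}; known identifiers: {sorted(known)}")
    return res


def demo() -> Dict[str, bool]:
    """Reproduce the three outcomes from the issue for a CREATE (POST) on consumers."""
    ops = set(OPERATIONS)
    roles = {
        "super-users": {"/": ops},                    # admin: grant on the root
        "wrong-grant": {"/consumers": ops},           # the grant from the original report
        "consumer-admin": {"/v2/consumers/": ops},    # the grant that worked in comment #4
    }
    resource = request_resource("/pulp/api/v2/consumers/")  # path from consumer.log
    return {name: is_authorized(perms, resource, "CREATE") for name, perms in roles.items()}


if __name__ == "__main__":
    for role, allowed in demo().items():
        print(f"{role}: {'allowed' if allowed else 'denied'}")
```

Under this model a grant stored without the trailing slash is simply an exact-match key that no request will ever walk through, which is why it fails silently and why a check at grant time is worth having. Auto-appending the slash is only safe if every API resource path ends with one, as the model assumes; a server that also exposed slash-less resources would need the validation against the known list rather than blind normalization.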

Actions #5

Updated by rbarlow about 7 years ago

I filed a separate issue[0] to track the use of the word authentication here.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1150128

+ This comment was cloned from Bugzilla #1081534 comment 5 +

Actions #6

Updated by rbarlow about 7 years ago

In order to fix this issue, we will need to combine our dev and user guides into a single Sphinx project so that we can link from one to the other. We don't want to do that at this moment, so I am delaying working on this for now.

+ This comment was cloned from Bugzilla #1081534 comment 6 +

Actions #7

Updated by rbarlow about 7 years ago

The docs are all merged on our master branch, but there are higher priority issues for me to work on at the moment so I'm putting this down.

+ This comment was cloned from Bugzilla #1081534 comment 7 +

Actions #9

Updated by dkliban@redhat.com about 7 years ago

Had to change the branch to which the pull request was issued to

https://github.com/pulp/pulp/pull/1325

+ This comment was cloned from Bugzilla #1081534 comment 9 +

Actions #10

Updated by rbarlow about 7 years ago

This is fixed in 2.4.4-0.1.beta.

+ This comment was cloned from Bugzilla #1081534 comment 10 +

Actions #11

Updated by igulina@redhat.com about 7 years ago

Failed QA

rpm -qa | grep pulp-server

pulp-server-2.4.4-0.1.beta.el7.noarch

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"

Role [consumer-admin] successfully created

pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"

Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

pulp-admin auth role user add --login consumer-admin --role-id consumer-admin

User [consumer-admin] successfully added to role [consumer-admin]

pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute

Permissions [/consumers : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]

sudo pulp-consumer -u consumer-admin -p admin register --consumer-id test04

Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.

pulp-admin auth role list --details

--------------------------------------------------------------------
Roles
--------------------------------------------------------------------

Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
/consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

less ./.pulp/consumer.log

2014-12-07 17:58:33,337 - ERROR - Client-side exception occurred
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
exit_code = Cli.run(self, args)
File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
exit_code = command_or_section.execute(self.prompt, remaining_args)
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
return self.method(*arg_list, **clean_kwargs)
File "/usr/lib/python2.7/site-packages/pulp/client/consumer/cli.py", line 190, in register
rsa_pub=rsa_pub)
File "/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py", line 47, in register
return self.server.POST (path, body)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 151, in _request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 192, in _handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: RequestException: POST request on /pulp/api/v2/consumers/ failed with 401 - Pulp exception occurred: AuthenticationFailed

+ This comment was cloned from Bugzilla #1081534 comment 11 +

Actions #12

Updated by rbarlow about 7 years ago

Hi Irina!

According to the PR docs and Sayli's comments, it looks like the permissions need to be granted on /v2/consumers/ and not /consumers. Can you re-check it with /v2/consumers/?

+ This comment was cloned from Bugzilla #1081534 comment 12 +

Actions #13

Updated by igulina@redhat.com about 7 years ago

Hi Randy!

My bad, I didn't read the comments carefully. Sorry! Right, I remember a doc bug on trailing slashes.

Here it is for /v2/consumers/

rpm -qa | grep pulp-server

pulp-server-2.4.4-0.4.rc.el7.noarch

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"

Role [consumer-admin] successfully created

pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"

Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
Passwords do not match

Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created

pulp-admin auth role user add --login consumer-admin --role-id consumer-admin

User [consumer-admin] successfully added to role [consumer-admin]

pulp-admin auth permission grant --resource /v2/consumers/ --role-id consumer-admin -o create -o read -o update -o delete -o execute

Permissions [/v2/consumers/ : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]

sudo pulp-consumer -u consumer-admin -p admin register --consumer-id KESHA

Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.

sudo pulp-consumer -u consumer-admin -p 123456 register --consumer-id KESHA

Consumer [KESHA] successfully registered

pulp-admin auth role list --details

--------------------------------------------------------------------
Roles
--------------------------------------------------------------------

Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
/v2/consumers/: CREATE, READ, UPDATE, DELETE, EXECUTE

pulp-consumer status

This consumer is registered to the server
[ip-XXX] with the ID [KESHA].

+ This comment was cloned from Bugzilla #1081534 comment 13 +

Actions #14

Updated by bmbouter about 7 years ago

  • Category deleted (1)
  • Tags Documentation added

Documentation is now a Tag not a Category.

Actions #15

Updated by bmbouter about 7 years ago

  • Severity changed from Medium to 2. Medium

Actions #16

Updated by dkliban@redhat.com over 6 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

Actions #18

Updated by bmbouter about 3 years ago

  • Tags Pulp 2 added
