Issue #411
closed
authentication failed for user with a consumer admin role
Description
Description of problem:
I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories. I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:
pulp-consumer -u admin -p password register --consumer-id hostname
I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.
Version-Release number of selected component (if applicable):
I’m running pulp 2.3 and CentOS 6.5 on both the server and consumer. Stock install of pulp, except I did change some SSL certs to use our company's root CA.
How reproducible:
every time
Steps to Reproduce:
1. Create user and role:
pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -execute
2. Attempt to register new consumer:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Actual results:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
Expected results:
successful registration of consumer
Additional info:
me@pulpserver:~> pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------
Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE
Id: consumer-admin
Display Name: Consumer Admins
Description: Consumer registration and repo binding
Users: consumer-admin
Permissions:
/consumers: CREATE, READ, UPDATE, DELETE, EXECUTE
Here is the last bit of /var/log/pulp/pulp.log from the server:
...snip...
File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed
Also, the "Authentication failed" error message on the consumer should probably say "permission denied". Thanks for the help.
+ This bug was cloned from Bugzilla Bug #1081534 +
Updated by ashbyj@imsweb.com about 9 years ago
typo above. Step 1's last line should read:
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
+ This comment was cloned from Bugzilla #1081534 comment 1 +
Updated by skarmark@redhat.com about 9 years ago
The resource needed to be '/v2/consumers/'. Both v2 and trailing slash are important. We probably need to clarify that in our documentation.
+ This comment was cloned from Bugzilla #1081534 comment 2 +
Updated by mhrivnak about 9 years ago
Document in user guide that:
- "/v2" is required
- what are the possible resource identifiers
- when is a trailing slash required, and mention this in the troubleshooting section
+ This comment was cloned from Bugzilla #1081534 comment 3 +
Updated by ashbyj@imsweb.com about 9 years ago
Thanks, I was able to grant the minimal permissions with this:
pulp-admin auth permission grant --resource='/v2/consumers/' --role-id=consumer-admin -o create -o read -o update -o delete -o execute
Regarding the trailing slash, could you put in a check for it and add the trailing slash if the user did not supply it in the --resource argument? Or would there be situations where a trailing slash is not desired or would cause breakage?
Perhaps checking the supplied resource argument against "what are the possible resource identifiers" list and spitting out an error message with possible resource identifiers would be helpful.
+ This comment was cloned from Bugzilla #1081534 comment 4 +
Updated by rbarlow about 9 years ago
I filed a separate issue[0] to track the use of the word authentication here.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1150128
+ This comment was cloned from Bugzilla #1081534 comment 5 +
Updated by rbarlow about 9 years ago
In order to fix this issue, we will need to combine our dev and user guides into a single Sphinx project so that we can link from one to the other. We don't want to do that at this moment, so I am delaying working on this for now.
+ This comment was cloned from Bugzilla #1081534 comment 6 +
Updated by rbarlow about 9 years ago
The docs are all merged on our master branch, but there are higher priority issues for me to work on at the moment so I'm putting this down.
+ This comment was cloned from Bugzilla #1081534 comment 7 +
Updated by dkliban@redhat.com about 9 years ago
https://github.com/pulp/pulp/pull/1324
+ This comment was cloned from Bugzilla #1081534 comment 8 +
Updated by dkliban@redhat.com about 9 years ago
Had to change the branch to which the pull request was issued to
https://github.com/pulp/pulp/pull/1325
+ This comment was cloned from Bugzilla #1081534 comment 9 +
Updated by rbarlow about 9 years ago
This is fixed in 2.4.4-0.1.beta.
+ This comment was cloned from Bugzilla #1081534 comment 10 +
Updated by igulina@redhat.com about 9 years ago
Failed QA
rpm -qa | grep pulp-server
pulp-server-2.4.4-0.1.beta.el7.noarch
pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/consumers : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]
sudo pulp-consumer -u consumer-admin -p admin register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------
Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE
Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
/consumers: CREATE, READ, UPDATE, DELETE, EXECUTE
less ./.pulp/consumer.log
2014-12-07 17:58:33,337 - ERROR - Client-side exception occurred
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/core.py", line 478, in run
exit_code = Cli.run(self, args)
File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
exit_code = command_or_section.execute(self.prompt, remaining_args)
File "/usr/lib/python2.7/site-packages/pulp/client/extensions/extensions.py", line 224, in execute
return self.method(*arg_list, **clean_kwargs)
File "/usr/lib/python2.7/site-packages/pulp/client/consumer/cli.py", line 190, in register
rsa_pub=rsa_pub)
File "/usr/lib/python2.7/site-packages/pulp/bindings/consumer.py", line 47, in register
return self.server.POST (path, body)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 99, in POST
return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 151, in _request
self._handle_exceptions(response_code, response_body)
File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 192, in _handle_exceptions
raise code_class_mappings[response_code](response_body)
PermissionsException: RequestException: POST request on /pulp/api/v2/consumers/ failed with 401 - Pulp exception occurred: AuthenticationFailed
+ This comment was cloned from Bugzilla #1081534 comment 11 +
Updated by rbarlow about 9 years ago
Hi Irina!
According to the PR docs and Sayli's comments, it looks like the permissions need to be granted on /v2/consumers/ and not /consumers. Can you re-check it with /v2/consumers/?
+ This comment was cloned from Bugzilla #1081534 comment 12 +
Updated by igulina@redhat.com about 9 years ago
Hi Randy!
My bad I didn't read comments carefully. Sorry! Right, I remember a doc bug on trailing slashes.
Here it is for /v2/consumers/
rpm -qa | grep pulp-server
pulp-server-2.4.4-0.4.rc.el7.noarch
pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
Role [consumer-admin] successfully created
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
Passwords do not match
Enter password for user [consumer-admin] :
Re-enter password for user [consumer-admin]:
User [consumer-admin] successfully created
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
User [consumer-admin] successfully added to role [consumer-admin]
pulp-admin auth permission grant --resource /v2/consumers/ --role-id consumer-admin -o create -o read -o update -o delete -o execute
Permissions [/v2/consumers/ : ['CREATE', 'READ', 'UPDATE', 'DELETE', 'EXECUTE']]
successfully granted to role [consumer-admin]
sudo pulp-consumer -u consumer-admin -p admin register --consumer-id KESHA
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
sudo pulp-consumer -u consumer-admin -p 123456 register --consumer-id KESHA
Consumer [KESHA] successfully registered
pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------
Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
/: CREATE, READ, UPDATE, DELETE, EXECUTE
Id: consumer-admin
Display Name: Consumer registration and repo binding
Description: None
Users: consumer-admin
Permissions:
/v2/consumers/: CREATE, READ, UPDATE, DELETE, EXECUTE
pulp-consumer status
This consumer is registered to the server
[ip-XXX] with the ID [KESHA].
+ This comment was cloned from Bugzilla #1081534 comment 13 +
Updated by bmbouter about 9 years ago
- Category deleted (
1) - Tags Documentation added
Documentation is now a Tag not a Category.
Updated by bmbouter about 9 years ago
- Severity changed from Medium to 2. Medium
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
.