Issue #411

closed

authentication failed for user with a consumer admin role

Added by ashbyj@imsweb.com about 9 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.3
Platform Release: 2.4.3
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Documentation, Pulp 2
Sprint:
Quarter:

Description

Description of problem:

I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories. I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:

pulp-consumer -u admin -p password register --consumer-id hostname

I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.

Version-Release number of selected component (if applicable):

I’m running pulp 2.3 and CentOS 6.5 on both the server and consumer. Stock install of pulp, except I did change some SSL certs to use our company's root CA.

How reproducible:
every time

Steps to Reproduce:
1. Create user and role:

pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute

2. Attempt to register new consumer:

me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04

Actual results:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.

Expected results:
successful registration of consumer

Additional info:

me@pulpserver:~> pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------

Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer Admins
Description: Consumer registration and repo binding
Users: consumer-admin
Permissions:
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

Here is the last bit of /var/log/pulp/pulp.log from the server:

...snip...
  File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
    raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed

Also, the "Authentication failed" error message on the consumer should probably say "permission denied". Thanks for the help.

This bug was cloned from Bugzilla Bug #1081534
