Issue #411
closed
authentication failed for user with a consumer admin role
Description
Description of problem:
I'm trying to create a user that has minimal permissions to register a consumer and bind to some repositories. I use puppet to provision hosts, so I basically have an exec that looks like the following, and so the password will be visible in my puppet manifest:
pulp-consumer -u admin -p password register --consumer-id hostname
I'm able to do 'pulp-admin login -u consumer-admin' from the server, so the user seems fine but the permissions not so much.
Version-Release number of selected component (if applicable):
I’m running pulp 2.3 and CentOS 6.5 on both the server and consumer. Stock install of pulp, except I did change some SSL certs to use our company's root CA.
How reproducible:
every time
Steps to Reproduce:
1. Create user and role:
pulp-admin auth role create --role-id consumer-admin --display-name "Consumer registration and repo binding"
pulp-admin auth user create --login consumer-admin --name "Consumer registration admin"
pulp-admin auth role user add --login consumer-admin --role-id consumer-admin
pulp-admin auth permission grant --resource /consumers --role-id consumer-admin -o create -o read -o update -o delete -o execute
2. Attempt to register new consumer:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Actual results:
me@test04:~> sudo pulp-consumer -u consumer-admin -p password register --consumer-id test04
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
Expected results:
successful registration of consumer
Additional info:
me@pulpserver:~> pulp-admin auth role list --details
--------------------------------------------------------------------
Roles
--------------------------------------------------------------------

Id: super-users
Display Name: Super Users
Description: Role indicates users with admin privileges
Users: admin
Permissions:
  /: CREATE, READ, UPDATE, DELETE, EXECUTE

Id: consumer-admin
Display Name: Consumer Admins
Description: Consumer registration and repo binding
Users: consumer-admin
Permissions:
  /consumers: CREATE, READ, UPDATE, DELETE, EXECUTE

Here is the last bit of /var/log/pulp/pulp.log from the server:
...snip...
  File "/usr/lib/python2.6/site-packages/pulp/server/webservices/controllers/decorators.py", line 224, in _auth_decorator
    raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
AuthenticationFailed: Pulp exception occurred: AuthenticationFailed
Also, the "Authentication failed" error message on the consumer should probably say "permission denied". Thanks for the help.
+ This bug was cloned from Bugzilla Bug #1081534 +