Issue #433: Permission Grant : Role-id Issue - Pulp

Actions

Send by e-mail Copy link

Issue #433

closed

Permission Grant : Role-id Issue

Added by bstromski@jumptrading.com about 8 years ago. Updated almost 3 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

amacdona@redhat.com

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

2.7.0

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

Description of problem:
A repository with a '.' in the repo-id will fail when trying to grant permission to a role-id to that repository.

Version-Release number of selected component (if applicable):
pulp 2.3.1-1.el6.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. create a repo with a '.' in the name (i.e. rhel6.3-production)
2. create a new user & role (i.e. test/test)
3. pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"

Actual results:
An internal error occurred on the Pulp server. More information can be found in
the client log file ~/.pulp/admin.log.

-- From log --
"exception": [
"InvalidDocument: key '/v2/repositories/rhel6.2-qa-staging/' must not contain '.'\n"
],

Expected results:
This works when a --login=test is specified, but fails when --role-id is specified.

Additional info:

+ This bug was cloned from Bugzilla Bug #1099649 +

Related issues

Actions

Copy link

Updated by skarmark@redhat.com about 8 years ago

I was able to reproduce this problem. Looking at the code, it looks like we are storing permissions for roles in the Roles collection as opposed to in the permissions collection. They are stored with resource as the key and tuple of allowed operations as the value. Since keys in mongo cannot have "." in them, we are seeing the error. We should do what we do for Users which is saving permissions for them in the permissions collection.

+ This comment was cloned from Bugzilla #1099649 comment 1 +

Actions

Copy link

Updated by amacdona@redhat.com about 8 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=1099649

+ This comment was cloned from Bugzilla #1099649 comment 2 +

Actions

Copy link

Updated by skarmark@redhat.com about 8 years ago

Reviewed and merged https://github.com/pulp/pulp/pull/1394 submitted by a community member. Moving to modified

+ This comment was cloned from Bugzilla #1099649 comment 3 +

Actions

Copy link

Updated by bmbouter about 8 years ago

Severity changed from Medium to 2. Medium

Actions

Copy link

Updated by dkliban@redhat.com about 8 years ago

Platform Release set to 2.7.0

Actions

Copy link

Updated by dkliban@redhat.com almost 8 years ago

Status changed from MODIFIED to 5

Actions

Copy link

Updated by pthomas@redhat.com almost 8 years ago

Status changed from 5 to ASSIGNED

fails-qa

[root@mgmt4 ~]# rpm -qa  pulp-server
pulp-server-2.7.0-0.4.beta.el6.noarch
[root@mgmt4 ~]#

[root@mgmt4 ~]# 
[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"
Invalid properties: ['role_id']

[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role_id="test"
Command: grant
Description: grants resource permissions to given user or given role
Usage: you can specify either login or role-id in this command; both cannot be
specified at the same time

Available Arguments:

  --resource - (required) resource REST API path whose permissions are being
               manipulated
  --login    - login of the user to which access to given resource is being
               granted
  --role-id  - id of the role to which access to given resource is being granted
  -o         - (required) type of permissions being granted, valid permissions:
               create, read, update, delete, execute
The following options were specified but do not exist on the command:
  --role_id

Actions

Copy link

Updated by amacdona@redhat.com over 7 years ago

Assignee changed from skarmark@redhat.com to amacdona@redhat.com

Actions

Copy link

Updated by amacdona@redhat.com over 7 years ago

Related to Issue #1057: CLI returns unclear error for nonexistant role-id in permission grant/revoke added

Actions

Copy link

#10

Updated by amacdona@redhat.com over 7 years ago

Status changed from ASSIGNED to 5

I got the same results:

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" 
Invalid properties: ['role_id']

This is due to the fact that "test" is not a valid role.

(pulp)[vagrant@dev pulp]$ pulp-admin auth role list
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:     super-users
Users:  admin

Using an existing role works as expected:


(pulp)[vagrant@dev pulp]$ pulp-admin auth role create --role-id test
Role [test] successfully created

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" Permissions [/v2/repositories/rhel6.3-production/ : ['EXECUTE', 'UPDATE',
'READ', 'DELETE']] successfully granted to role [test]

The error message is not great, but we already have a bug open that addresses that:
https://pulp.plan.io/issues/1057

Actions

Copy link

#11