Project

Profile

Help

Issue #433

Permission Grant : Role-id Issue

Added by bstromski@jumptrading.com over 6 years ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.7.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:
A repository with a '.' in the repo-id will fail when trying to grant permission to a role-id to that repository.

Version-Release number of selected component (if applicable):
pulp 2.3.1-1.el6.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. create a repo with a '.' in the name (i.e. rhel6.3-production)
2. create a new user & role (i.e. test/test)
3. pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"

Actual results:
An internal error occurred on the Pulp server. More information can be found in
the client log file ~/.pulp/admin.log.

-- From log --
"exception": [
"InvalidDocument: key '/v2/repositories/rhel6.2-qa-staging/' must not contain '.'\n"
],

Expected results:
This works when a --login=test is specified, but fails when --role-id is specified.

Additional info:

+ This bug was cloned from Bugzilla Bug #1099649 +


Related issues

Related to Pulp - Issue #1057: CLI returns unclear error for nonexistant role-id in permission grant/revokeCLOSED - WONTFIX<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision 98d8f844 View on GitHub
Added by dkliban@redhat.com 4 months ago

Adds an optional 'before_script' parameter to the release worklow.

This parameter should be used when re-running a release workflow in order to publish updated docs.

fixes: #433

History

#1 Updated by skarmark@redhat.com over 6 years ago

I was able to reproduce this problem. Looking at the code, it looks like we are storing permissions for roles in the Roles collection as opposed to in the permissions collection. They are stored with resource as the key and tuple of allowed operations as the value. Since keys in mongo cannot have "." in them, we are seeing the error. We should do what we do for Users which is saving permissions for them in the permissions collection.

+ This comment was cloned from Bugzilla #1099649 comment 1 +

#3 Updated by skarmark@redhat.com over 6 years ago

Reviewed and merged https://github.com/pulp/pulp/pull/1394 submitted by a community member. Moving to modified

+ This comment was cloned from Bugzilla #1099649 comment 3 +

#4 Updated by bmbouter over 6 years ago

  • Severity changed from Medium to 2. Medium

#5 Updated by dkliban@redhat.com over 6 years ago

  • Platform Release set to 2.7.0

#6 Updated by dkliban@redhat.com over 6 years ago

  • Status changed from MODIFIED to 5

#7 Updated by pthomas@redhat.com over 6 years ago

  • Status changed from 5 to ASSIGNED

fails-qa

[root@mgmt4 ~]# rpm -qa  pulp-server
pulp-server-2.7.0-0.4.beta.el6.noarch
[root@mgmt4 ~]# 
[root@mgmt4 ~]# 
[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"
Invalid properties: ['role_id']

[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role_id="test"
Command: grant
Description: grants resource permissions to given user or given role
Usage: you can specify either login or role-id in this command; both cannot be
specified at the same time

Available Arguments:

  --resource - (required) resource REST API path whose permissions are being
               manipulated
  --login    - login of the user to which access to given resource is being
               granted
  --role-id  - id of the role to which access to given resource is being granted
  -o         - (required) type of permissions being granted, valid permissions:
               create, read, update, delete, execute
The following options were specified but do not exist on the command:
  --role_id

#8 Updated by amacdona@redhat.com about 6 years ago

  • Assignee changed from skarmark@redhat.com to amacdona@redhat.com

#9 Updated by amacdona@redhat.com about 6 years ago

  • Related to Issue #1057: CLI returns unclear error for nonexistant role-id in permission grant/revoke added

#10 Updated by amacdona@redhat.com about 6 years ago

  • Status changed from ASSIGNED to 5

I got the same results:

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" 
Invalid properties: ['role_id']

This is due to the fact that "test" is not a valid role.

(pulp)[vagrant@dev pulp]$ pulp-admin auth role list
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:     super-users
Users:  admin

Using an existing role works as expected:


(pulp)[vagrant@dev pulp]$ pulp-admin auth role create --role-id test
Role [test] successfully created

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" Permissions [/v2/repositories/rhel6.3-production/ : ['EXECUTE', 'UPDATE',
'READ', 'DELETE']] successfully granted to role [test]

The error message is not great, but we already have a bug open that addresses that:
https://pulp.plan.io/issues/1057

#11 Updated by amacdona@redhat.com almost 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

#13 Updated by bmbouter over 1 year ago

  • Category deleted (14)

We are removing the 'API' category per open floor discussion June 16, 2020.

Please register to edit this issue

Also available in: Atom PDF