Project

Profile

Help

Issue #433

closed

Permission Grant : Role-id Issue

Added by bstromski@jumptrading.com about 9 years ago. Updated almost 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.7.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:
A repository with a '.' in the repo-id will fail when trying to grant permission to a role-id to that repository.

Version-Release number of selected component (if applicable):
pulp 2.3.1-1.el6.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. create a repo with a '.' in the name (i.e. rhel6.3-production)
2. create a new user & role (i.e. test/test)
3. pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"

Actual results:
An internal error occurred on the Pulp server. More information can be found in
the client log file ~/.pulp/admin.log.

-- From log --
"exception": [
"InvalidDocument: key '/v2/repositories/rhel6.2-qa-staging/' must not contain '.'\n"
],

Expected results:
This works when a --login=test is specified, but fails when --role-id is specified.

Additional info:

+ This bug was cloned from Bugzilla Bug #1099649 +


Related issues

Related to Pulp - Issue #1057: CLI returns unclear error for nonexistant role-id in permission grant/revokeCLOSED - WONTFIXActions
Actions #1

Updated by skarmark@redhat.com about 9 years ago

I was able to reproduce this problem. Looking at the code, it looks like we are storing permissions for roles in the Roles collection as opposed to in the permissions collection. They are stored with resource as the key and tuple of allowed operations as the value. Since keys in mongo cannot have "." in them, we are seeing the error. We should do what we do for Users which is saving permissions for them in the permissions collection.

+ This comment was cloned from Bugzilla #1099649 comment 1 +

Actions #3

Updated by skarmark@redhat.com about 9 years ago

Reviewed and merged https://github.com/pulp/pulp/pull/1394 submitted by a community member. Moving to modified

+ This comment was cloned from Bugzilla #1099649 comment 3 +

Actions #4

Updated by bmbouter about 9 years ago

  • Severity changed from Medium to 2. Medium
Actions #5

Updated by dkliban@redhat.com almost 9 years ago

  • Platform Release set to 2.7.0
Actions #6

Updated by dkliban@redhat.com almost 9 years ago

  • Status changed from MODIFIED to 5
Actions #7

Updated by pthomas@redhat.com over 8 years ago

  • Status changed from 5 to ASSIGNED

fails-qa

[root@mgmt4 ~]# rpm -qa  pulp-server
pulp-server-2.7.0-0.4.beta.el6.noarch
[root@mgmt4 ~]# 
[root@mgmt4 ~]# 
[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test"
Invalid properties: ['role_id']

[root@mgmt4 ~]#  pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role_id="test"
Command: grant
Description: grants resource permissions to given user or given role
Usage: you can specify either login or role-id in this command; both cannot be
specified at the same time

Available Arguments:

  --resource - (required) resource REST API path whose permissions are being
               manipulated
  --login    - login of the user to which access to given resource is being
               granted
  --role-id  - id of the role to which access to given resource is being granted
  -o         - (required) type of permissions being granted, valid permissions:
               create, read, update, delete, execute
The following options were specified but do not exist on the command:
  --role_id
Actions #8

Updated by amacdona@redhat.com over 8 years ago

  • Assignee changed from skarmark@redhat.com to amacdona@redhat.com
Actions #9

Updated by amacdona@redhat.com over 8 years ago

  • Related to Issue #1057: CLI returns unclear error for nonexistant role-id in permission grant/revoke added
Actions #10

Updated by amacdona@redhat.com over 8 years ago

  • Status changed from ASSIGNED to 5

I got the same results:

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" 
Invalid properties: ['role_id']

This is due to the fact that "test" is not a valid role.

(pulp)[vagrant@dev pulp]$ pulp-admin auth role list
+----------------------------------------------------------------------+
                                 Roles
+----------------------------------------------------------------------+

Id:     super-users
Users:  admin

Using an existing role works as expected:


(pulp)[vagrant@dev pulp]$ pulp-admin auth role create --role-id test
Role [test] successfully created

(pulp)[vagrant@dev pulp]$ pulp-admin auth permission grant --resource="/v2/repositories/rhel6.3-production/" -o execute -o update -o read -o delete --role-id="test" Permissions [/v2/repositories/rhel6.3-production/ : ['EXECUTE', 'UPDATE',
'READ', 'DELETE']] successfully granted to role [test]

The error message is not great, but we already have a bug open that addresses that:
https://pulp.plan.io/issues/1057

Actions #11

Updated by amacdona@redhat.com over 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #12

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
Actions #13

Updated by bmbouter almost 4 years ago

  • Category deleted (14)

We are removing the 'API' category per open floor discussion June 16, 2020.

Added by dkliban@redhat.com over 2 years ago

Revision 98d8f844 | View on GitHub

Adds an optional 'before_script' parameter to the release worklow.

This parameter should be used when re-running a release workflow in order to publish updated docs.

fixes: #433

Also available in: Atom PDF