Issue #708
closed
Pulp does not authenticate with mongodb using username with an empty password if specified
Description
Description of problem:
Pulp does not allow authentication with mongodb using username with an empty password if specified in server.conf and shows a traceback, though mongo allows access to pulp_database with an empty pass
Might be connected to BZ 1182335
Version-Release number of selected component (if applicable):
rpm -qa pulp-server
pulp-server-2.6.0-0.7.beta.fc20.noarch
Steps to Reproduce:
mongo
MongoDB shell version: 2.4.6
connecting to: test
use pulp_database
switched to db pulp_database
db.changeUserPassword("gena", "")
exit
bye
mongo pulp_database -u gena
MongoDB shell version: 2.4.6
connecting to: pulp_database
db.repos.find()
{ "_id" : ObjectId("54b7c4cb99cca86045dd3fcb"), "_ns" : "repos", "content_unit_counts" : { "erratum" : 4, "package_category" : 1, "package_group" : 2 }, "description" : null, "display_name" : "zoo_repo", "id" : "zoo_repo", "last_unit_added" : ISODate("2015-01-15T13:47:14.329Z"), "last_unit_removed" : null, "notes" : { "_repo-type" : "rpm-repo" }, "scratchpad" : { "checksum_type" : "sha256" } }
exit
bye
vi /etc/pulp/server.conf
username: gena
password:
for s in {qpidd,pulp_celerybeat,pulp_resource_manager,pulp_workers,httpd}; do sudo systemctl restart $s; done;
pulp-admin login -u admin -p admin
There was an internal server error while trying to access the Pulp application.
One possible cause is that the database needs to be migrated to the latest
version. If this is the case, run pulp-manage-db and restart the services. More
information may be found in Apache's log.
sudo -u apache pulp-manage-db
Database initialization failed: The server config specified username/password authentication but is missing either the username or the password
The server config specified username/password authentication but is missing either the username or the password
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pulp/server/db/manage.py", line 124, in main
connection.initialize(max_timeout=1)
File "/usr/lib/python2.7/site-packages/pulp/server/db/connection.py", line 92, in initialize
raise Exception(_("The server config specified username/password authentication but "
Exception: The server config specified username/password authentication but is missing either the username or the password
mongo
MongoDB shell version: 2.4.6
connecting to: test
use pulp_database
switched to db pulp_database
db.changeUserPassword("gena", "genka")
exit
bye
vi /etc/pulp/server.conf
username: gena
password: genka
for s in {qpidd,pulp_celerybeat,pulp_resource_manager,pulp_workers,httpd}; do sudo systemctl restart $s; done;
pulp-admin rpm repo list
--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------
Id: zoo_repo
Display Name: zoo_repo
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
+ This bug was cloned from Bugzilla Bug #1194676 +
Updated by bmbouter about 9 years ago
I think this bug is as simple as adjusting this section [0] of code so that if username is not the default (empty string) then both username and password will be included as connection_kwargs. The default password is an empty string so if the user does not adjust the password of server.conf [database] section then an empty password should be allowed.
[0]: https://github.com/pulp/pulp/blob/master/server/pulp/server/db/connection.py#L87-L93
+ This comment was cloned from Bugzilla #1194676 comment 1 +
Updated by cduryee about 9 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to cduryee
Updated by cduryee about 9 years ago
- Assignee changed from cduryee to igulina@redhat.com
Can you give more info about how you created the 'gena' user originally? I am having trouble reproducing this case.
Updated by cduryee about 9 years ago
- Assignee changed from igulina@redhat.com to cduryee
Updated by cduryee about 9 years ago
- Status changed from ASSIGNED to POST
Added by cduryee about 9 years ago
Added by cduryee about 9 years ago
Revision 6fcae917 | View on GitHub
Allow passwordless mongodb connections to be configured
MongoDB allows passwordless logins. However, Pulp was checking that both the username and password were set before attempting a login.
This patch alters the user/pass check to fail only if a password is set sans username. If a username is set sans password, a MongoDB connection will be attempted.
Note that all of the auth still happens in Mongo. This was just a "pre-check" that Pulp was doing to give a clear error message.
fixes #708
Updated by cduryee about 9 years ago
- % Done changed from 0 to 100
Applied in changeset pulp|6fcae917d1f0038611b73c00b02ccc3a73a751d8.
Updated by cduryee almost 9 years ago
- Platform Release changed from 2.6.1 to 2.6.2
Updated by dkliban@redhat.com almost 9 years ago
- Status changed from MODIFIED to 5
Updated by igulina@redhat.com almost 9 years ago
- Status changed from 5 to 6
rpm -qa pulp-server
pulp-server-2.6.2-0.2.beta.fc20.noarch
with
username: gena
password:
in /etc/pulp/server.conf
mongo pulp_database -u gena
MongoDB shell version: 2.4.6
connecting to: pulp_database
^C
bye
sudo -u apache pulp-manage-db
Mongo database for connection is version 2.4.6
Loading content types.
Loading type descriptors [docker.json, rpm_support.json, puppet.json, iso_support.json, nodes.json]
Parsing type descriptors
Validating type descriptor syntactic integrity
Validating type descriptor semantic integrity
Updating the database with types [docker_image, distribution, drpm, erratum, package_group, package_category, package_environment, rpm, srpm, yum_repo_metadata_file, puppet_module, iso, repository, node]
Content types loaded.
Ensuring the admin role and user are in place.
Admin role and user are in place.
Beginning database migrations.
Migration package pulp.server.db.migrations is up to date at version 12
Migration package pulp_puppet.plugins.migrations is up to date at version 2
Migration package pulp_rpm.plugins.migrations is up to date at version 21
Database migrations complete.
for s in {qpidd,pulp_celerybeat,pulp_resource_manager,pulp_workers,httpd}; do sudo systemctl restart $s; done;
pulp-admin -u admin -p admin rpm repo list
--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------
Id: zoo_repo
Display Name: zoo_repo
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Jun 1 11:56:14 2015
GMT.
pulp-admin rpm repo create --repo-id test
Successfully created repository [test]
pulp-admin rpm repo delete --repo-id test
This command may be exited via ctrl+c without affecting the request.
[\]
Running...
Repository [test] successfully deleted
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
.
Allow passwordless mongodb connections to be configured
MongoDB allows passwordless logins. However, Pulp was checking that both the username and password were set before attempting a login.
This patch alters the user/pass check to fail only if a password is set sans username. If a username is set sans password, a MongoDB connection will be attempted.
Note that all of the auth still happens in Mongo. This was just a "pre-check" that Pulp was doing to give a clear error message.
fixes #708