Issue #7459

Make the pulp exporter directories rwx for pulp group

Added by paji@redhat.com 10 months ago. Updated 9 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 81
Quarter:

Description

Directories generated via pulp3 while exporting tend to have rwx access for the pulp user but not the pulp group.

$  ls -ld /var/lib/pulp/exports/Default_Organization/kresteva/1.0/bar1/2020-09-04T02-30-40-00-00
drwxr-xr-x. 2 pulp pulp 152 Sep  4 02:30 /var/lib/pulp/exports/Default_Organization/kresteva/1.0/bar1/2020-09-04T02-30-40-00-00

Note that group write is missing for this directory. Katello wants to be able to add additional json files to that directory and hence needs write access to the pulp group.

Temporarily this can be fixed by

sudo setfacl -Rdm 'g:pulp:rwx' /var/lib/pulp/exports/

but I think pulp group write is the better solution.

Associated revisions

Revision 43f50f75
Added by ggainey 9 months ago

When export creates a dir, make sure the group can write to it.

closes #7459

History

#1 Updated by fao89 10 months ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 81

#2 Updated by mdepaulo@redhat.com 10 months ago

We were discussing possible solutions on #pulp-meeting:

  1. Setting group write on /var/lib/pulp/exports/ (or whatever dirs for allowed_exports_paths) is not sufficient because it will not apply to created directories under it.
  2. Setting an ACL for group write default (default ACL is like "inherited") in the installer would solve the problem easily, but users using ext2,3,4 will need to have ACLs enabled in /etc/fstab. And NFSv3 won't support it at all.
  3. umask for the process would solve the problem, but is this feasible?
  4. Updating the application logic to set the perms would solve the problem.

#3 Updated by ggainey 10 months ago

wrote:

We were discussing possible solutions on #pulp-meeting:

  1. Setting group write on /var/lib/pulp/exports/ (or whatever dirs for allowed_exports_paths) is not sufficient because it will not apply to created directories under it.
  2. Setting an ACL for group write default (default ACL is like "inherited") in the installer would solve the problem easily, but users using ext2,3,4 will need to have ACLs enabled in /etc/fstab. And NFSv3 won't support it at all.
  3. umask for the process would solve the problem, but is this feasible?
  4. Updating the application logic to set the perms would solve the problem.

Exporters write to whatever directory is specified for them at creation/update time - we don't know it at install-time; it's entirely possible to define ALLOWED_EXPORT_DIRS as ['/'].

It "makes sense" (for whatever that is worth :) ) to me that the application ensures that, if it has to create a directory to export-to, it ensures that the end result is a directory that both the app-owner and app-group have write-access to.
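Option 4 from the discussion above (the application sets the permissions itself), as an added example that is not Pulp's code and not the code in revision 43f50f75: `os.makedirs()` masks its `mode` argument with the process umask, so the helper below applies the bits explicitly to each directory it creates. The names `make_export_dir` and `demo` and the 0o775 mode are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def make_export_dir(path, mode=0o775):
    """Create `path` and any missing parents, then give owner and group rwx
    on every directory this call created, whatever the process umask is.
    Hypothetical helper; 0o775 is an assumed target mode."""
    path = os.path.abspath(path)
    missing = []
    probe = path
    # Walk upwards to find which components do not exist yet, so that
    # pre-existing directories (e.g. the export root) are left untouched.
    while not os.path.isdir(probe):
        missing.append(probe)
        probe = os.path.dirname(probe)
    os.makedirs(path, exist_ok=True)
    created = list(reversed(missing))  # outermost first
    for directory in created:
        # chmod is not subject to the umask, unlike mkdir/makedirs.
        os.chmod(directory, mode)
    return created


def demo():
    """Under umask 022, return (mode from plain makedirs, mode from helper)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as root:  # constructed sample tree
            plain = os.path.join(root, "plain", "2020-09-04")
            os.makedirs(plain, mode=0o775)  # umask strips group write
            fixed = os.path.join(root, "fixed", "2020-09-04")
            make_export_dir(fixed)
            return (stat.S_IMODE(os.stat(plain).st_mode),
                    stat.S_IMODE(os.stat(fixed).st_mode))
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    plain_mode, fixed_mode = demo()
    print("plain makedirs:", oct(plain_mode))
    print("make_export_dir:", oct(fixed_mode))
```

Unlike the default-ACL workaround, this does not depend on filesystem ACL support, and it only touches directories the call itself created.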

#4 Updated by pulpbot 9 months ago

  • Status changed from NEW to POST

#5 Updated by ggainey 9 months ago

  • Status changed from POST to MODIFIED

#6 Updated by bmbouter 9 months ago

  • Sprint/Milestone set to 3.7.0

#7 Updated by pulpbot 9 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
