Issue #8290

Pulp_ansible unable to sync from galaxy endpoint with token whereas ansible-galaxy client can

Added by sajha 9 days ago. Updated 6 minutes ago.

Status: MODIFIED
Priority: Normal
Assignee: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: No
Groomed: No
Sprint Candidate: No

Description

Steps to reproduce: Set up a remote with a token and point to a galaxy instance.

    {
        "auth_url": null,
        "ca_cert": null,
        "client_cert": null,
        "client_key": null,
        "download_concurrency": 10,
        "name": "hub_1-128797",
        "password": null,
        "policy": "immediate",
        "proxy_url": null,
        "pulp_created": "2021-02-19T19:05:47.231796Z",
        "pulp_href": "/pulp/api/v3/remotes/ansible/collection/91c20a7d-8477-48d8-86df-46755cdffcae/",
        "pulp_last_updated": "2021-02-22T16:53:00.377091Z",
        "requirements_file": "---\ncollections:\n- ibm.cloudcollection",
        "tls_validation": false,
        "token": "xxx-valid-token-xxx",
        "url": "https://hostname/api/galaxy/content/community/",
        "username": null
    }

When syncing this, I get a 403 from the endpoint with the following logs:

Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/
Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]:  - - [22/Feb/2021:17:13:53 +0000] "GET /api/galaxy/content/community/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/api/
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]:  - - [22/Feb/2021:17:13:54 +0000] "GET /api/galaxy/content/community/api/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"

PS: "tls_validation": false is set on the remote.

An ansible-galaxy client with the below cfg file:

[galaxy]
server_list = community_repo

[galaxy_server.community_repo]
url=https://hostname/api/galaxy/content/community/
token=xxx-valid-token-xxx

gives the following results:

Secure:

# ansible-galaxy collection install -p ./ ibm.cloudcollection
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://hub-sat1-v4-2-1-jhardy.c.ansible-tower-engineering.internal/api/galaxy/content/community/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>

Ignore SSL certificate validation errors with -c :

# ansible-galaxy collection install -c -p ./ ibm.cloudcollection
Process install dependency map
Starting collection install process
Installing 'ibm.cloudcollection:1.21.0' to '/root/ansible_collections/ibm/cloudcollection'

Expected result: Pulp_Ansible should be able to ignore cert validations and sync successfully when tls_validation is off.

Associated revisions

Revision 002fab0b
Added by Fabricio Aguiar about 19 hours ago

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

Revision 7d1e0616
Added by Fabricio Aguiar 4 minutes ago

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)

Revision 54e7e0c8
Added by Fabricio Aguiar 3 minutes ago

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)

History

#1 Updated by alikins 8 days ago

(cleaned up ansible-galaxy config for ref)

[galaxy] 
server_list = community_repo

[galaxy_server.community_repo]
url=https://hostname/api/galaxy/content/community/
token=xxx-valid-token-xxx

#2 Updated by alikins 8 days ago

Given the '403' error, what is the origin of the token ("xxx-valid-token-xxx")? From login to the standalone autohub? Elsewhere?

#3 Updated by alikins 8 days ago

Do we know what version of pulpcore, pulp_ansible, and galaxy_ng are involved? ~~ Seems to be galaxy_ng 4.2.0 ?~~

Hopped on the system, it's:

  • automation-hub-4.2.1-2.el8pc.noarch
  • pulp-ansible (0.5.5)
  • pulpcore (3.7.3)
  • galaxy-importer (0.2.12)
  • galaxy-ng (4.2.1)

#4 Updated by fao89 6 days ago

Turns out we were sending Bearer token, while we should send DRF Token: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication

tested with:

sed -i "s/Bearer/Token/g" pulp_ansible/app/downloaders.py  
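
Added example, not part of the comment above and not pulp_ansible or galaxy_ng code: a small model of why a valid key sent as `Bearer` is rejected by a Django REST Framework `TokenAuthentication` endpoint, and of choosing the scheme from `auth_url` as the fix's commit message describes. The helper names, the `access_token` parameter and the status codes returned by the model are assumptions made for illustration.

```python
"""Added illustration; not pulp_ansible or galaxy_ng code."""

# Constructed sample: the placeholder token shown in the issue description.
VALID_KEYS = {"xxx-valid-token-xxx"}


def auth_header(token, auth_url=None, access_token=None):
    """Pick the Authorization scheme for a remote (hypothetical helper).

    Assumption: when auth_url is set, the token has already been exchanged
    there for access_token, which is sent as Bearer. Without auth_url the
    token is a DRF key and must be sent with the "Token" keyword.
    """
    if not token:
        return {}
    if auth_url:
        if not access_token:
            raise ValueError("auth_url set but no access token obtained")
        return {"Authorization": f"Bearer {access_token}"}
    return {"Authorization": f"Token {token}"}


def drf_token_status(headers, keyword="Token"):
    """Simplified model of DRF TokenAuthentication plus an authenticated-only view."""
    parts = headers.get("Authorization", "").split()
    # DRF compares the first word with its keyword, case-insensitively. On a
    # mismatch the authenticator declines, so the request stays anonymous and
    # the permission check denies it (modelled as the 403 seen in the log).
    if not parts or parts[0].lower() != keyword.lower():
        return 403
    # Keyword matched but credentials missing, or the token contains spaces.
    if len(parts) != 2:
        return 401
    return 200 if parts[1] in VALID_KEYS else 401


def compare(token):
    """Return (status when sent as Bearer, status with the chosen scheme)."""
    before = drf_token_status({"Authorization": f"Bearer {token}"})
    after = drf_token_status(auth_header(token, auth_url=None))
    return before, after


if __name__ == "__main__":
    print(compare("xxx-valid-token-xxx"))
```
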

#5 Updated by bmbouter 6 days ago

What style does galaxy.ansible.com need for tokens submitted to it?

#6 Updated by pulpbot about 20 hours ago

  • Status changed from NEW to POST

#7 Updated by Anonymous about 19 hours ago

  • Status changed from POST to MODIFIED
