Issue #8290

closed

Pulp_ansible unable to sync from galaxy endpoint with token whereas ansible-galaxy client can

Added by sajha over 3 years ago. Updated over 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee: -
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

Steps to reproduce: Set up a remote with a token and point to a galaxy instance.

    {
        "auth_url": null,
        "ca_cert": null,
        "client_cert": null,
        "client_key": null,
        "download_concurrency": 10,
        "name": "hub_1-128797",
        "password": null,
        "policy": "immediate",
        "proxy_url": null,
        "pulp_created": "2021-02-19T19:05:47.231796Z",
        "pulp_href": "/pulp/api/v3/remotes/ansible/collection/91c20a7d-8477-48d8-86df-46755cdffcae/",
        "pulp_last_updated": "2021-02-22T16:53:00.377091Z",
        "requirements_file": "---\ncollections:\n- ibm.cloudcollection",
        "tls_validation": false,
        "token": "xxx-valid-token-xxx",
        "url": "https://hostname/api/galaxy/content/community/",
        "username": null
    }

When syncing this, I get a 403 from the endpoint with the following logs:

Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/
Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]:  - - [22/Feb/2021:17:13:53 +0000] "GET /api/galaxy/content/community/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/api/
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]:  - - [22/Feb/2021:17:13:54 +0000] "GET /api/galaxy/content/community/api/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"

PS: "tls_validation": false is set on the remote.

An ansible-galaxy client with the below cfg file:

[galaxy]
server_list = community_repo

[galaxy_server.community_repo]
url=https://hostname/api/galaxy/content/community/
token=xxx-valid-token-xxx

gives the following results:

Secure:

# ansible-galaxy collection install -p ./ ibm.cloudcollection
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://hub-sat1-v4-2-1-jhardy.c.ansible-tower-engineering.internal/api/galaxy/content/community/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>

Ignore SSL certificate validation errors with -c :

# ansible-galaxy collection install -c -p ./ ibm.cloudcollection
Process install dependency map
Starting collection install process
Installing 'ibm.cloudcollection:1.21.0' to '/root/ansible_collections/ibm/cloudcollection'

Expected result: Pulp_Ansible should be able to ignore cert validations and sync successfully when tls_validation is off.

Actions #1

Updated by alikins over 3 years ago

(cleaned up ansible-galaxy config for ref)

[galaxy] 
server_list = community_repo

[galaxy_server.community_repo]
url=https://hostname/api/galaxy/content/community/
token=xxx-valid-token-xxx

Actions #2

Updated by alikins over 3 years ago

Given the '403' error, what is the origin of the token ("xxx-valid-token-xxx")? From login to the standalone autohub? Elsewhere?

Actions #3

Updated by alikins over 3 years ago

Do we know what version of pulpcore, pulp_ansible, and galaxy_ng are involved? ~~ Seems to be galaxy_ng 4.2.0 ?~~

Hopped on the system, it's:

  • automation-hub-4.2.1-2.el8pc.noarch
  • pulp-ansible (0.5.5)
  • pulpcore (3.7.3)
  • galaxy-importer (0.2.12)
  • galaxy-ng (4.2.1)
Actions #4

Updated by fao89 over 3 years ago

Turns out we were sending Bearer token, while we should send DRF Token: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication

tested with:

sed -i "s/Bearer/Token/g" pulp_ansible/app/downloaders.py  
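
Added example, not pulp_ansible or Django REST framework code: a small model of why a valid token sent under the `Bearer` scheme is treated as an anonymous request and gets the 403 seen in the logs above, while the same token under `Token` authenticates. The helper names are hypothetical, and the `Bearer` branch for remotes that set `auth_url` is an assumption based on the commit title.

```python
# Added illustration; helper names are hypothetical, not project code.
from typing import Optional

DRF_KEYWORD = "Token"  # keyword checked by DRF's TokenAuthentication


def build_authorization_header(token: str, auth_url: Optional[str]) -> dict:
    """Choose the Authorization scheme for a remote.

    Assumption: with auth_url set the token is sent as Bearer; without it,
    the remote is talking to a DRF endpoint and must use the Token keyword.
    """
    scheme = "Bearer" if auth_url else DRF_KEYWORD
    return {"Authorization": f"{scheme} {token}"}


def drf_style_authenticate(headers: dict, valid_tokens: set) -> Optional[str]:
    """Simplified model of a keyword-checked token authenticator.

    Returns the token on success, None when the scheme is not ours (the
    request continues as anonymous), and raises on a bad header or token.
    """
    parts = headers.get("Authorization", "").split()
    if not parts or parts[0].lower() != DRF_KEYWORD.lower():
        return None  # wrong scheme: the token value is never examined
    if len(parts) != 2:
        raise ValueError("invalid token header")
    if parts[1] not in valid_tokens:
        raise ValueError("invalid token")
    return parts[1]


def status_for(headers: dict, valid_tokens: set) -> int:
    """Status a protected endpoint returns in this model (200 or 403)."""
    try:
        token = drf_style_authenticate(headers, valid_tokens)
    except ValueError:
        token = None  # rejected credentials are denied in this model
    return 200 if token else 403


if __name__ == "__main__":
    valid = {"xxx-valid-token-xxx"}  # constructed sample, placeholder from the issue
    before = {"Authorization": "Bearer xxx-valid-token-xxx"}
    after = build_authorization_header("xxx-valid-token-xxx", auth_url=None)
    print("Bearer:", status_for(before, valid))  # denied despite a valid token
    print("Token: ", status_for(after, valid))
```

The point for troubleshooting: a 403 here says nothing about whether the token is valid, because a request with an unrecognised scheme never reaches the token lookup.
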

Actions #5

Updated by bmbouter over 3 years ago

What style does galaxy.ansible.com need for tokens submitted to it?

Actions #6

Updated by pulpbot over 3 years ago

  • Status changed from NEW to POST

Added by Fabricio Aguiar over 3 years ago

Revision 002fab0b | View on GitHub

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

Actions #7

Updated by Anonymous over 3 years ago

  • Status changed from POST to MODIFIED

Added by Fabricio Aguiar over 3 years ago

Revision 7d1e0616 | View on GitHub

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)

Added by Fabricio Aguiar over 3 years ago

Revision 54e7e0c8 | View on GitHub

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)

Actions #10

Updated by fao89 over 3 years ago

  • Sprint/Milestone set to 0.5.7

Actions #11

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Actions #12

Updated by fao89 over 3 years ago

  • Sprint/Milestone changed from 0.5.7 to 0.6.2

Actions #13

Updated by fao89 over 3 years ago

  • Status changed from CLOSED - CURRENTRELEASE to MODIFIED

Actions #14

Updated by fao89 over 3 years ago

  • Sprint/Milestone changed from 0.6.2 to 0.7.1

Added by Fabricio Aguiar over 3 years ago

Revision 5a37e45a | View on GitHub

Use DRF token when no auth_url is provided

https://pulp.plan.io/issues/8290 closes #8290

(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)

Actions #16

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
