Issue #8290
closed
Pulp_ansible unable to sync from galaxy endpoint with token whereas ansible-galaxy client can
Description
Steps to reproduce: Set up a remote with a token and point to a galaxy instance.
{
"auth_url": null,
"ca_cert": null,
"client_cert": null,
"client_key": null,
"download_concurrency": 10,
"name": "hub_1-128797",
"password": null,
"policy": "immediate",
"proxy_url": null,
"pulp_created": "2021-02-19T19:05:47.231796Z",
"pulp_href": "/pulp/api/v3/remotes/ansible/collection/91c20a7d-8477-48d8-86df-46755cdffcae/",
"pulp_last_updated": "2021-02-22T16:53:00.377091Z",
"requirements_file": "---\ncollections:\n- ibm.cloudcollection",
"tls_validation": false,
"token": "xxx-valid-token-xxx",
"url": "https://hostname/api/galaxy/content/community/",
"username": null
},
When syncing this, I get a 403 from the endpoint with the following logs:
Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/
Feb 22 17:13:53 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]: - - [22/Feb/2021:17:13:53 +0000] "GET /api/galaxy/content/community/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp: django.request:WARNING: Forbidden: /api/galaxy/content/community/api/
Feb 22 17:13:54 hub-sat1-v4-2-1-jhardy gunicorn[74032]: pulp [-]: - - [22/Feb/2021:17:13:54 +0000] "GET /api/galaxy/content/community/api/ HTTP/1.0" 403 112 "-" "pulpcore/3.7.3 (cpython 3.6.8-final0, Linux x86_64) (aiohttp 3.7.2)"
PS: "tls_validation": false is set on the remote.
An ansible-galaxy client with the below cfg file:
[galaxy] server_list = community_repo
[galaxy_server.community_repo] url=https://hostname/api/galaxy/content/community/ token=xxx-valid-token-xxx
gives the following results:
Secure:
# ansible-galaxy collection install -p ./ ibm.cloudcollection
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://hub-sat1-v4-2-1-jhardy.c.ansible-tower-engineering.internal/api/galaxy/content/community/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
Ignore SSL certificate validation errors with -c :
# ansible-galaxy collection install -c -p ./ ibm.cloudcollection
Process install dependency map
Starting collection install process
Installing 'ibm.cloudcollection:1.21.0' to '/root/ansible_collections/ibm/cloudcollection'
Expected result: Pulp_Ansible should be able to ignore cert validations and sync successfully when tls_validation is off.
Updated by alikins almost 4 years ago
(cleaned up ansible-galaxy config for ref)
[galaxy]
server_list = community_repo
[galaxy_server.community_repo]
url=https://hostname/api/galaxy/content/community/
token=xxx-valid-token-xxx
Updated by alikins almost 4 years ago
Given the '403' error, what is the origin of the token ("xxx-valid-token-xxx")? From login to the standalone autohub? elsewhere?
Updated by alikins almost 4 years ago
Do we know what version of pulpcore, pulp_ansible, and galaxy_ng are involved?
~~Seems to be galaxy_ng 4.2.0 ?~~
Hopped on the system, it's:
- automation-hub-4.2.1-2.el8pc.noarch
- pulp-ansible (0.5.5)
- pulpcore (3.7.3)
- galaxy-importer (0.2.12)
- galaxy-ng (4.2.1)
Updated by fao89 almost 4 years ago
Turns out we were sending Bearer token, while we should send DRF Token: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
tested with:
sed -i "s/Bearer/Token/g" pulp_ansible/app/downloaders.py
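The scheme mismatch described in the comment above, as an added example that is not part of the original thread and is not pulp_ansible or Django REST framework source. It is a simplified model: `build_auth_header`, `drf_token_auth` and `status_for` are hypothetical names, the tokens are constructed, and the Bearer-with-`auth_url` branch is an assumption drawn from the commit title.

```python
from typing import Optional

DRF_KEYWORD = "Token"  # scheme keyword DRF's TokenAuthentication looks for


def build_auth_header(token: Optional[str], auth_url: Optional[str]) -> dict:
    """Client side: pick the Authorization scheme for a remote.

    Assumption (from the commit title): without auth_url the token is a DRF
    token; with auth_url a Bearer token is sent. The exchange against
    auth_url itself is not modelled.
    """
    if not token:
        return {}
    scheme = "Bearer" if auth_url else DRF_KEYWORD
    return {"Authorization": f"{scheme} {token}"}


def drf_token_auth(headers: dict, valid_tokens: set) -> Optional[str]:
    """Server side: model of how a token authenticator reads the header.

    Returns the token when accepted, None when the scheme is not "Token"
    (the request simply stays anonymous), raises on a malformed or unknown
    token.
    """
    parts = headers.get("Authorization", "").split()
    if not parts or parts[0].lower() != DRF_KEYWORD.lower():
        return None  # wrong scheme is not an error, just "not authenticated"
    if len(parts) != 2:
        raise ValueError("malformed Token header")
    if parts[1] not in valid_tokens:
        raise ValueError("invalid token")
    return parts[1]


def status_for(headers: dict, valid_tokens: set) -> int:
    """Protected endpoint. This model answers 403 for every rejected request,
    matching the status in the report's log; a real deployment may answer 401
    for a bad token depending on its configured authenticators."""
    try:
        return 200 if drf_token_auth(headers, valid_tokens) else 403
    except ValueError:
        return 403


if __name__ == "__main__":
    valid = {"constructed-token"}  # constructed sample value
    print(status_for({"Authorization": "Bearer constructed-token"}, valid))  # old behaviour
    print(status_for(build_auth_header("constructed-token", None), valid))   # after the fix
```

A valid token sent under the wrong scheme is indistinguishable from no credentials at all on the server side, which is why the log shows a plain `Forbidden` rather than an invalid-token error.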
Updated by bmbouter almost 4 years ago
What style does galaxy.ansible.com need for tokens submitted to it?
Updated by pulpbot almost 4 years ago
- Status changed from NEW to POST
Updated by Anonymous almost 4 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp_ansible|002fab0bfd3eddf03d272182eaf7269590953a60.
Added by Fabricio Aguiar almost 4 years ago
Revision 7d1e0616
Use DRF token when no auth_url is provided
https://pulp.plan.io/issues/8290 closes #8290
(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)
Added by Fabricio Aguiar almost 4 years ago
Revision 54e7e0c8
Use DRF token when no auth_url is provided
https://pulp.plan.io/issues/8290 closes #8290
(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)
Updated by pulpbot almost 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Updated by fao89 almost 4 years ago
- Sprint/Milestone changed from 0.5.7 to 0.6.2
Updated by fao89 almost 4 years ago
- Status changed from CLOSED - CURRENTRELEASE to MODIFIED
Updated by fao89 almost 4 years ago
- Sprint/Milestone changed from 0.6.2 to 0.7.1
Added by Fabricio Aguiar almost 4 years ago
Revision 5a37e45a
Use DRF token when no auth_url is provided
https://pulp.plan.io/issues/8290 closes #8290
(cherry picked from commit 002fab0bfd3eddf03d272182eaf7269590953a60)
Updated by pulpbot almost 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE