Fixes #6211,BZ1102521 - Use hidden user's remote id to ping pulp_auth #4265
Conversation
|
I am OK with this for now, but we should use the actual status check (http://pulp-dev-guide.readthedocs.org/en/latest/integration/rest-api/status.html) to do this. Could you make an issue to address this since I imagine it requires a Runcible and Katello update? |
|
@ehelms it doesn't look like that route uses authentication though which would defeat the purpose of the auth check. From your link:
|
|
We can have the regular pulp ping check (pulp_without_oauth) use the status route: |
|
Ahhh, why do we check auth and unauth status?
|
|
@ehelms So we can more easily check if there is an auth error versus there being an issue with the pulp server |
|
Line 25 says ping should be called with the admin user and we also ping
|
Can you point me to that? I tried looking for the code but couldn't find it. |
|
@daviddavis We only have a single user in Candlepin, the admin user unlike Pulp. |
|
So then it's inconsistent? In which case, that point is moot right? Regarding the comment on line 25, this should use the admin user if the admin user is logged in (hence the if). |
|
https://github.com/daviddavis/katello/blob/temp/20140613091921/app/models/katello/ping.rb#L25 -- seems misleading then. Should an unauthenticated user be able to check Pulp status with auth? |
|
I don't know. I was just trying to fix the exception and I hadn't thought about it. |
|
@daviddavis that is why I am wondering if it should just check if User.current exists and only return that status if so. |
|
@ehelms it looks like when you call the v2 ping api, User.current NEVER exists even if you pass in credentials. The fix probably needs to be made in the controller so that it sets the user and checks the user's permissions. The question then would be: which permissions do we allow for ping? Any authenticated user can ping? Or (according to line 25) only admins? |
|
+1
|
It looks like the code didn't properly set User.current so Katello.pulp_server was nil. This code checks for a user in the controller. Also, it handles the case of no user by skipping the pulp_auth check which needs remote_id from a user.
| @@ -18,7 +18,7 @@ class Api::V2::PingController < Api::V2::ApiController | |||
| end | |||
|
|
|||
| skip_before_filter :authorize | |||
| skip_before_filter :require_user, :only => [:server_status] | |||
| before_filter :require_login, :only => [:index] | |||
There was a problem hiding this comment.
Don't ask me why but require_login doesn't actually require a login or user. It just sets User.current if credentials were passed. I tested it:
❯ curl "http://localhost:3000/katello/api/v2/ping"
{"status":"FAIL","services":{"elasticsearch":{"status":"ok","duration_ms":"13"},"katello_jobs":{"status":"FAIL","message":"katello-jobs service not running"},"candlepin":{"status":"ok","duration_ms":"564"},"candlepin_auth":{"status":"ok","duration_ms":"82"},"pulp":{"status":"ok","duration_ms":"21"},"pulp_auth":{}}}
|
APJ |
Fixes #6211,BZ1102521 - Use hidden user's remote id to ping pulp_auth
No description provided.