Permission denied when using ostree import-all CLI command. #373

Closed
decko opened this issue Jun 19, 2024 · 0 comments · Fixed by #379

decko commented Jun 19, 2024

Version
pulpcore 3.54.0
pulp_ostree 2.3.1

Describe the bug
After creating a role with all core and ostree permissions, a user is not able to use import-all commits of an ostree repo into a pulp repo.
It is possible to use the same command as a super-user and get the content uploaded without errors.

To Reproduce
The role is created using the following payload:

{
  "name": "ostree.admin",
  "description": "Role for ostree administrative tasks.",
  "permissions": [
    "core.add_compositecontentguard",
    "core.add_domain",
    "core.add_headercontentguard",
    "ostree.add_ostreedistribution",
    "ostree.add_ostreeremote",
    "ostree.add_ostreerepository",
    "ostree.view_ostreerepository",
    "ostree.change_ostreerepository",
    "ostree.delete_ostreerepository",
    "ostree.import_commits_ostreerepository",
    "ostree.manage_roles_ostreerepository",
    "ostree.modify_ostreerepository",
    "ostree.repair_ostreerepository",
    "ostree.sync_ostreerepository",
    "ostree.view_ostreerepository",
    "ostree.add_ostreerepository",
    "ostree.view_ostreeremote",
    "ostree.change_ostreeremote",
    "ostree.delete_ostreeremote",
    "ostree.manage_roles_ostreeremote",
    "ostree.view_ostreeremote",
    "ostree.add_ostreeremote",
    "ostree.view_ostreedistribution",
    "ostree.change_ostreedistribution",
    "ostree.delete_ostreedistribution",
    "ostree.manage_roles_ostreedistribution",
    "ostree.view_ostreedistribution",
    "ostree.add_ostreedistribution",
    "core.replicate_upstreampulp",
    "core.view_upstreampulp",
    "core.view_upstreampulp",
    "core.change_upstreampulp",
    "core.delete_upstreampulp",
    "core.manage_roles_upstreampulp",
    "core.replicate_upstreampulp",
    "core.view_upstreampulp",
    "core.add_upstreampulp",
    "core.view_upload",
    "core.change_upload",
    "core.delete_upload",
    "core.manage_roles_upload",
    "core.view_upload",
    "core.add_upload",
    "core.view_task",
    "core.change_task",
    "core.delete_task",
    "core.manage_roles_task",
    "core.view_task",
    "core.view_taskschedule",
    "core.manage_roles_taskschedule",
    "core.view_taskschedule",
    "core.download_rbaccontentguard",
    "core.view_rbaccontentguard",
    "core.change_rbaccontentguard",
    "core.delete_rbaccontentguard",
    "core.manage_roles_rbaccontentguard",
    "core.view_rbaccontentguard",
    "core.add_rbaccontentguard",
    "core.view_headercontentguard",
    "core.change_headercontentguard",
    "core.delete_headercontentguard",
    "core.manage_roles_headercontentguard",
    "core.view_headercontentguard",
    "core.add_headercontentguard",
    "core.view_group",
    "core.change_group",
    "core.delete_group",
    "core.manage_roles_group",
    "core.view_group",
    "core.add_group",
    "core.view_domain",
    "core.change_domain",
    "core.delete_domain",
    "core.manage_roles_domain",
    "core.view_domain",
    "core.add_domain",
    "core.view_contentredirectcontentguard",
    "core.change_contentredirectcontentguard",
    "core.delete_contentredirectcontentguard",
    "core.manage_roles_contentredirectcontentguard",
    "core.view_contentredirectcontentguard",
    "core.add_contentredirectcontentguard",
    "core.view_compositecontentguard",
    "core.change_compositecontentguard",
    "core.delete_compositecontentguard",
    "core.manage_roles_compositecontentguard",
    "core.view_compositecontentguard",
    "core.add_compositecontentguard"
  ]
}

Then you assign this role to a non-admin user.

pulp user role-assignment add --username <non-admin-user> --role edge_ostree.admin --object ""

After that, try to import a repo:

pulp ostree repository import-all --name fedora-iot --repository_name repo --file repo.tar --ref fedora/stable/x86_64/iot

and you'll receive a message about an operation that is not permitted.

decko added a commit to decko/pulp_ostree that referenced this issue Jun 24, 2024
decko added a commit to decko/pulp_ostree that referenced this issue Jun 25, 2024
patchback bot pushed a commit that referenced this issue Jun 26, 2024
Closes #373

(cherry picked from commit 94ed3e5)
lubosmj pushed a commit that referenced this issue Jun 26, 2024
Closes #373

(cherry picked from commit 94ed3e5)
patchback bot pushed a commit that referenced this issue Jun 26, 2024
Closes #373

(cherry picked from commit 94ed3e5)
lubosmj pushed a commit that referenced this issue Jun 26, 2024
Closes #373

(cherry picked from commit 94ed3e5)