How to manage access to file repository?

Hi there. I’m new to pulp, evaluating it for hosting artifacts (tarballs, rpms) usable by internal software deployments.

An initial goal is to set up a file repository/distribution, with certain users (& project CI jobs) able to upload files, and anybody to download files without authentication. That seemed like it should be a simple and common use case.

I’m using the Pulp in One Container under podman, and have created repository & distribution and successfully uploaded a file as the admin user; the file, manifest and directory listing are all publicly visible.

But then to configure the upload side, I set up a group & RBAC content-guard. It appears that once the content guard is attached to the distribution, public (unauthenticated) access is lost - I get a 403.

No searching of documents & tutorials has come up with any solution.

Copilot suggested adding to settings.py

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
]
ANONYMOUS_USER_NAME = 'anonymous'

but that didn’t appear to make any difference.

What am I missing? If someone could point me in the right direction that would be much appreciated.

Pulpcore version:

3.113.0 - docker.io/pulp/pulp:latest

Content guards are part of the delivery side for content (not the API) in Pulp. You can restrict (consuming) access to certain distributions in a variety of ways assigning a corresponding content guard.

The API side however, where you are supposed to manage what and how the content app serves repositories, is direct RBAC. So you should have a look at the roles APIs and assign certain (object-)roles to users or groups alike.

https://pulpproject.org/pulpcore/docs/user/guides/protect-content/
https://pulpproject.org/pulp_container/docs/admin/learn/rbac/

Thanks for clarifying that. I was confusing repository and distribution.

My next problem is trying to allow a specific non-admin user to upload to a file repository. I hope I’ve understood the concepts of user / group / role-assignment / role / permission, and have created a user in a group. I’ve tried adding various role assignments using the supplied roles, but with no luck on attempting an upload.

With pulp -v (or -vv or -vvv) I can see which API calls are being made, but not which permission check is failing.

Where in the docs - or how - can I find a necessary and sufficient set of roles (or permissions) which will allow the user to do

pulp file content upload --repository bigfiles --file <whatever>

and does this depend on whether the upload is chunked or not?

I don’t think there is a way to remotely tell what permissions are missing. There is however a way to check your permissions wrt an object (pulp file repository role my-permissions --help).

For a chunked upload you need to have permissions to create a new upload (that you then turn into owning).
pulp role list tells you what you can assign.

So, diving headlong into the code, I created a patch to log pulpcore.backends.ObjectRolePermissionBackend.has_perm calls to a file, then created a new podman image with that patch applied. That let me see exactly which permission was missing, incrementally.

I found that the permissions needed to upload to a file repository are:

  • file.view_filerepository
    • role file.filerepository_viewer has this
  • file.modify_filerepository
    • role file.filerepository_owner has this, but is too broad for my use case (also allows e.g. deleting the repository)
  • core.add_upload (to allow chunked uploads)
    • role core.upload_creator has this

A recipe to achieve this (assuming a repo-specific group has been created) is thus:

  • create a role “cli_file_uploader” with permissions
    • file.view_filerepository
    • file.modify_filerepository
  • create role-assignments for the group
    • cli_file_uploader --object $FILE_REPO_HREF
    • core.upload_creator --object “”

For an rpm repository, it’s quite similar:

  • create a role “cli_rpm_uploader” with permissions
    • rpm.view_rpmrepository
    • rpm.modify_content_rpmrepository
  • create role-assignments for the group
    • cli_rpm_uploader --object $RPM_REPO_HREF
    • core.upload_creator --object “”

One thing to note is that “pulp rpm content upload” has --publish enabled by default, and that would require extra permissions (exercise for the reader). To avoid this, I’ve just set the autopublish flag on the repo, and add --no-publish to the command line when uploading.

A few other observations along the way:

  • it’s quite complicated
    • CLI → glue → API → django → viewsets → actions → conditions → permissions
    • users → groups → role-assignments → roles → permissions
  • users need to be created with --staff to do meaningful things with the API apart from status
  • (discovered latterly) the python module pulp_file.app.viewsets lists conditions from which permissions may be gleaned; similarly for other plugins
  • “pulp file content upload” uses the “…/create” API call, not “…/upload”, so the file.file_uploader role does not help
  • when navigating the API in a browser, there’s missing/hidden support of role-assignments
    • no link to group/N/roles/ where one can POST new assignment
    • instead, we have “list_roles”, which doesn’t seem to show anything useful; also “add_role”, “remove_role”. Perhaps left over from a previous role/permission model.
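The recipe above expressed against the Pulp REST API instead of the CLI, as an added example that is not part of the thread: it creates the narrow uploader role, assigns it on one repository plus core.upload_creator model-wide, and then uses the my_permissions endpoint to report which of the required permissions the calling user still lacks. The base URL, credentials, group id and repository href are placeholders; the role names and permission lists are the ones found in the post.

```python
import base64
import json
import urllib.request

# Least-privilege roles identified in the thread, keyed by plugin.
# Chunked uploads additionally need core.add_upload (role core.upload_creator).
UPLOAD_ROLES = {
    "file": ("cli_file_uploader",
             ["file.view_filerepository", "file.modify_filerepository"]),
    "rpm": ("cli_rpm_uploader",
            ["rpm.view_rpmrepository", "rpm.modify_content_rpmrepository"]),
}


class PulpClient:
    """Minimal basic-auth client; `send` can be swapped for a fake transport."""

    def __init__(self, base_url, user, password, send=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.send = send or self._http

    def _http(self, method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")


def grant_uploader(client, plugin, group_pk, repo_href):
    """Create the uploader role and bind it to one repo; grant upload creation model-wide."""
    name, perms = UPLOAD_ROLES[plugin]
    client.send("POST", "/pulp/api/v3/roles/", {"name": name, "permissions": perms})
    roles_path = f"/pulp/api/v3/groups/{group_pk}/roles/"
    client.send("POST", roles_path, {"role": name, "content_object": repo_href})
    # content_object null == model-level assignment (the CLI's --object "")
    client.send("POST", roles_path, {"role": "core.upload_creator", "content_object": None})
    return name


def missing_permissions(client, plugin, repo_href):
    """Run as the target user: which required repo permissions are still absent?"""
    have = set(client.send("GET", repo_href + "my_permissions/", None)["permissions"])
    return sorted(set(UPLOAD_ROLES[plugin][1]) - have)


if __name__ == "__main__":
    admin = PulpClient("http://localhost:8080", "admin", "PLACEHOLDER")  # placeholders
    grant_uploader(admin, "file", 1, "/pulp/api/v3/repositories/file/file/REPO-UUID/")
```

Run missing_permissions with the uploader's own credentials: an empty list means the repository-level grants are in place, and any remaining failure on a chunked upload points at core.add_upload.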