Normal user got permission problem when uploading big rpm file as artifact

Hello everyone,

I got a permission problem when uploading a big rpm file as an artifact, but a small file works. Strange. Here are the details:

Problem:
Cannot upload a big rpm file as artifact by pulp artifact upload as a non-privileged user.

As a non-privileged user, I tried to upload two rpm files as artifacts. Strangely, it works for the small file, but not for the big rpm file (maybe when it is more than 1MB).
Here is the small file, 114K:

-rw-r--r-- 1 xxx xxxxxx 114K Sep 14  2017 uom-systems-0.7-1.el7.noarch.rpm

(pulpcli_venv) [xxx@xxxxxx ~]$ pulp artifact upload --file uom-systems-0.7-1.el7.noarch.rpm
Uploading file uom-systems-0.7-1.el7.noarch.rpm
{
  "pulp_href": "/pulp/api/v3/artifacts/77d005a8-7d7c-44bc-b456-56eed72b9189/",
  "pulp_created": "2023-10-27T15:12:29.178205Z",
  "file": "artifact/9b/ede41ba5143417f563e5ee346857f33476433552e210176ca0f519373713b7",
  "size": 115804,
  "md5": null,
  "sha1": null,
  "sha224": "d1ab2a7607fde532181000e9b82a6370a8193fa4750f191d5ef62bfa",
  "sha256": "9bede41ba5143417f563e5ee346857f33476433552e210176ca0f519373713b7",
  "sha384": "f67286cd1c33cb2117332e1484b3ddd968fd6c5fa924ce567a9f81a16b22db54cfb60203f35e39f831ef18a5986b6087",
  "sha512": "03a455ccd97f9e2552bdc9440e0e7cd8390102f0b0b6d963006fe23774da96a6bb2f8b11ec4632faaa0c2bde4c49b2e5a1644acb914c140d8c91566905fbc541"
}

Here is the big file, 91M:

-rw-r--r-- 1 xniu ccin2p3  91M Jul 13  2019 firefox-60.8.0-1.el7.centos.x86_64.rpm

(pulpcli_venv) [xxxx@xxxxxx ~]$ pulp artifact upload --file firefox-60.8.0-1.el7.centos.x86_64.rpm
Uploading file firefox-60.8.0-1.el7.centos.x86_64.rpm
Error: {"detail":"You do not have permission to perform this action."}

The error message in the server log looks like this:
Oct 27 16:49:56.305 xxxxx gunicorn[619003]: pulp [b53a16886b2e4a049963083e1397157f]: django.request:WARNING: Forbidden: /pulp/api/v3/uploads/4ccb0f01-a3b5-40ae-a0f9-490ba9397073/

I am under the same virtual env and using the same user account.
I don’t know why. Maybe related to chunk and permission for chunk?
What could be the reason? How to solve the problem?

Thanks in advance :slight_smile:
Pulpcore version:
"component": "core",
"version": "3.22.14",
"package": "pulpcore"
Pulp plugins installed and their versions:
"component": "rpm",
"version": "3.19.9",
"package": "pulp-rpm"

Operating system - distribution and version:
Rocky 9
Other relevant data:

When a file becomes large the CLI will switch over to chunk-uploading to avoid the upload file limit size (usually set by nginx/apache). There are different permission checks for uploading artifacts vs chunked uploading. To upload an artifact normally you just need to be authenticated, i.e. any normal user can upload artifacts. To upload an artifact with chunked uploads you need to have permissions from the RBAC system. To fix this I would add the role to your user account (note you need to be an admin to perform this operation):

pulp user role-assignment add --username "your_username" --role "core.upload_creator" --object ""

Then you should be able to perform large uploads with your non-privileged user account.

3 Likes

You can also always use pulp -v ... to see what’s going on.
Also, as a non-privileged user, I’d advise you not to create artifacts, but to upload content directly. Because Pulp does not grant permissions on content units (that would be insane), you need to ensure the content is created into a repository you own. The command should look like pulp rpm content [-t package] upload --repository <name> ....

Hello @gerrod @x9c4, thanks for the help :slight_smile:
From pulp -v, the permissions change_upload and view_upload are also needed.
So for the artifact permission problem, in the end I added --permission core.add_upload --permission core.view_upload --permission core.change_upload to make it work.

Under my current installation, I don’t have pulp rpm content upload available yet.

All these, because I am not using the latest version, I think. I will try to update pulpcore and pulp-rpm.
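
The server-log symptom from this thread as a small triage script (an added example, not part of any post and not Pulp's own code): it groups `Forbidden` warnings by API resource and flags denials on the uploads endpoint, which is the chunked-upload path. The `/pulp/api/v3/` prefix and the log layout are assumed to match the line quoted in the first post; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Permissions the thread reports as needed for chunked uploads.
UPLOAD_PERMS = ("core.add_upload", "core.view_upload", "core.change_upload")

# Assumed layout: "... pulp [<correlation id>]: django.request:WARNING: Forbidden: <path>"
LINE_RE = re.compile(
    r"pulp \[(?P<cid>[0-9a-f]+)\]: django\.request:WARNING: Forbidden: "
    r"/pulp/api/v3/(?P<resource>[^/\s]+)/(?:(?P<pk>[0-9a-f-]{36})/)?\S*"
)

# Constructed sample lines; host, PID, correlation ids and UUID are made up.
U1 = "11111111-1111-1111-1111-111111111111"
PFX = "Oct 27 16:49:5{}.000 host gunicorn[1000]: pulp [{}]: django.request:WARNING: {}"
SAMPLE_LOG = "\n".join([
    PFX.format(1, "a" * 32, "Forbidden: /pulp/api/v3/uploads/"),
    PFX.format(2, "b" * 32, f"Forbidden: /pulp/api/v3/uploads/{U1}/"),
    PFX.format(3, "c" * 32, f"Forbidden: /pulp/api/v3/uploads/{U1}/"),
    PFX.format(4, "d" * 32, "Not Found: /pulp/api/v3/nonexistent/"),
    PFX.format(5, "e" * 32, "Forbidden: /pulp/api/v3/repositories/rpm/rpm/"),
])

def triage(log_text):
    """Group 'Forbidden' warnings by API resource: {resource: summary}."""
    found = defaultdict(lambda: {"denials": 0, "objects": set(), "cids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 403 warning on the REST API
        entry = found[m["resource"]]
        entry["denials"] += 1
        entry["cids"].add(m["cid"])  # correlation id, for finding related log lines
        if m["pk"]:
            entry["objects"].add(m["pk"])  # UUID of the object that was denied
    return dict(found)

def hints(summary):
    """One line per resource; uploads denials point at the RBAC permissions."""
    out = []
    for resource, e in sorted(summary.items()):
        msg = f"{resource}: {e['denials']} denied, {len(e['objects'])} object(s)"
        if resource == "uploads":
            msg += "; chunked upload path, check RBAC: " + ", ".join(UPLOAD_PERMS)
        out.append(msg)
    return out

if __name__ == "__main__":
    print("\n".join(hints(triage(SAMPLE_LOG))))
```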

Please check the version of pulp cli first.

pulp rpm content --help shows upload to me.

Hello @x9c4
my pulp cli version is:

(pulpcli_venv) [xxx@xxx ~]$ pulp --version
pulp3 command line interface, version 0.21.2

My bad, with pulp rpm content --help, I do have upload. It was because I didn’t use --help :frowning: , so I only saw list and show

(pulpcli_venv) [xxx@xxxx ~]$ pulp rpm content 
Usage: pulp rpm content [OPTIONS] COMMAND [ARGS]...

Options:
  -t, --type [package|advisory|distribution_tree........
  --help                          Show this message and exit.

Commands:
  list
  show

I tried with pulp rpm content upload --file xxx.rpm --repository as a non-privileged user; for a big file, it still needs the permissions --permission core.add_upload --permission core.view_upload --permission core.change_upload

Yes, that is expected.

In fact, I follow the example Upload Content — Pulp RPM Support 3.23.0 documentation; I thought all the rpm files need to be uploaded as artifacts first, then create rpm content from the artifact, then add content to the repository, then publication + distribution.

So why do you suggest rpm content upload directly? Is there some difference? Performance? Or?

Without global permission to see all rpm content you would not be able to see and add the rpms to the repository after creating them as orphans. But creating them into your repo, that should just be fine.

This brings up an interesting question: Should we add create_upload to all the roles that allow uploading content?