Pulp_ansible: how does it work?

Hi all,

I’m trying to set up pulp_ansible on pulp3 to host my ansible collections, but I’m running into a couple of problems.

To start, I followed the instructions in Pulp in One Container | software repository management.

In Settings — Pulp Project 3.50.2 documentation I see that setting SECRET_KEY is required. This is not mentioned in the pulp-in-one-container documentation and setting it seems not to make any difference. Is that correct?

Despite having lots of “error: Failed to initialize NSS library” messages in the logs I ended up with a running container which I can query with “pulp status” and with curl by calling /pulp/api/v3/status/. Accessing this url using firefox or chrome results in an error 500 and pulp complaining about “django.template.exceptions.TemplateSyntaxError: ‘optional_logout’ did not receive value(s) for the argument(s): ‘csrf_token’”.

Other urls like /pulp/api/v3/docs/ and /pulp/content/ can be queried by firefox and chrome, though. Is this expected?

Anyway, the api works fine using pulp-cli.

Next, I skipped to Welcome to Pulp Ansible’s documentation! — Pulp ansible Support 0.21.3 documentation and tried to set up everything for hosting an ansible collection.

As it seems to be possible to add users and assign roles, I imagined this scenario:

  • add two repositories ‘foorepo’ and ‘barrepo’
  • add two distributions ‘foodist’ and ‘bardist’ which are bound to ‘foo’ or ‘bar’, respectively
  • add two users ‘foouser’ and ‘baruser’ with publishing rights on ‘foorepo’, ‘foodist’ or ‘barrepo’, ‘bardist’, respectively

for x in foo bar; do
  pulp ansible repository create --name "${x}repo"
  pulp ansible distribution create --name "${x}dist" --base-path "${x}" --repository "${x}repo"
  pulp user create --username "${x}user" --password "${x}pass1234"
  href_repo=$(pulp ansible repository list | jq -r ".[]|select(.name==\"${x}repo\")|.pulp_href")
  href_dist=$(pulp ansible distribution list | jq -r ".[]|select(.name==\"${x}dist\")|.pulp_href")
  pulp user role-assignment add --username "${x}user" --role ansible.ansiblerepository_owner --object "${href_repo}"
  pulp user role-assignment add --username "${x}user" --role ansible.ansiblerepository_creator --object "${href_repo}"
  pulp user role-assignment add --username "${x}user" --role ansible.ansibledistribution_owner --object "${href_dist}"
  pulp user role-assignment add --username "${x}user" --role ansible.ansibledistribution_creator --object "${href_dist}"
done

Now, I expected to be able to publish a collection using:

ansible-galaxy collection publish -s "http://foouser:foopass1234@$(hostname -f):8080/pulp_ansible/galaxy/foo/" test-package-1.2.3.tar.gz

Alas, I’m getting “You do not have permission to perform this action. Code: permission_denied” here.

So I tried without ‘href_{repo,dist}’, even though that’s probably not what I want, as, in my understanding, both users would have publishing rights to all repos and dists. Let’s use “foo” for now.

x=foo
href_repo=$(pulp ansible repository list | jq -r ".[]|select(.name==\"${x}repo\")|.pulp_href")
href_dist=$(pulp ansible distribution list | jq -r ".[]|select(.name==\"${x}dist\")|.pulp_href")
pulp user role-assignment remove --username "${x}user" --role ansible.ansiblerepository_owner --object "${href_repo}"
pulp user role-assignment remove --username "${x}user" --role ansible.ansiblerepository_creator --object "${href_repo}"
pulp user role-assignment remove --username "${x}user" --role ansible.ansibledistribution_owner --object "${href_dist}"
pulp user role-assignment remove --username "${x}user" --role ansible.ansibledistribution_creator --object "${href_dist}"

pulp user role-assignment add --username "${x}user" --role ansible.ansiblerepository_owner --object ""
pulp user role-assignment add --username "${x}user" --role ansible.ansiblerepository_creator --object ""
pulp user role-assignment add --username "${x}user" --role ansible.ansibledistribution_owner --object ""
pulp user role-assignment add --username "${x}user" --role ansible.ansibledistribution_creator --object ""

But I still get the “permission_denied” here.

My next two attempts were to grant all ansible related roles and to grant all roles I could find:

x=foo
pulp role list --limit 1000 | jq -r '.[]|select(.name|startswith("ansible."))|.name' | \
  while read r; do
    pulp user role-assignment add --username "${x}user" --role "${r}" --object ""
  done
x=foo
pulp role list --limit 1000 | jq -r '.[]|.name' | \
  while read r; do
    pulp user role-assignment add --username "${x}user" --role "${r}" --object ""
  done

Still no luck. How is this RBAC supposed to work, what am I missing?

In Settings — Pulp Project 3.50.2 documentation I see that setting SECRET_KEY is required. This is not mentioned in the pulp-in-one-container documentation and setting it seems not to make any difference. Is that correct?

Correct, it seems the SECRET_KEY gets set to True in the container by default if you don’t supply it (Not sure how though…). It doesn’t prevent Pulp from starting, but it is horribly insecure, so setting it is definitely recommended.

Despite having lots of “error: Failed to initialize NSS library” messages in the logs I ended up with a running container which I can query with “pulp status” and with curl by calling /pulp/api/v3/status/. Accessing this url using firefox or chrome results in an error 500

The Failed to initialize NSS library is harmless and shouldn’t affect Pulp. We are waiting on an upstream dependency to update their build process to include this missing dependency. If you want to remove it you can run dnf install nss inside the container. [0] The 500 issue when trying pulp/api/v3/status/ from a browser is a known recent issue, accessing status from the CLI should still work. [1]

Still no luck. How is this RBAC supposed to work, what am I missing?

We don’t have this documented and I had to look at the code to figure it out, but you need to create an extra role with one permission, ansible.add_collection, and assign it to each user on the model level.

pulp role create --name ansible.collection_publisher --permission ansible.add_collection
# Add this role to any user you want to be able to publish collections
pulp user role-assignment add --username foouser --role ansible.collection_publisher --object ""
# Now galaxy publish should work
ansible-galaxy collection publish -s "http://foouser:foopass1234@$(hostname -f):8080/pulp_ansible/galaxy/foo/" test-package-1.2.3.tar.gz

The RBAC policy for uploading a collection requires the above permission and permission to view the backing repository (this is given by the owner or viewer role). [2] Also, the creator role only gives permission to a user to create new objects (and it should only be specified at the model level, so use --object ""). If you don’t want your users to create new repos/distros then I wouldn’t assign them the creator role.

Hopefully this helps.

[0] New Centos9 base image is missing dependencies needed for pulp_rpm's createrepo_c dependency · Issue #601 · pulp/pulp-oci-images · GitHub
[1] 500 error when viewing Status API from web browser · Issue #5250 · pulp/pulpcore · GitHub
[2] https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/galaxy/v3/views.py#L531-L536
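The whole two-tenant scenario from the question, set up the way the answer above describes, as an added example (this is not code from the thread or from the Pulp project). It assumes pulp-cli is already configured against the server so that a plain `pulp ...` works, that `jq` is installed, and that `hostname -f` resolves to the name clients will use; the `/etc/pulp/settings.py` mount path and the `CONTENT_ORIGIN` setting follow the pulp-in-one-container documentation, and the `[galaxy_server.*]` keys are ansible-galaxy's own configuration format. The owner roles stay object-scoped, the `*_creator` roles are left out, and the publisher role carrying `ansible.add_collection` is assigned once per user at the model level, which is the combination the answer says the upload policy checks (plus view permission on the backing repository, which the owner role provides):

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Pulp project): per-tenant pulp_ansible
# setup following gerrod's answer.  Assumes a configured pulp-cli and jq.
set -eu

TENANTS="foo bar"

# 64-character random SECRET_KEY.  Pulp reads it from /etc/pulp/settings.py; the
# container falls back to an insecure default when it is not set.
gen_secret_key() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Minimal settings.py to place in the ./settings directory that
# pulp-in-one-container mounts at /etc/pulp.
write_settings() {
  path="$1"; origin="$2"
  printf 'SECRET_KEY = "%s"\nCONTENT_ORIGIN = "%s"\n' "$(gen_secret_key)" "$origin" > "$path"
}

# Extract one object's pulp_href from a pulp-cli `list` result (JSON on stdin).
href_from_json() {
  jq -r --arg n "$1" '.[] | select(.name == $n) | .pulp_href'
}

href_of() {  # href_of repository foorepo  |  href_of distribution foodist
  pulp ansible "$1" list | href_from_json "$2"
}

# ansible.add_collection is a model-level permission (it is not attached to a
# repository), so the role is created once and assigned with --object "".
create_publisher_role() {
  pulp role create --name ansible.collection_publisher --permission ansible.add_collection
}

# One tenant: repository, distribution and user.  The user gets owner on its own
# repository and distribution (object level, which also grants the view permission
# the upload policy needs) plus the publisher role (model level).  The *_creator
# roles from the original script are omitted: they only allow creating new objects.
setup_tenant() {
  x="$1"; password="$2"
  pulp ansible repository create --name "${x}repo"
  pulp ansible distribution create --name "${x}dist" --base-path "$x" --repository "${x}repo"
  pulp user create --username "${x}user" --password "$password"
  repo_href=$(href_of repository "${x}repo")
  dist_href=$(href_of distribution "${x}dist")
  pulp user role-assignment add --username "${x}user" --role ansible.ansiblerepository_owner --object "$repo_href"
  pulp user role-assignment add --username "${x}user" --role ansible.ansibledistribution_owner --object "$dist_href"
  pulp user role-assignment add --username "${x}user" --role ansible.collection_publisher --object ""
}

# ansible.cfg pointing ansible-galaxy at one tenant's galaxy endpoint, so the
# credentials are not embedded in the URL (and thus in shell history and `ps`).
write_galaxy_cfg() {
  path="$1"; x="$2"; password="$3"; host="$4"
  cat > "$path" <<EOF
[galaxy]
server_list = ${x}

[galaxy_server.${x}]
url = http://${host}:8080/pulp_ansible/galaxy/${x}/
username = ${x}user
password = ${password}
EOF
}

main() {
  host=$(hostname -f)
  write_settings settings/settings.py "http://${host}:8080"
  create_publisher_role
  for x in $TENANTS; do
    setup_tenant "$x" "${x}pass1234"
    write_galaxy_cfg "ansible-${x}.cfg" "$x" "${x}pass1234" "$host"
  done
  # Each tenant then publishes with its own config, e.g.
  #   ANSIBLE_CONFIG=ansible-foo.cfg ansible-galaxy collection publish test-package-1.2.3.tar.gz
}
```

Source the file and call `main` once the container is up (the settings file has to exist before the first start, so in practice run `write_settings` first and the rest after). Because `ansible.add_collection` can only be granted at the model level, this does not stop `foouser` from publishing into `bardist` if `foouser` is ever given a viewer or owner role on `barrepo`; keep the per-repository roles strictly per tenant.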


Hi gerrod, thanks a lot for your help!

By creating this role and assigning it to foouser I was able to publish the ansible collection :)
I guess I cannot limit this role somehow to a specific repo or distribution? It’d be unfortunate if foouser could mess with baruser’s collections.

Also, can I give non-authorized access to the collections so anonymous users are able to download a collection, or can’t this be overridden?
https://docs.pulpproject.org/pulpcore/authentication/overview.html#which-urls-require-authentication

After looking at the code again I don’t think we allow users to change the RBAC policies for the Galaxy APIs through the Pulp Access Policy API since the Galaxy endpoints don’t get counted with the Pulp ones. [0] I think this is an oversight on our part and you should file a feature request in pulp_ansible to allow them to be customizable. [1]

[0] Pulp 3 REST API documentation
[1] https://github.com/pulp/pulp_ansible/issues/new/choose


Thanks, will do :)