Pulp_rpm: content create as non-admin user

Hi!

I want to deploy rpms through my ci/cd and therefore I added a non-admin user and gave it some permissions:

pulp role create --name "rpm_publisher" \
    --permission "rpm.view_rpmrepository" \
    --permission "rpm.add_rpmpublication" \
    --permission "rpm.add_rpmdistribution"
pulp user create --username publisher --password "..."
pulp user role-assignment add --username publisher \
    --role rpm_publisher --object ""

Pushing rpms directly into a repository works well using the rest api. But as some packages consist of multiple rpm files (foo, foo-libs, foo-devel, …) I want to add all of these at once.

According to Upload Content — Pulp RPM Support 3.25.3 documentation I need to perform the following steps:

  1. upload rpms to /pulp/api/v3/artifacts/
  2. create content from these artifacts by passing the artifact_hrefs to /pulp/api/v3/content/rpm/packages/
  3. modify repo and add these content_hrefs

The pulp-cli requires the additional step of getting the artifact’s checksum and passing this checksum to pulp rpm content create --sha256, which, according to pulp -v only translates this back to the artifact_hrefs and passes these hrefs to pulp/api/v3/content/rpm/packages/. This is something I don’t understand, why is this needed instead of passing the artifact_href directly?

Anyway, my problem is that step 2, creating content from the artifacts, only works as admin user. The “publisher” user is required to pass a destination repository. No matter whether I use the rest api or pulp-cli:

chksum=$(pulp show --href ${artifact_href} | jq -r .sha256)
pulp --username publisher --password "..." rpm content create --sha256 ${chksum}
# Error: ["Destination upload repository was not provided."]

What permissions are required to create rpm content without specifying a repository?

What you say is definitely right. The file → artifact → content → repository workflow has been there from the beginning of pulp3. But it was not maintainable in the face of RBAC (we decided that having permissions on the individual content unit is not feasible).
So we restricted the accessibility (and visibility) of content to the repository. For this, the content upload endpoint allows receiving either a file or an (uncommitted) upload object and needs a repository where the content will be added, so you can see it. I think the process is sketched out in this new (not yet official) version of the docs.

https://staging-docs.pulpproject.org/pulp_rpm/docs/user/guides/02-upload/#post-content

This is useful as I was trying to use the artifact workflow and was running into a permissions issue. Uploading the package directly to the repository also simplifies things into one command.

Though I’m having an issue with permissions when trying to upload a package with a created user.

pulp --config pulp.config rpm content -t package upload --file package_file.rpm --repository reponame
Error: {"detail":"You do not have permission to perform this action."}

Note, it works fine if I use the built-in admin user.

Just to try and get this working, I tried assigning the rpm.admin role to the user, with no luck. I also tried creating and assigning the example rpm_publisher role from the documentation here - Configure Role Based Access Control - Pulp Project

Any other tips to try to enable a created user to be able to upload rpm files to an rpm repo? I feel like it’s going to be a simple missed permission somewhere.

Thanks!


Depending on the size of the file you may need to assign the core.upload_creator role, too.
Can you add -v right after pulp in that command so we can see what http call actually failed?

With the verbose flag:

uploads_create : post https://host.name/pulp/api/v3/uploads/
Response: 403

You were right though, I added core.upload_creator and it started working! 🙂

Thanks for your time and the suggestion.

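The repository-bound upload flow described in the thread, as an added example that is not part of the original posts and not pulp-cli's or pulpcore's own code. It does over the REST API what `pulp rpm content upload --file ... --repository ...` does for a non-admin user: a file no larger than one chunk is sent in a single multipart POST to /pulp/api/v3/content/rpm/packages/ together with the repository href; a larger file is first turned into an upload object at /pulp/api/v3/uploads/ (the POST that returned 403 above and that core.upload_creator grants), its chunks are PUT with Content-Range headers, and the uncommitted upload href plus the repository are then passed to the content endpoint. Assumptions (not stated on the page): HTTP basic auth, pulpcore 3.x chunked-upload semantics, and a 1 MiB chunk size; the class and function names are this example's own.

```python
"""Add an RPM to a Pulp repository as a non-admin user over the REST API.

Added example (assumptions: basic auth, pulpcore 3.x chunked uploads with a
Content-Range header per chunk, 1 MiB chunk size). Not pulp-cli/pulpcore code.
"""
import base64
import hashlib
import json
import time
import urllib.error
import urllib.request
import uuid

CHUNK_SIZE = 1024 * 1024  # assumption: pulp-cli's default 1 MiB chunk size


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def needs_chunked_upload(size: int, chunk_size: int = CHUNK_SIZE) -> bool:
    """Files larger than one chunk go through /uploads/, which needs core.upload_creator."""
    return size > chunk_size


def chunk_ranges(size: int, chunk_size: int = CHUNK_SIZE) -> list[tuple[int, int]]:
    """Inclusive byte ranges, one per chunk, in upload order."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [(start, min(start + chunk_size, size) - 1) for start in range(0, size, chunk_size)]


def content_range(start: int, end: int, size: int) -> str:
    """Value of the Content-Range header for one chunk."""
    return f"bytes {start}-{end}/{size}"


def encode_multipart(fields: dict[str, str], files: dict[str, tuple[str, bytes]]) -> tuple[bytes, str]:
    """Minimal multipart/form-data encoder (stdlib has no client-side one); returns (body, Content-Type)."""
    boundary = uuid.uuid4().hex
    body = bytearray()
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    for name, (filename, data) in files.items():
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        body += data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    return bytes(body), f"multipart/form-data; boundary={boundary}"


class PulpClient:
    def __init__(self, base_url: str, username: str, password: str):
        self.base_url = base_url.rstrip("/")
        self.auth_header = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

    def request(self, method, path, body=None, content_type=None, extra_headers=None):
        url = path if path.startswith("http") else self.base_url + path  # hrefs come back relative
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", self.auth_header)
        if content_type:
            req.add_header("Content-Type", content_type)
        for key, value in (extra_headers or {}).items():
            req.add_header(key, value)
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            hint = "; POST /uploads/ is what core.upload_creator grants" if err.code == 403 and "/uploads/" in url else ""
            raise RuntimeError(f"{method} {url} failed with HTTP {err.code}{hint}") from err
        return json.loads(raw) if raw else None

    def wait_task(self, task_href: str, timeout: float = 600) -> dict:
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            task = self.request("GET", task_href)
            if task["state"] in ("completed", "failed", "canceled"):
                return task
            time.sleep(1)
        raise TimeoutError(task_href)

    def upload_rpm(self, repository_href: str, filename: str, data: bytes) -> dict:
        """Add one RPM to the repository; returns the finished task."""
        size = len(data)
        if needs_chunked_upload(size):
            # Large file: create an upload object, PUT the chunks, then hand the
            # uncommitted upload href to the content endpoint with the repository.
            upload = self.request("POST", "/pulp/api/v3/uploads/",
                                  json.dumps({"size": size}).encode(), "application/json")
            for start, end in chunk_ranges(size):
                chunk = data[start:end + 1]
                body, ctype = encode_multipart({"sha256": sha256_hex(chunk)}, {"file": (filename, chunk)})
                self.request("PUT", upload["pulp_href"], body, ctype,
                             {"Content-Range": content_range(start, end, size)})
            body, ctype = encode_multipart({"repository": repository_href, "upload": upload["pulp_href"]}, {})
        else:
            # Small file: one multipart POST carrying the file and the repository.
            body, ctype = encode_multipart({"repository": repository_href}, {"file": (filename, data)})
        task = self.request("POST", "/pulp/api/v3/content/rpm/packages/", body, ctype)
        return self.wait_task(task["task"])


if __name__ == "__main__":
    import sys
    # usage: upload_rpm.py https://host.name publisher 'secret' /pulp/api/v3/repositories/rpm/rpm/<id>/ foo.rpm
    base, user, password, repo_href, path = sys.argv[1:6]
    with open(path, "rb") as fh:
        result = PulpClient(base, user, password).upload_rpm(repo_href, path.rsplit("/", 1)[-1], fh.read())
    print(result["state"], result.get("created_resources"))
```

Run it once with a package below 1 MiB and once with one above: if the first succeeds and the second fails on the POST to /pulp/api/v3/uploads/ with 403, the user has the repository permissions but lacks core.upload_creator, which matches the diagnosis in the thread. Because the content POST is asynchronous, the script waits for the task rather than treating the 202 as success.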