Bug
Resolution: Done
Critical
2.3
ANSTRAT-423 - Direct LDAP connection from Private Hub in App without another VM being required
Do Not Include (note: this means to exclude from release notes and errata)
Description
A non-admin user can't push an image to a container repository if LDAP is enabled. When LDAP is off, the issue does not occur.
Steps to Reproduce
Preconditions:
LDAP is enabled
PULP_TOKEN_AUTH_DISABLED=true
non admin user is in a group with a role with the permission "container.namespace_push_containerdistribution"

```
podman login localhost:5001 --username rbac-user-test_078040f4-b837-4252-8a2c-9f775c08102f --password p@ssword! --tls-verify=False
podman push localhost:5001/ee_d2ff4ecd-c678-494e-82e3-21a5b470a5fb:latest --tls-verify=False
```

Actual Behavior
Error: writing blob: initiating layer upload to /v2/ee_d2ff4ecd-c678-494e-82e3-21a5b470a5fb/blobs/uploads/ in localhost:5001: denied: Access to the requested resource is not authorized.
Expected Behavior
Push successful
Note: the same error occurs when the group is added in the EE's owners tab (both global and object permissions).
related IQE test
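
```python
from uuid import uuid4

# app, galaxy_client and skip_if_rbac_not_available are pytest fixtures, and
# add_new_user_to_new_group / create_local_image_container are helpers, all
# defined elsewhere in the test suite (not shown on this page).


def test_global_role_push_image_to_ee(app, galaxy_client, skip_if_rbac_not_available):
    """
    Verifies that when a user has global permissions
    to push an image, the user can push an image
    """
    gc = galaxy_client("ansible_insights", ignore_cache=True)
    # Create a fresh non-admin user inside a fresh group
    user, group = add_new_user_to_new_group(gc)
    # Grant the group a role that carries only the push permission
    permissions_user = ["container.namespace_push_containerdistribution"]
    role_user = f"galaxy.rbac_test_role_{uuid4()}"
    gc.create_role(role_user, "any_description", permissions_user)
    gc.add_role_to_group(role_user, group["id"])
    # Create the EE as admin, then push to it as the non-admin user
    ee_name = create_local_image_container(app, gc)
    gc_user = galaxy_client(user)
    return_code = gc_user.push_image(ee_name + ":latest")
    assert return_code == 0
```
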
test case logs

```
-------------------------------- live log setup --------------------------------
106 Run command run_args: podman login localhost:5001 --username admin --password admin --tls-verify=False
108 Run command stderr:
109 Run command stdout: Login Succeeded!
110 Run command return code: 0
58 Logged in with user admin
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "GET /api/automation-hub/ HTTP/1.1" 200 270
-------------------------------- live log call ---------------------------------
106 Run command run_args: podman login localhost:5001 --username admin --password admin --tls-verify=False
108 Run command stderr:
109 Run command stdout: Login Succeeded!
110 Run command return code: 0
58 Logged in with user admin
106 Run command run_args: podman pull docker.io/library/alpine
108 Run command stderr: Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:213ec9aee27d8be045c6a92b7eac22c9a64b44558193775a1a7f626352392b49
Copying config sha256:9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
Writing manifest to image destination
Storing signatures
109 Run command stdout: 9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
110 Run command return code: 0
106 Run command run_args: podman image tag alpine localhost:5001/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d:latest
108 Run command stderr:
109 Run command stdout:
110 Run command return code: 0
106 Run command run_args: podman push localhost:5001/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d:latest --tls-verify=False
108 Run command stderr: Getting image source signatures
Copying blob sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7
Copying config sha256:9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
Writing manifest to image destination
Storing signatures
109 Run command stdout:
110 Run command return code: 0
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "GET /api/automation-hub/_ui/v1/execution-environments/repositories/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d/_content/images/ HTTP/1.1" 200 877
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "DELETE /api/automation-hub/_ui/v1/execution-environments/repositories/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d/_content/images/sha256:45739f46c7027fb602a70863415e1db3660440d80b528b120e5b72db4c07d691/ HTTP/1.1" 202 86
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "POST /api/automation-hub/_ui/v1/groups/ HTTP/1.1" 201 126
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "GET /api/automation-hub/_ui/v1/users?username=rbac-user-test_971bc5c3-1758-4f52-81f8-5411181e2073 HTTP/1.1" 301 0
273 Resetting dropped connection: localhost
456 http://localhost:5001 "GET /api/automation-hub/_ui/v1/users/?username=rbac-user-test_971bc5c3-1758-4f52-81f8-5411181e2073 HTTP/1.1" 200 313
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "POST /api/automation-hub/_ui/v1/users/ HTTP/1.1" 201 219
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "POST /api/automation-hub/_ui/v1/groups/5/users/ HTTP/1.1" 201 121
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "POST /api/automation-hub/pulp/api/v3/roles/ HTTP/1.1" 201 316
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "GET /api/automation-hub/_ui/v1/execution-environments/namespaces/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d/ HTTP/1.1" 200 753
228 Starting new HTTP connection (1): localhost:5001
456 http://localhost:5001 "PUT /api/automation-hub/_ui/v1/execution-environments/namespaces/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d/ HTTP/1.1" 200 901
106 Run command run_args: podman login localhost:5001 --username rbac-user-test_971bc5c3-1758-4f52-81f8-5411181e2073 --password p@ssword! --tls-verify=False
108 Run command stderr:
109 Run command stdout: Login Succeeded!
110 Run command return code: 0
58 Logged in with user rbac-user-test_971bc5c3-1758-4f52-81f8-5411181e2073
106 Run command run_args: podman push localhost:5001/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d:latest --tls-verify=False
108 Run command stderr: Getting image source signatures
Copying blob sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7
Error: writing blob: initiating layer upload to /v2/ee_8368a3d1-14e4-4386-9fe8-347d9b56771d/blobs/uploads/ in localhost:5001: denied: Access to the requested resource is not authorized.
109 Run command stdout:
110 Run command return code: 125
FAILED [ 50%]
iqe_automation_hub/tests/api/test_rbac.py:658 (test_object_role_push_image_to_ee)
125 != 0
Expected :0
Actual :125
```