#12175 Create pagure API token with group_modify ACLs
Closed: Fixed a month ago by lenkaseg. Opened 2 months ago by lenkaseg.

Describe what you would like us to do:

Create a pagure API token with group_modify ACLs and make it accessible from fedora_messaging.toml.

pagure_user=maybe "toddler"? or "cleaning_packager_groups"?

It's needed for the toddler cleaning_packager_groups, which removes a user who has been removed from a packager group from all distgit groups.
The toddler calls the api_group_remove_member API endpoint, which requires group_modify permissions.
For both staging and production please.

When do you need this to be done by? (YYYY/MM/DD)

the sooner the better, but it's not urgent


I think there should already be an API token with the permissions used for the pagure_group_sync toddler. It would probably be better to use that one.

Let me know if that is working for you.

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 months ago

Metadata Update from @zlopez:
- Issue assigned to zlopez

2 months ago

@lenkaseg Does the token work for you?

Trying to make a POST request (removing myself from the infra-sig group with that token) and I get: The method is not allowed for the requested URL.
Weird, it should have the same ACLs...

Does not seem to work:

{'error': 'Invalid or expired token. Please visit https://src.fedoraproject.org/settings#nav-api-tab to get or renew your API token.',
 'error_code': 'EINVALIDTOK',
 'errors': 'Invalid token'}

Ah, ok. What I actually want is a distgit_api_token.

There is a dist_git_token,
but it lacks the correct ACLs:

{'error': 'Invalid or expired token. Please visit https://src.fedoraproject.org/settings#nav-api-tab to get or renew your API token.',
 'error_code': 'EINVALIDTOK',
 'errors': 'Missing ACLs: group_modify'}

That means you are sending the wrong HTTP method. Could you share the URL you are trying to reach?

Forgot to refresh the ticket, so I was responding to the wrong comment.

For dist_git you need a separate token, but the groups in dist_git should reflect the state in FAS. They are updated automatically. Why do you need to update them manually?

I think the problem this fix is trying to solve is that the update is happening when the user logs in. When they don't, they keep being members of the distgit group.

But in any case you need to remove the user from the corresponding FAS group, otherwise the change in dist-git will be overridden.

The issue is that dist-git doesn't provide group_modify ACL at all.
Here is the list of ACLs when trying to generate token on dist-git:

0.  pull_request_flag
1.  pull_request_comment
2.  pull_request_merge
3.  create_project
4.  modify_project
5.  generate_acls_project
6.  commit_flag
7.  create_branch
8.  tag_project

That's a regular user token?

I think there are 'admin tokens' that let you do more? But I am not sure 100% if they have a group_modify or not.

Ah, I think it needs to be added to our ./roles/distgit/pagure/templates/pagure.cfg.
Looking at the upstream config, it has the modify_group ACL listed, but we don't?

(I wonder what other acls are we missing?)

So we added the group_modify ACL to the ADMIN_API_ACLS: https://pagure.io/fedora-infra/ansible/pull-request/2276, but I still get the same error when trying to remove myself from a group in distgit:

{'error': 'Invalid or expired token. Please visit https://src.fedoraproject.org/settings#nav-api-tab to get or renew your API token.',
 'error_code': 'EINVALIDTOK',
 'errors': 'Missing ACLs: group_modify'}

How I test it:

import json
import requests

# distgit_api_token is the toddlers dist-git API token (read from fedora_messaging.toml)
headers = {
    "Authorization": "token {0}".format(distgit_api_token),
    "Accept": "application/json",
    "Content-Type": "application/json",
}

payload = {"user": "lenkaseg"}

distgit_url = "https://src.fedoraproject.org/api/0/group/infra-sig/remove"

r = requests.post(distgit_url, data=json.dumps(payload), headers=headers)

r.json()
# Returned:
{'error': 'Invalid or expired token. Please visit https://src.fedoraproject.org/settings#nav-api-tab to get or renew your API token.',
 'error_code': 'EINVALIDTOK',
 'errors': 'Missing ACLs: group_modify'}
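The thread shows three distinct failure modes for the same call: a 405 when the wrong HTTP method is used, EINVALIDTOK with "Invalid token" when the token itself is wrong, and EINVALIDTOK with "Missing ACLs: ..." when the token is valid but lacks group_modify. The helper below is an added example (not code from the toddlers project) that performs the group-remove call with the stdlib only and classifies the response so a caller can tell these cases apart; the endpoint path is the one used above, the token and group are placeholders.

```python
import json
import urllib.error
import urllib.request

# Same API root as the call above; the token you pass in is a placeholder.
DISTGIT_API = "https://src.fedoraproject.org/api/0"


def classify_pagure_error(status, body):
    """Map a Pagure API response to (kind, detail).

    kind is one of "ok", "missing_acl", "bad_token", "method_not_allowed", "other".
    For "missing_acl" the detail is the list of ACL names the token lacks.
    """
    if status == 405:
        return ("method_not_allowed", "wrong HTTP method for this endpoint")
    if isinstance(body, dict) and body.get("error_code") == "EINVALIDTOK":
        errors = str(body.get("errors", ""))
        if errors.startswith("Missing ACLs:"):
            acls = [a.strip() for a in errors.split(":", 1)[1].split(",") if a.strip()]
            return ("missing_acl", acls)
        return ("bad_token", errors)  # e.g. 'Invalid token' (wrong or expired token)
    if isinstance(body, dict) and "error" in body:
        return ("other", body["error"])
    return ("ok", body)


def remove_user_from_group(token, group, user, base_url=DISTGIT_API):
    """POST /api/0/group/<group>/remove with a dist-git API token; returns classify_pagure_error()."""
    req = urllib.request.Request(
        f"{base_url}/group/{group}/remove",
        data=json.dumps({"user": user}).encode(),
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # Pagure returns its JSON error body with a 4xx status
        status, raw = exc.code, exc.read()
    try:
        body = json.loads(raw.decode() or "null")
    except ValueError:
        body = raw.decode(errors="replace")
    return classify_pagure_error(status, body)
```

Checking for "missing_acl" before deploying a regenerated token would have caught the case in this ticket, where the token was created without the ACL because it was absent from the dist-git database.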

Just a question, did you generate a new token with group_modify ACLs after enabling them on dist_git?

@kevin Those are the pagure-admin admin-token ACLs I shared.

Just a question, did you generate a new token with group_modify ACLs after enabling them on dist_git?

Nope, I didn't!
(Not sure if I have perms to do so, I'm not a distgit admin)

So you are still using a token with the old ACLs. You will probably need to generate a new one. I'm not sure if it's possible to add a new ACL to an existing one.

I regenerated the toddlers dist-git tokens for staging and production to contain the new modify_group permission. Let me know if anything is still missing.

The new token didn't work and we spent some time today debugging the issue with @lenkaseg.

After some investigation we found out that the issue is actually with the group_modify ACL missing in the dist-git database. Unfortunately pagure-admin will not throw any error and just creates the token without the ACL, or doesn't create the token at all if this is the only ACL.

@lenkaseg is working on a PR to add the new ACL to the correct section in the dist-git configuration, and after updating the pagure configuration I need to run pagure-admin update-acls manually to update it in the database on all affected machines.

The PR is merged and the new ACL added to both dist-git on staging and production. I regenerated the tokens with the group_modify ACL (checked that this time).

Just run the playbook for toddlers and the tokens should be in place. Hopefully it will work this time.

dist_git_token created and tested, confirmed working.
Closing issue.
Thank you!

Metadata Update from @lenkaseg:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago


Metadata
Boards 1
ops Status: Backlog
Related Pull Requests
  • #2276 Merged a month ago