[FOLIO-3343] folio-ansible tenant admin bootstrap script failure Created: 15/Nov/21  Updated: 18/Jan/22  Resolved: 18/Nov/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: TBD
Reporter: Wayne Schneider Assignee: Wayne Schneider
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to MODPERMS-161 perms.users.assign.immutable can give... Closed
Sprint: DevOps Sprint 127
Development Team: FOLIO DevOps

 Description   

We are seeing this error when building the tenant admin user:

failed: [10.36.1.10] (item=perms.users.assign.okapi) => {"ansible_loop_var": "item", "changed": false, "connection": "close", "content": "Cannot add okapi permission perms.users.assign.okapi not owned by operating user 88e0aa9e-6ce0-5410-a029-0cde5cf4f9b2", "content_type": "text/plain", "elapsed": 0, "item": "perms.users.assign.okapi", "msg": "Status code was 403 and not [200]: HTTP Error 403: Forbidden", "redirected": false, "status": 403, "transfer_encoding": "chunked", "url": "http://10.36.1.10:9130/perms/users/89836a62-1255-44fd-b48e-035d2ae23633/permissions", "vary": "origin", "x_okapi_trace": "POST mod-permissions-6.0.0-SNAPSHOT.126 http://10.36.1.10:9137/perms/users/89836a62-1255-44fd-b48e-035d2ae23633/permissions : 403 13167us"}

This may be due to the changes introduced in MODPERMS-161 (Closed).

See Slack conversation at https://folio-project.slack.com/archives/CFQU1MF61/p1636984948069700?thread_ts=1636984118.069400&cid=CFQU1MF61



 Comments   
Comment by Wayne Schneider [ 15/Nov/21 ]

The issue is that the tenant-admin-permissions role was not excluding perms.assign.okapi, as it should (since the tenant admin in the reference environments should not have special Okapi permissions).

Comment by Adam Dickmeiss [ 15/Nov/21 ]

Nice, so this makes it more secure than before.

Comment by Wayne Schneider [ 17/Nov/21 ]

Reopening. This change causes the Vagrant box builds to fail when creating the special testing_admin user, which requires the okapi.all permission set. See log of failed build.

Comment by Wayne Schneider [ 17/Nov/21 ]

Probably the "right" thing to do is to disable mod-authtoken, grant diku_admin the permission, create the testing_admin user, revoke the permission from diku_admin, and re-enable mod-authtoken. I took the easy way out and just created diku_admin with perms.users.assign.okapi (and no other Okapi permissions), not ideal.

Comment by Adam Dickmeiss [ 18/Jan/22 ]

That testing_admin is a huge security risk with a known password and everything... let's hope nobody creates that user for a production system.
