[FOLIO-3343] folio-ansible tenant admin bootstrap script failure Created: 15/Nov/21 Updated: 18/Jan/22 Resolved: 18/Nov/21 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | TBD |
| Reporter: | Wayne Schneider | Assignee: | Wayne Schneider |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: |
|
| Sprint: | DevOps Sprint 127 | ||||||||
| Development Team: | FOLIO DevOps | ||||||||
| Description |
|
We are seeing this error when building the tenant admin user:
failed: [10.36.1.10] (item=perms.users.assign.okapi) => {"ansible_loop_var": "item", "changed": false, "connection": "close", "content": "Cannot add okapi permission perms.users.assign.okapi not owned by operating user 88e0aa9e-6ce0-5410-a029-0cde5cf4f9b2", "content_type": "text/plain", "elapsed": 0, "item": "perms.users.assign.okapi", "msg": "Status code was 403 and not [200]: HTTP Error 403: Forbidden", "redirected": false, "status": 403, "transfer_encoding": "chunked", "url": "http://10.36.1.10:9130/perms/users/89836a62-1255-44fd-b48e-035d2ae23633/permissions", "vary": "origin", "x_okapi_trace": "POST mod-permissions-6.0.0-SNAPSHOT.126 http://10.36.1.10:9137/perms/users/89836a62-1255-44fd-b48e-035d2ae23633/permissions : 403 13167us"}
This may be due to the changes introduced in
See Slack conversation at https://folio-project.slack.com/archives/CFQU1MF61/p1636984948069700?thread_ts=1636984118.069400&cid=CFQU1MF61 |
| Comments |
| Comment by Wayne Schneider [ 15/Nov/21 ] |
|
The issue is that the tenant-admin-permissions role was not excluding perms.assign.okapi, as it should (since the tenant admin in the reference environments should not have special Okapi permissions). |
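As an added illustration (not folio-ansible's own code) of the failure in the description and the root cause in the comment above: a small helper that parses the Ansible loop failure, picks out the items mod-permissions rejected as "not owned by operating user", and filters those Okapi-internal names out of a tenant-admin permission list. The sample log line is constructed from the error text in this issue; the rule that names ending in `.okapi` (plus `okapi.all`) are Okapi-internal is an assumption for the example, not a documented FOLIO convention.

```python
"""Added example, not the folio-ansible role's code: spot Okapi-owned
permissions in an Ansible loop failure and exclude them from a tenant admin."""
import json
import re
from typing import Optional

# Shape of an Ansible loop failure: 'failed: [host] (item=NAME) => {json}'
_FAILED_RE = re.compile(
    r"^failed: \[(?P<host>[^\]]+)\] \(item=(?P<item>[^)]+)\) => (?P<body>\{.*\})$")
_NOT_OWNED = "not owned by operating user"   # mod-permissions' 403 wording

# Constructed sample log mirroring the 403 shown in the issue description.
SAMPLE_LOG = [
    'failed: [10.36.1.10] (item=perms.users.assign.okapi) => {"ansible_loop_var": "item", '
    '"changed": false, "content": "Cannot add okapi permission perms.users.assign.okapi '
    'not owned by operating user 88e0aa9e-6ce0-5410-a029-0cde5cf4f9b2", "item": '
    '"perms.users.assign.okapi", "msg": "Status code was 403 and not [200]: HTTP Error 403: Forbidden", '
    '"status": 403, "url": "http://10.36.1.10:9130/perms/users/89836a62-1255-44fd-b48e-035d2ae23633/permissions"}',
    'ok: [10.36.1.10] (item=users.all) => {"changed": false, "status": 200}',
]


def parse_failure(line: str) -> Optional[dict]:
    """Return host/item/status/content for a failed loop item, or None for other lines."""
    m = _FAILED_RE.match(line)
    if not m:
        return None
    body = json.loads(m.group("body"))
    return {"host": m.group("host"), "item": m.group("item"),
            "status": body.get("status"), "content": body.get("content", "")}


def okapi_owned_failures(lines) -> set:
    """Permission names refused with 403 because the operating user does not own them."""
    found = set()
    for line in lines:
        rec = parse_failure(line)
        if rec and rec["status"] == 403 and _NOT_OWNED in rec["content"]:
            found.add(rec["item"])
    return found


def filter_tenant_admin_perms(desired, extra_excludes=frozenset()):
    """Drop Okapi-internal permissions from a tenant-admin permission list.
    Assumption: 'okapi.all' and names ending in '.okapi' are Okapi-internal;
    extra_excludes lets the caller feed in what okapi_owned_failures() found."""
    def internal(p):
        return p == "okapi.all" or p.endswith(".okapi") or p in extra_excludes
    return [p for p in desired if not internal(p)]
```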
| Comment by Adam Dickmeiss [ 15/Nov/21 ] |
|
Nice, so this makes it more secure than before. |
| Comment by Wayne Schneider [ 17/Nov/21 ] |
|
Reopening. This change causes the Vagrant box builds to fail when creating the special testing_admin user, which requires the okapi.all permission set. See log of failed build. |
| Comment by Wayne Schneider [ 17/Nov/21 ] |
|
Probably the "right" thing to do is to disable mod-authtoken, grant diku_admin the permission, create the testing_admin user, revoke the permission from diku_admin, and re-enable mod-authtoken. I took the easy way out and just created diku_admin with perms.users.assign.okapi (and no other Okapi permissions), not ideal. |
| Comment by Adam Dickmeiss [ 18/Jan/22 ] |
|
That testing_admin is a huge security risk with a known password and everything... let's hope nobody creates that user for a production system. |