Closed Bug 1513619 Opened 6 years ago Closed 6 years ago

Please create a kinto account "crlite_publisher" for the publication of CRLite state

Categories

(Cloud Services :: Server: Remote Settings, enhancement)

Product:
Cloud Services
Component:
Server: Remote Settings
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jcj, Assigned: autrilla)

References

(Blocks 1 open bug)

Details

We need a dedicated user for CRLite to be able to publish state updates. This will need to function for prod and stage. It will be used from the CRLite server(s) once firewall access is open. (In the mean time, I will use it.)

Username can be "crlite_publisher".
Assignee: mathieu → autrilla

Adrian, could you check this out and send the password to mgoodwin and jjones please?
Thanks!

I sent the password to them already last Tuesday, waiting for confirmation that it all works

In order to keep the ball rolling, could you please confirm that the accounts work on your side please?

You can check the output of the following commands:

    $ curl -s https://settings-writer.stage.mozaws.net/v1/ -u crlite_publisher:secret | jq .user.id
    "account:crlite_publisher"

    $ curl -s https://settings-writer.prod.mozaws.net/v1/ -u crlite_publisher:secret | jq .user.id
    "account:crlite_publisher"

(same in Bug 1513621)

Flags: needinfo?(mgoodwin)
Flags: needinfo?(jjones)

Sorry, I sent :autrilla an email last week:

Adrian,

Using the user crlite_tools, the staging password, and both basic and digest auth, I'm getting an error writing
collection 'cert-revocations' in bucket 'security-state-staging' on https://settings-writer.stage.mozaws.net/v1/

I0109 22:56:19.168705 619 __init__.py:693] Create record with id '2b76a681-4345-4c58-a8a4-33166ff92fb9' in collection 'cert-revocations' in bucket 'security-state-staging'
Traceback (most recent call last):
 File "main.py", line 78, in <module>
   permissions=perms,
 File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/__init__.py", line 705, in create_record
   raise e
 File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/__init__.py", line 698, in create_record
   headers=headers)
 File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/session.py", line 129, in request
   raise exception
kinto_http.exceptions.KintoException: PUT /v1/buckets/security-state-staging/collections/cert-revocations/>records/2b76a681-4345-4c58-a8a4-33166ff92fb9 - 401 401 - {'code': 401, 'errno': 104, 'error': 'Unauthorized', >'message': 'Please authenticate yourself to use this endpoint.'}

(Note: Haven't yet tried the OneCRL logins)

Thanks,
J.C.

I do confirm the staging account works given your commands above.

The production account doesn't return a "user" object out, so the result is null.

Flags: needinfo?(mgoodwin)
Flags: needinfo?(jjones)

Sorry, I missed that email! The appropriate username is onecrl_tools, not crlite_tools. I think we initially agreed to crlite_tools but then switched to onecrl_tools at some point. I have confirmed the above command works in both environments for onecrl_tools.

As for crlite_publisher, I've recreated the production user and confirmed the command above works. I might have slipped up by one character when creating it, I imagine.

Thanks, :autrilla!

I've confirmed that all those accounts log in successfully.

Regarding the crlite_publisher permissions though, I'm now getting the following:

I0114 20:02:17.394232 23862 main.py:46] Using username/password authentication. Username=crlite_publisher
I0114 20:02:17.394349 23862 main.py:48] Connecting to https://settings-writer.stage.mozaws.net/v1/
I0114 20:02:18.794739 23862 main.py:63] New base image indicated. The following MLBF records will be cleaned up at the end: ['a3f9e414-e9f5-45b3-92ee-e075728a31b3']
I0114 20:02:18.794955 23862 __init__.py:693] Create record with id '59b94cda-9978-4d6f-8433-c3a195a49256' in collection 'cert-revocations' in bucket 'security-state-staging'
Traceback (most recent call last):
  File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/__init__.py", line 698, in create_record
    headers=headers)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/session.py", line 129, in request
    raise exception
kinto_http.exceptions.KintoException: PUT /v1/buckets/security-state-staging/collections/cert-revocations/records/59b94cda-9978-4d6f-8433-c3a195a49256 - 403 403 - {'code': 403, 'errno': 121, 'error': 'Forbidden', 'message': 'This user cannot access this resource.'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "main.py", line 80, in <module>
    permissions=perms,
  File "/home/ubuntu/.local/lib/python3.6/site-packages/kinto_http/__init__.py", line 705, in create_record
    raise e
kinto_http.exceptions.KintoException: PUT /v1/buckets/security-state-staging/collections/cert-revocations/records/59b94cda-9978-4d6f-8433-c3a195a49256 - 403 Unauthorized. Please check that the collection exists and that you have the permission to create or write on this collection record.

The line in question trying the PUT of a new record is calling client.create_record with some attributes and a permissions block of {"read": ["system.Everyone"]}.

(Note the next step is to POST an attachment, then DELETE old records)

Sorry about that! That is probably just because https://github.com/mozilla-services/remote-settings-permissions/pull/16 hadn't been merged. I've merged it and deployed it to stage and prod. Could you try again?

Aha! Found it:

https://github.com/mozilla-services/remote-settings-permissions/pull/16/files#r247890203

crlite_publisher needs cert-revocations-editors, but onecrl_tools does not. With that change, this should work!

This account has been created

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1592089
You need to log in before you can comment on or make changes to this bug.