Closed
Labels
bug (Something isn't working), new (New issue, this should be removed once reviewed)
Description
Summary
When using the role aap_configuration.hub_group_role to add roles to a group in hub, there is an error:
"Create error: You do not have permission to POST api/galaxy/pulp/api/v3/groups/ (HTTP 403)."
It seems like the "admin" user has no rights to post on this part of the API.
Issue Type
- Bug Report
Ansible, Collection, Controller details
ansible --version
ansible [core 2.15.10]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/wilco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/wilco/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/wilco/.ansible/collections:/usr/share/ansible/collections
executable location = /home/wilco/.local/bin/ansible
python version = 3.9.13 (main, Jul 25 2022, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-2)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
[wilco@rhel9-1 ee_cac_image (update)]$ ansible-galaxy collection list
# /home/wilco/.ansible/collections/ansible_collections
Collection Version
----------------------------------- -------
ansible.controller 4.6.3
ansible.eda 2.2.0
ansible.hub 1.0.0
ansible.netcommon 4.1.0
ansible.platform 2.5.3
ansible.posix 2.0.0
ansible.utils 2.8.0
ansible.windows 2.6.0
awx.awx 22.1.0
community.crypto 2.10.0
community.general 10.1.0
community.postgresql 2.3.2
community.vmware 5.2.0
community.windows 2.3.0
infra.aap_configuration 3.1.0
infra.ah_configuration 2.0.4
redhat.satellite 4.0.0
redhat_cop.controller_configuration 2.3.1
vmware.vmware 1.7.1
wf_linux.infra 0.0.7
wf_linux.oracle 0.0.1
wf_linux.rhel 0.0.2
wf_linux.web 0.0.4
# /home/wilco/.local/lib/python3.9/site-packages/ansible_collections
Collection Version
----------------------------------- -------
amazon.aws 6.5.0
ansible.netcommon 5.3.0
ansible.posix 1.5.4
ansible.utils 2.12.0
ansible.windows 1.14.0
arista.eos 6.2.2
awx.awx 22.7.0
azure.azcollection 1.19.0
check_point.mgmt 5.1.1
chocolatey.chocolatey 1.5.1
cisco.aci 2.8.0
cisco.asa 4.0.3
cisco.dnac 6.9.0
cisco.intersight 1.0.27
cisco.ios 4.6.1
cisco.iosxr 5.0.3
cisco.ise 2.6.2
cisco.meraki 2.17.0
cisco.mso 2.5.0
cisco.nso 1.0.3
cisco.nxos 4.4.0
cisco.ucs 1.10.0
cloud.common 2.1.4
cloudscale_ch.cloud 2.3.1
community.aws 6.4.0
community.azure 2.0.0
community.ciscosmb 1.0.7
community.crypto 2.16.1
community.digitalocean 1.24.0
community.dns 2.6.4
community.docker 3.4.11
community.fortios 1.0.0
community.general 7.5.2
community.google 1.0.0
community.grafana 1.6.1
community.hashi_vault 5.0.1
community.hrobot 1.8.2
community.libvirt 1.3.0
community.mongodb 1.6.3
community.mysql 3.8.0
community.network 5.0.2
community.okd 2.3.0
community.postgresql 2.4.3
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.11.0
community.sap 1.0.0
community.sap_libs 1.4.1
community.skydive 1.0.0
community.sops 1.6.7
community.vmware 3.11.1
community.windows 1.13.0
community.zabbix 2.2.0
containers.podman 1.11.0
cyberark.conjur 1.2.2
cyberark.pas 1.0.23
dellemc.enterprise_sonic 2.2.0
dellemc.openmanage 7.6.1
dellemc.powerflex 1.9.0
dellemc.unity 1.7.1
f5networks.f5_modules 1.27.1
fortinet.fortimanager 2.3.0
fortinet.fortios 2.3.4
frr.frr 2.0.2
gluster.gluster 1.0.2
google.cloud 1.3.0
grafana.grafana 2.2.3
hetzner.hcloud 1.16.0
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.12.0
ibm.storage_virtualize 2.1.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.5.0
inspur.ispim 1.3.0
inspur.sm 2.3.0
junipernetworks.junos 5.3.1
kubernetes.core 2.4.0
lowlydba.sqlserver 2.2.2
microsoft.ad 1.4.1
netapp.aws 21.7.1
netapp.azure 21.10.1
netapp.cloudmanager 21.22.1
netapp.elementsw 21.7.0
netapp.ontap 22.8.3
netapp.storagegrid 21.11.1
netapp.um_info 21.8.1
netapp_eseries.santricity 1.4.0
netbox.netbox 3.15.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.1.0
ngine_io.vultr 1.1.3
openstack.cloud 2.2.0
openvswitch.openvswitch 2.1.1
ovirt.ovirt 3.2.0
purestorage.flasharray 1.24.0
purestorage.flashblade 1.14.0
purestorage.fusion 1.6.0
sensu.sensu_go 1.14.0
servicenow.servicenow 1.0.6
splunk.es 2.1.2
t_systems_mms.icinga_director 1.33.1
telekom_mms.icinga_director 1.35.0
theforeman.foreman 3.15.0
vmware.vmware_rest 2.3.1
vultr.cloud 1.11.0
vyos.vyos 4.1.0
wti.remote 1.0.5
# /usr/local/lib/python3.9/site-packages/ansible_collections
Collection Version
----------------------------------- -------
amazon.aws 6.5.0
ansible.netcommon 5.3.0
ansible.posix 1.5.4
ansible.utils 2.12.0
ansible.windows 1.14.0
arista.eos 6.2.2
awx.awx 22.7.0
azure.azcollection 1.19.0
check_point.mgmt 5.1.1
chocolatey.chocolatey 1.5.1
cisco.aci 2.8.0
cisco.asa 4.0.3
cisco.dnac 6.9.0
cisco.intersight 1.0.27
cisco.ios 4.6.1
cisco.iosxr 5.0.3
cisco.ise 2.6.2
cisco.meraki 2.17.0
cisco.mso 2.5.0
cisco.nso 1.0.3
cisco.nxos 4.4.0
cisco.ucs 1.10.0
cloud.common 2.1.4
cloudscale_ch.cloud 2.3.1
community.aws 6.4.0
community.azure 2.0.0
community.ciscosmb 1.0.7
community.crypto 2.16.1
community.digitalocean 1.24.0
community.dns 2.6.4
community.docker 3.4.11
community.fortios 1.0.0
community.general 7.5.2
community.google 1.0.0
community.grafana 1.6.1
community.hashi_vault 5.0.1
community.hrobot 1.8.2
community.libvirt 1.3.0
community.mongodb 1.6.3
community.mysql 3.8.0
community.network 5.0.2
community.okd 2.3.0
community.postgresql 2.4.3
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.11.0
community.sap 1.0.0
community.sap_libs 1.4.1
community.skydive 1.0.0
community.sops 1.6.7
community.vmware 3.11.1
community.windows 1.13.0
community.zabbix 2.2.0
containers.podman 1.11.0
cyberark.conjur 1.2.2
cyberark.pas 1.0.23
dellemc.enterprise_sonic 2.2.0
dellemc.openmanage 7.6.1
dellemc.powerflex 1.9.0
dellemc.unity 1.7.1
f5networks.f5_modules 1.27.1
fortinet.fortimanager 2.3.0
fortinet.fortios 2.3.4
frr.frr 2.0.2
gluster.gluster 1.0.2
google.cloud 1.3.0
grafana.grafana 2.2.3
hetzner.hcloud 1.16.0
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.12.0
ibm.storage_virtualize 2.1.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.5.0
inspur.ispim 1.3.0
inspur.sm 2.3.0
junipernetworks.junos 5.3.1
kubernetes.core 2.4.0
lowlydba.sqlserver 2.2.2
microsoft.ad 1.4.1
netapp.aws 21.7.1
netapp.azure 21.10.1
netapp.cloudmanager 21.22.1
netapp.elementsw 21.7.0
netapp.ontap 22.8.3
netapp.storagegrid 21.11.1
netapp.um_info 21.8.1
netapp_eseries.santricity 1.4.0
netbox.netbox 3.15.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.1.0
ngine_io.vultr 1.1.3
openstack.cloud 2.2.0
openvswitch.openvswitch 2.1.1
ovirt.ovirt 3.2.0
purestorage.flasharray 1.24.0
purestorage.flashblade 1.14.0
purestorage.fusion 1.6.0
sensu.sensu_go 1.14.0
servicenow.servicenow 1.0.6
splunk.es 2.1.2
t_systems_mms.icinga_director 1.33.1
telekom_mms.icinga_director 1.35.0
theforeman.foreman 3.15.0
vmware.vmware_rest 2.3.1
vultr.cloud 1.11.0
vyos.vyos 4.1.0
wti.remote 1.0.5
Automation Controller Version
4.6.3
Event Driven Automation Version
1.1.2
Automation Hub Version
4.10.1
- ansible installation method: one of source, pip, OS package, EE
OS / ENVIRONMENT
Desired Behavior
The roles should be added to the existing groups.
Actual Behavior
Please give some details of what is actually happening.
Include a [minimum complete verifiable example] with:
- playbook / task
---
- name: Configure rhaap platform base
  hosts: aapserver3.localdomain
  connection: local
  gather_facts: false
  pre_tasks:
    - name: include the user_vars
      ansible.builtin.include_vars:
        file: hub_group_roles.yml
  roles:
    - infra.aap_configuration.hub_group_roles
- configuration file / list
---
hub_group_roles:
  - groups:
      - hub_coll
    role_list:
      - roles:
          - galaxy.collection_admin
    state: present
- error
<aap_dev> EXEC /bin/sh -c 'echo ~wilco && sleep 0'
<aap_dev> EXEC /bin/sh -c 'echo ~wilco && sleep 0'
<aap_dev> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/wilco/.ansible/tmp `"&& mkdir "` echo /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335 `" && echo ansible-tmp-1734610534.0161428-19209-142771980579335="` echo /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335 `" ) && sleep 0'
Using module file /home/wilco/.local/lib/python3.9/site-packages/ansible/modules/async_status.py
<aap_dev> PUT /home/wilco/.ansible/tmp/ansible-local-19141bzzy2_h_/tmp4j3fyecy TO /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335/AnsiballZ_async_status.py
<aap_dev> EXEC /bin/sh -c 'chmod u+x /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335/ /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335/AnsiballZ_async_status.py && sleep 0'
<aap_dev> EXEC /bin/sh -c '/usr/bin/python3 /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335/AnsiballZ_async_status.py && sleep 0'
<aap_dev> EXEC /bin/sh -c 'rm -f -r /home/wilco/.ansible/tmp/ansible-tmp-1734610534.0161428-19209-142771980579335/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/tmp/ansible_ansible.hub.group_roles_payload_k2eypqk3/ansible_ansible.hub.group_roles_payload.zip/ansible_collections/ansible/hub/plugins/module_utils/ah_pulp_object.py", line 233, in create
response = self.api.make_request("POST", url, data=new_item)
File "/tmp/ansible_ansible.hub.group_roles_payload_k2eypqk3/ansible_ansible.hub.group_roles_payload.zip/ansible_collections/ansible/hub/plugins/module_utils/ah_api_module.py", line 291, in make_request
response = self.make_request_raw_reponse(method, url, **kwargs)
File "/tmp/ansible_ansible.hub.group_roles_payload_k2eypqk3/ansible_ansible.hub.group_roles_payload.zip/ansible_collections/ansible/hub/plugins/module_utils/ah_api_module.py", line 243, in make_request_raw_reponse
raise AHAPIModuleError("You do not have permission to {method} {path} (HTTP 403).".format(method=method, path=url.path))
failed: [aap_dev] (item=Create/Update Group roles ['hub_coll'] | Wait for finish the Group roles creation) => {
"__group_roles_job_async_result_item": {
"__hub_group_roles_item": {
"groups": [
"hub_coll"
],
"role_list": [
{
"roles": [
"galaxy.collection_admin"
]
}
],
"state": "present"
},
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"ansible_job_id": "j36406895663.19169",
"ansible_loop_var": "__hub_group_roles_item",
"changed": false,
"failed": 0,
"finished": 0,
"results_file": "/home/wilco/.ansible_async/j36406895663.19169",
"started": 1
},
"ansible_job_id": "j36406895663.19169",
"ansible_loop_var": "__group_roles_job_async_result_item",
"attempts": 2,
"changed": false,
"finished": 1,
"invocation": {
"module_args": {
"ah_host": "https://aapserver3.localdomain",
"ah_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ah_path_prefix": "galaxy",
"ah_username": "admin",
"groups": [
"hub_coll"
],
"request_timeout": 60.0,
"role_list": [
{
"content_urls": [],
"roles": [
"galaxy.collection_admin"
]
}
],
"state": "present",
"validate_certs": false
}
},
"msg": "Create error: You do not have permission to POST api/galaxy/pulp/api/v3/groups/ (HTTP 403)., url: https://aapserver3.localdomain/api/galaxy/pulp/api/v3/groups/",
"results_file": "/home/wilco/.ansible_async/j36406895663.19169",
"started": 1,
"stderr": "",
"stderr_lines": [],
"stdout": "",
"stdout_lines": []
}
STEPS TO REPRODUCE
Use the above playbook and group definition to reproduce.
Make sure the group is created as a team in gateway (btw, the creation of teams and groups is poorly documented).