Synchronizing a container repository from a connected to a disconnected Red Hat Satellite fails with a 403 'Forbidden' error for non-admin users.

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6

Issue

  • In Red Hat Satellite 6, synchronizing the container repository as a non-admin user from the connected Red Hat Satellite to the disconnected Red Hat Satellite fails with the following error:

    403, message='Forbidden', url=URL('https://satellite.example.com/v2/token?service=satellite.example.com&scope=repository:registry:pull,push')
    
  • Synchronizing Red Hat repositories and custom repositories as a non-admin user completes successfully without any issues; however, synchronizing a container repository fails.

  • The error can also be:

    422, message='Unprocessable Content', url='https://satellite/v2/token?service=satellite&scope=repository:registry:pull,push'
    

Resolution

  • Create a new role and include the following filters:

    Satellite WebUI --> Administer --> Roles --> Create Role --> fill required details --> Submit
    Satellite WebUI --> Administer --> Roles --> Select newly created role --> Filters --> Add the filter below --> Submit
    
    - Resource --> "Personal Token"
    - Permissions --> create_personal_access_tokens
    
  • Once the new role is created, assign it to the non-admin user.

    Satellite WebUI --> Administer --> Users --> Select User --> Roles --> Assign newly created role --> Submit
    

Root Cause

  • The issue occurs because the create_personal_access_tokens permission, which is required to synchronize container repositories when authentication is enabled, was not granted to the non-admin user.

Diagnostic Steps

  • Below are the minimum permissions required to synchronize content, including the container repository.

    - Resource --> "Product and Repositories"
    - Permissions --> create_products, edit_products, sync_products, view_products
    
    - Resource --> "Organization"
    - Permissions --> edit_organizations
    
    - Resource --> "Personal Token"
    - Permissions --> create_personal_access_tokens
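
The minimum permission set above can be checked against a user's role assignments before a sync is attempted. The following is an added example, not part of the original article or Red Hat code; the role names, user names and the dictionary layout are constructed assumptions and not Satellite API output.

```python
# Added example: audit role assignments against the minimum permissions
# this article lists for syncing content, container repositories included.

# From the Diagnostic Steps, keyed by resource.
REQUIRED = {
    "Product and Repositories": {
        "create_products", "edit_products", "sync_products", "view_products",
    },
    "Organization": {"edit_organizations"},
    "Personal Token": {"create_personal_access_tokens"},
}

# Constructed sample data (role names and layout are assumptions):
# role name -> list of filters, each filter a set of permission names.
ROLES = {
    "content-sync": [
        {"create_products", "edit_products", "sync_products", "view_products"},
        {"edit_organizations"},
    ],
    "container-sync-token": [{"create_personal_access_tokens"}],
}


def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions granted by every filter of the given roles."""
    granted = set()
    for name in role_names:
        for filt in roles.get(name, []):  # an unknown role grants nothing
            granted |= filt
    return granted


def missing_permissions(role_names, roles=ROLES):
    """Return {resource: [missing permissions]}; an empty dict means none."""
    granted = effective_permissions(role_names, roles)
    gaps = {}
    for resource, needed in REQUIRED.items():
        absent = sorted(needed - granted)
        if absent:
            gaps[resource] = absent
    return gaps


if __name__ == "__main__":
    # Constructed users: the first reproduces the gap behind the 403.
    users = {"syncuser": ["content-sync"],
             "syncuser2": ["content-sync", "container-sync-token"]}
    for login, assigned in users.items():
        print(login, missing_permissions(assigned) or "nothing missing")
```

A user holding only the product and organization permissions is reported as missing create_personal_access_tokens under "Personal Token", which is the condition described under Root Cause.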
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
