Hi everybody,
this is a reframed problem statement that originated from this post: Galaxy NG: Role Import into organizational namespace fails with "ERROR! None (HTTP Code: 403, Message: Forbidden)"
What I have:
- A personal galaxy namespace stevenengland / github user stevenengland
- An organizational galaxy namespace paperless_ngx / github organization paperless-ngx
- A new Galaxy NG token

For stevenengland I am an owner:
```
$ curl -s https://galaxy.ansible.com/api/v1/namespaces/6647/ | jq .summary_fields.owners
[
  {
    "id": 5224,
    "username": "stevenengland"
  }
]
```
For paperless_ngx I am also an owner:
```
$ curl -s https://galaxy.ansible.com/api/v1/namespaces/9590/ | jq .summary_fields.owners
[
  {
    "id": 5226,
    "username": "paperlessngx-bot"
  },
  {
    "id": 5225,
    "username": "shamoon"
  },
  {
    "id": 5224,
    "username": "stevenengland"
  }
]
```
Imports on my old user's repo (that I had before it was migrated to an organization a long time ago) work pretty fine:
```
ansible-galaxy role import -vvvvv --role-name stevenengland.paperless_ngx --api-key <NEW NG TOKEN FOR STEVENENGLAND> stevenengland paperless_ngx_ansible_role
```
Imports on the organization repo fail:
```
ansible-galaxy role import -vvvvv --role-name paperless_ngx.paperless_ngx --api-key <NEW NG TOKEN FOR STEVENENGLAND> paperless-ngx ansible
ansible-galaxy [core 2.15.2]
  config file = None
  configured module search path = ['/home/wsldev/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/wsldev/paperless-ngx_ansible/.venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/wsldev/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/wsldev/paperless-ngx_ansible/.venv/bin/ansible-galaxy
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/home/wsldev/paperless-ngx_ansible/.venv/bin/python3)
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
Initial connection to galaxy_server: https://galaxy.ansible.com
Opened /home/wsldev/.ansible/galaxy_token
Calling Galaxy at https://galaxy.ansible.com/api/
Found API version 'v3, pulp-v3, v1' with Galaxy server default (https://galaxy.ansible.com/api/)
Calling Galaxy at https://galaxy.ansible.com/api/v1/imports/
ERROR! None (HTTP Code: 403, Message: Forbidden)
```
So what I would summarize so far: New NG tokens do provide permission to import roles in a general manner. But there seems to be confusion when it comes to organizational accounts…
@tannerjc Sorry for pulling you in, but I saw you helping a few people struggling with imports and namespace confusions and access control. I am really running out of ideas of what I can check from my side anymore.