Galaxy NG token not working for organization namespace/role import

Hi everybody,

this is a reframed problem statement that originated from this post: Galaxy NG: Role Import into organizational namespace fails with "ERROR! None (HTTP Code: 403, Message: Forbidden)"

What I have:

  • A personal galaxy namespace stevenengland/github user stevenengland
  • An organizational galaxy namespace paperless_ngx/github organization paperless-ngx
  • A new Galaxy NG token

For stevenengland I am an owner:

$ curl -s https://galaxy.ansible.com/api/v1/namespaces/6647/ | jq .summary_fields.owners
[
  {
    "id": 5224,
    "username": "stevenengland"
  }
]

For paperless_ngx I am also an owner:

$ curl -s https://galaxy.ansible.com/api/v1/namespaces/9590/ | jq .summary_fields.owners
[
  {
    "id": 5226,
    "username": "paperlessngx-bot"
  },
  {
    "id": 5225,
    "username": "shamoon"
  },
  {
    "id": 5224,
    "username": "stevenengland"
  }
]

Imports on my old user's repo (that I had before it was migrated to an organization a long time ago) work pretty fine:

ansible-galaxy role import -vvvvv --role-name stevenengland.paperless_ngx --api-key <NEW NG TOKEN FOR STEVENENGLAND> stevenengland paperless_ngx_ansible_role

Imports on the organization repo fail:

ansible-galaxy role import -vvvvv --role-name paperless_ngx.paperless_ngx --api-key <NEW NG TOKEN FOR STEVENENGLAND> paperless-ngx ansible

ansible-galaxy [core 2.15.2]
  config file = None
  configured module search path = ['/home/wsldev/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/wsldev/paperless-ngx_ansible/.venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/wsldev/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/wsldev/paperless-ngx_ansible/.venv/bin/ansible-galaxy
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/home/wsldev/paperless-ngx_ansible/.venv/bin/python3)
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
Initial connection to galaxy_server: https://galaxy.ansible.com
Opened /home/wsldev/.ansible/galaxy_token
Calling Galaxy at https://galaxy.ansible.com/api/
Found API version 'v3, pulp-v3, v1' with Galaxy server default (https://galaxy.ansible.com/api/)
Calling Galaxy at https://galaxy.ansible.com/api/v1/imports/
ERROR! None (HTTP Code: 403, Message: Forbidden)

So what I would summarize so far: New NG tokens do provide permission to import roles in a general manner. But there seems to be confusion when it comes to organizational accounts…

@tannerjc Sorry for pulling you in but I saw you helping a few people struggling with imports and namespace confusions and access control. I am really running out of ideas of what I can check from my side anymore :frowning:

Uhhhhh!!! Some Wonders happened this night!

For the third and new namespace paperless-ngx (ID 5391 in contrast to the original namespace paperless_ngx with ID 9590) there are now owners that yesterday were not and a test import today was successful. I’ll check where this import went to and if this is the desired goal but so far: Thanks to the anonymous helper in the background!
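
Added example (not part of the original posts and not Galaxy's own code): the thread mentions two namespaces whose names differ only by `-` versus `_` (IDs 9590 and 5391), so this sketch lists every look-alike namespace for a target name and whether a given user is an owner of each, using records shaped like the `/api/v1/namespaces/<id>/` output quoted above. The sample data is constructed; the empty owner list for 5391 is an assumption, and `lookalike_key` is a hypothetical diagnostic heuristic, not Galaxy's documented name handling.

```python
import json

# Constructed sample data shaped like the /api/v1/namespaces/<id>/ responses
# quoted in the post. Owners of 6647 and 9590 are copied from the post; the
# empty owner list for 5391 is an assumption made for this illustration.
NAMESPACES = json.loads("""
[
  {"id": 6647, "name": "stevenengland",
   "summary_fields": {"owners": [{"id": 5224, "username": "stevenengland"}]}},
  {"id": 9590, "name": "paperless_ngx",
   "summary_fields": {"owners": [{"id": 5226, "username": "paperlessngx-bot"},
                                 {"id": 5225, "username": "shamoon"},
                                 {"id": 5224, "username": "stevenengland"}]}},
  {"id": 5391, "name": "paperless-ngx",
   "summary_fields": {"owners": []}}
]
""")


def lookalike_key(name):
    """Fold case and treat '-' and '_' alike (hypothetical heuristic)."""
    return name.lower().replace("-", "_")


def ownership_report(namespaces, target, username):
    """Return sorted (id, name, is_owner) for namespaces that look like target."""
    key = lookalike_key(target)
    report = []
    for ns in namespaces:
        if lookalike_key(ns["name"]) != key:
            continue
        owners = ns.get("summary_fields", {}).get("owners", [])
        names = {o["username"] for o in owners}
        report.append((ns["id"], ns["name"], username in names))
    return sorted(report)


def unowned_lookalikes(namespaces, target, username):
    """IDs of look-alike namespaces where username is not listed as an owner."""
    rows = ownership_report(namespaces, target, username)
    return [ns_id for ns_id, _, owned in rows if not owned]


if __name__ == "__main__":
    for ns_id, name, owned in ownership_report(
            NAMESPACES, "paperless-ngx", "stevenengland"):
        print(f"{ns_id:>5}  {name:<15} owner={owned}")
```

To run it against live data, replace `NAMESPACES` with the JSON returned by the namespace endpoints already shown in the post.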