Unable to import roles into organization namespace containing underscore

I have a github organization called haufe-it which is/was mapped to the namespace haufe_it on the old galaxy. Also, there’s a new namespace called haufe-it which is empty and I don’t seem to have access to it.

I’m unable to import anything into either of these namespaces:

$ ansible-galaxy role import haufe-it ansible-role-multissh
ERROR! None (HTTP Code: 403, Message: Forbidden)

Makes sense as the WebIf doesn’t show haufe-it as belonging to me.

$ ansible-galaxy role import haufe_it ansible-role-multissh
Successfully submitted import request 2053706321136235841224340602491325788
git clone for https://github.com/haufe_it/ansible-role-multissh failed
  File "/venv/lib64/python3.11/site-packages/pulpcore/tasking/tasks.py", line 66, in _execute_task
    result = func(*args, **kwargs)
  File "/app/galaxy_ng/app/api/v1/tasks.py", line 356, in legacy_role_import
    do_git_checkout(clone_url, checkout_path, github_reference)
  File "/app/galaxy_ng/app/api/v1/tasks.py", line 118, in do_git_checkout
    raise Exception(f'git clone for {clone_url} failed')

Also makes sense, as the git URL is wrong.

$ ansible-galaxy role import --role-name haufe_it.multissh haufe-it ansible-role-multissh
ERROR! None (HTTP Code: 403, Message: Forbidden)


How to proceed from here?

This is a bit confusing to me because I see that JakobHaufe owns the haufe_it namespace. Could you clarify a few points please?

  1. Is your galaxy/github login “JakobHaufe”?
  2. Did you make a new token on galaxy.ansible.com and put that into your ansible.cfg?

  1. Yes.
  2. Yes, I supplied it on the command line.

It seems galaxy-ng doesn’t know that the namespace haufe_it corresponds to haufe-it on github as it tries the wrong URL. There’s no haufe_it on github.

The role on old galaxy has the “haufe_it” namespace (probably due to the namespace conversions done in the past) …


New galaxy has the same role with the same attributes …


Since the namespace.name is “haufe_it” your first import command should have been correct and the backend code should have found the existing role to update.

ansible-galaxy role import haufe-it ansible-role-multissh

The second command is definitely not the correct one to use for this role …

ansible-galaxy role import haufe_it ansible-role-multissh

The main issue appears to be authentication or authorization for the “haufe_it” namespace.

In the namespace details, it shows your login as the owner …


With your token are you able to fetch this url and see the correct username? …

curl -H 'Authorization: token <TOKEN>' https://galaxy.ansible.com/api/_ui/v1/me/ | jq .username

Yes, this returns “JakobHaufe”.

Okay, I think I’ve figured it out. We have rbac code in place that determines who can write to what namespaces. In that code we check the ‘github_user’ field from the post data to validate the namespace name, but we don’t yet have the lookup code to match it to the old roles with swapped namespace names.

To fix it, I made the haufe-it legacy namespace (Galaxy NG) and then bound the provider namespace to haufe_it (Galaxy NG).

I tested importing with your token afterward and it appears to work now.

(galaxydev) [jtanner@p1 beta.scripts.2023-10-18]$ ansible-galaxy role import --token=<TOKEN> -vvvvvv haufe-it ansible-role-multissh
ansible-galaxy [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jtanner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jtanner/venvs/galaxydev/lib64/python3.11/site-packages/ansible
  ansible collection location = /home/jtanner/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/jtanner/venvs/galaxydev/bin/ansible-galaxy
  python version = 3.11.6 (main, Oct  3 2023, 00:00:00) [GCC 13.2.1 20230728 (Red Hat 13.2.1-1)] (/home/jtanner/venvs/galaxydev/bin/python3)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
Initial connection to galaxy_server: https://galaxy.ansible.com
Opened /home/jtanner/.ansible/galaxy_token
Calling Galaxy at https://galaxy.ansible.com/api/
Found API version 'v3, pulp-v3, v1' with Galaxy server default (https://galaxy.ansible.com/api/)
Calling Galaxy at https://galaxy.ansible.com/api/v1/imports/
Successfully submitted import request 2053790683390280560371105338281559867
Calling Galaxy at https://galaxy.ansible.com/api/v1/imports?id=2053790683390280560371105338281559867
Calling Galaxy at https://galaxy.ansible.com/api/v1/imports?id=2053790683390280560371105338281559867
role imported successfully

Yes indeed, it’s working for me again as well. Thank you very much!

Could I have done this myself using API requests or was some manual backend fiddling necessary?

Unfortunately you couldn’t have fixed this yourself. The backend code should have made the legacy namespace automatically and bound it to the v3 namespace, but I think it decided that since you already owned haufe_it, it didn’t need to make another.

I’ll have to correct that logic.

This seems to have created another issue: While existing roles can now be updated in the v1 namespace (and only there), new imports end up in the v3 namespace only.

Is there a way to fix this by either getting rid of the v1 namespace altogether or somehow enabling uploads to both namespaces?

Both haufe_it and haufe-it are standalone/v1/legacy/etc namespaces. The v3 namespace is haufe_it(v3) and only collections end up there, but it does control ownership of the other 2 legacy namespaces.

If you’d like all of your roles to end up in haufe-it it’s probably best that you first delete the roles currently in haufe_it and then re-import them. That should make sure they get to the right place by skipping past the backend import code that tries to match the github_user and github_repo to existing roles.

I’ve outlined how to delete roles in a new docs PR

Thanks again! That worked. I was also able to delete the now empty namespace using curl.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
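
Added example, not part of the thread and not galaxy_ng code: a simplified Python model of the behaviour described above, where the posted github_user is matched literally against legacy namespaces whose ownership comes from a bound v3 namespace. All class and function names are hypothetical, and the login "someone-else" is constructed.

```python
# Simplified model of the namespace check described in this thread.
# All class and function names are hypothetical; this is not galaxy_ng code.
from dataclasses import dataclass, field


@dataclass
class ProviderNamespace:
    """v3 namespace: holds the owner list that controls bound legacy namespaces."""
    name: str
    owners: set = field(default_factory=set)


class Galaxy:
    def __init__(self):
        self.bindings = {}  # legacy (v1) namespace name -> ProviderNamespace

    def bind(self, legacy_name, provider):
        self.bindings[legacy_name] = provider

    def role_import(self, login, github_user, github_repo):
        """Return (http_status, clone_url) for an import request."""
        # The posted github_user is matched literally; no '-' <-> '_' lookup.
        provider = self.bindings.get(github_user)
        if provider is None or login not in provider.owners:
            return 403, None
        # The same github_user value is reused to build the clone URL.
        return 200, f"https://github.com/{github_user}/{github_repo}"


def scenario():
    v3 = ProviderNamespace("haufe_it", owners={"JakobHaufe"})
    galaxy = Galaxy()
    galaxy.bind("haufe_it", v3)  # state before the fix: only the renamed namespace
    repo = "ansible-role-multissh"
    before = {
        "haufe-it": galaxy.role_import("JakobHaufe", "haufe-it", repo),
        "haufe_it": galaxy.role_import("JakobHaufe", "haufe_it", repo),
    }
    galaxy.bind("haufe-it", v3)  # the fix: bind haufe-it to the v3 namespace
    after = galaxy.role_import("JakobHaufe", "haufe-it", repo)
    other = galaxy.role_import("someone-else", "haufe-it", repo)  # constructed login
    return before, after, other


if __name__ == "__main__":
    before, after, other = scenario()
    print(before, after, other, sep="\n")
```

Before the binding, the GitHub-side name is refused and the Galaxy-side name is accepted but yields a clone URL for an organization that does not exist on GitHub; after the binding, the owner's import resolves to the real repository while a non-owner is still refused.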