Description
When configuring a module in NethServer 8, updating rich firewall rules
fails with a 403 Forbidden error even if the module image specifies the correct
node:fwadm authorization. The error occurs during the execution of the
module's configuration task.
Steps to reproduce:
1. Install a module on NethServer 8.
2. Ensure the module image label declares node:fwadm in its org.nethserver.authorizations.
3. Run the configure-module action for the module to update firewall rich rules.
4. Observe the task failure and inspect the error logs.
Expected behavior
The module's configuration task completes successfully, and the requested rich
firewall rules are updated when node:fwadm authorization is present.
Actual behavior
The configuration task fails with a 403 Forbidden error when updating rich
firewall rules, despite node:fwadm authorization being present in the
authorizations label.
A temporary workaround is to add the portsadm authorization to the image
label, which allows the configuration to succeed.
Components
- ns8-core: 3.16.1
See also
- Error traceback excerpt:
Run task module/nethvoice-proxy1/configure-module failed!
Traceback (most recent call last):
File "/home/nethvoice-proxy1/.config/actions/configure-module/20configure", line 89, in <module>
result = agent.add_rich_rules(new_rules)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/__init__.py", line 497, in add_rich_rules
response = agent.tasks.run(
^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/run.py", line 39, in run
results = runp([taskrq], **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/run.py", line 50, in runp
return asyncio.run(_runp(tasks, **kwargs))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/asyncio/base_events.py", line 654, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/run.py", line 120, in _runp
return await asyncio.gather(*runners, return_exceptions=(len(tasks) > 1))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/run.py", line 129, in _run_with_protocol
return await run_apiclient(taskrq, **pconn)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/apiclient.py", line 47, in run_apiclient
taskctx['status_path'] = await _retry_request(_apost_task, taskrq, client=client, theaders=theaders, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/apiclient.py", line 191, in _retry_request
raise exhttp
File "/usr/local/agent/pypkg/agent/tasks/apiclient.py", line 166, in _retry_request
retval = await request_procedure(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/agent/pypkg/agent/tasks/apiclient.py", line 246, in _apost_task
async with client.post(
File "/usr/local/agent/pyenv/lib64/python3.11/site-packages/aiohttp/client.py", line 1488, in __aenter__
self._resp: _RetType = await self._coro
^^^^^^^^^^^^^^^^
File "/usr/local/agent/pyenv/lib64/python3.11/site-packages/aiohttp/client.py", line 897, in _request
resp.raise_for_status()
File "/usr/local/agent/pyenv/lib64/python3.11/site-packages/aiohttp/client_reqrep.py", line 629, in raise_for_status
raise ClientResponseError(
aiohttp.client_exceptions.ClientResponseError: 403, message='Forbidden', url='http://cluster-leader:9311/api/node/1/tasks': 0 != 1
- Rich rules documentation: https://nethserver.github.io/ns8-core/core/firewall/#managing-rich-rules
- Discussion PVT https://mattermost.nethesis.it/nethesis/pl/h8c7iyec9pfqtf7q1tcu9jtkkr