Bug 1293716

Summary: Unable to control where users can build hosts
Product: Red Hat Satellite 6 Reporter: Andrew Schofield <andrew.schofield>
Component: Users & RolesAssignee: Tomer Brisker <tbrisker>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.1.5CC: andrew.schofield, bbuckingham, bkearney, cwelton, dcaplan, jsherril, kabbott, mhulan, mmccune, oshtaier, prsharma, tbrisker
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: All   
URL: http://projects.theforeman.org/issues/4477
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 17:07:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
screenshot_1
none
screenshot_2 none

Description Andrew Schofield 2015-12-22 19:45:48 UTC
Description of problem:
When a user has the 'create_hosts' permission then there are no controls to limit what Location, Host Group, Lifecycle Environment, Content View that the user can create the host in. 

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Create a user, assign to a role. Give the following roles
access_dashboard
assign_organizations, view_organizations
assign_locations, view_locations
edit_products, view_products	name = P_GIRAFFE
promote_or_remove_content_views, view_content_views, publish_content_views	name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE
promote_or_remove_content_views_to_environments, view_lifecycle_environments	name = ENG
create_hosts, view_hosts	hostgroup_fullname = HG_Capsule

Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content View's etc and initiate the build of a host.

Actual results:
Host is created by in host groups, lifecycle environments we have tried to limit.

Expected results:
Host creation to only show resources that the user has access too.

Additional info:

Comment 1 David Caplan 2016-01-05 18:20:03 UTC
Please help us to understand the affected user's context:

1. is the affected user logged into a specific organization context (vs. any context)
2. Has the user been constrained to only view specific location?

Comment 2 Andrew Schofield 2016-01-05 20:10:20 UTC
1. The user is assigned to a organization (we only have one org configured) and is a member of that organization when attempting to create a host.
2. Yes. The user is assigned and constrained to a location.

Comment 5 Tomer Brisker 2016-03-17 11:38:47 UTC
Created redmine issue http://projects.theforeman.org/issues/14248 from this bug

Comment 6 Bryan Kearney 2016-03-17 12:08:52 UTC
Upstream bug component is Provisioning

Comment 7 Bryan Kearney 2016-03-17 12:43:16 UTC
Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug

Comment 8 Bryan Kearney 2016-03-17 14:08:50 UTC
Upstream bug component is Users & Roles

Comment 10 Tomer Brisker 2016-03-27 14:50:54 UTC
*** Bug 1118312 has been marked as a duplicate of this bug. ***

Comment 12 Bryan Kearney 2016-06-27 12:10:23 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed

Comment 15 Peter Ondrejka 2016-10-31 13:10:03 UTC
Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments.

Having a role with permissions:
    promote_or_remove_content_views_to_environments, view_lifecycle_environments
and search fitler as:
    name = testenv
(see screenshot1)

This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Contnet > Lifecycle Environment page.(see screenshot2)

Comment 16 Peter Ondrejka 2016-10-31 13:12:10 UTC
Created attachment 1215800 [details]
screenshot_1

Comment 17 Peter Ondrejka 2016-10-31 13:12:47 UTC
Created attachment 1215801 [details]
screenshot_2

Comment 18 Justin Sherrill 2016-11-01 16:01:44 UTC
Taking over to fix the FAILED_QE issue in katello

Comment 19 Bryan Kearney 2016-11-01 16:18:59 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 20 Justin Sherrill 2016-11-01 22:50:56 UTC
Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug

Comment 21 pm-sat@redhat.com 2017-01-09 21:18:37 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 22 Tomer Brisker 2017-03-16 14:12:00 UTC
Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.

Comment 23 Peter Ondrejka 2017-10-25 15:15:52 UTC
Verified in satellite-6.3.0-21.0.beta.el7sat.noarch, create host dialog has options correctly limited according to permissions including lc environments

Comment 25 Bryan Kearney 2018-02-21 17:07:02 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336