Bug 1126838

Summary: Models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization
Product: Red Hat Satellite Reporter: Eric Helms <ehelms>
Component: Organizations and LocationsAssignee: Eric Helms <ehelms>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.4CC: adujicek, bkearney, cwelton, dlobatog, ehelms, mhulan, mmccune, omaciel, tbrisker
Target Milestone: UnspecifiedKeywords: PrioBumpQA, Security, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/6777
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-04 17:47:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1115955, 1480886    

Description Eric Helms 2014-08-05 12:20:26 UTC
While this affects more models in Katello where every model must be silo'd within an Organization, this problem arises in Foreman as well. Thus, a general use validator that lives in Foreman would be the ideal solution.

Foreman Case:
1. Ensure you have a host and a smart proxy
2. Assign host to organization 'Org A'
3. Assign smart proxy ONLY to organization 'Org B'
4. Ensure 'Org A' does not have any smart proxies
5. Note that UI will not present options to set the Puppet CA for the host on the edit screen
6. Via the API:
PUT to /api/v2/hosts/1 { 'puppet_proxy_id': 1 } (the ID of the smart proxy in 'Org B')
7. Smart proxy that is only in 'Org B' will be assigned to host in 'Org A'

Katello Example:
1. Create Product in 'Org A'
2. Create GPG Key in 'Org B'
3. Via the API:
PUT to /katello/api/v2/products/1 - { 'gpg_key_id': 1} (the ID of the gpg key)
7. Gpg Key from another organization can be assigned to product

Comment 1 Eric Helms 2014-08-05 12:20:27 UTC
Created from redmine issue http://projects.theforeman.org/issues/6777

Comment 3 Mike McCune 2014-08-05 16:38:12 UTC
To put this a bit more bluntly:

You can assign association between objects *across* organizational boundaries.

Comment 5 Bryan Kearney 2015-08-25 17:59:52 UTC
Upstream bug component is Multi Org

Comment 8 Kurt Seifried 2017-03-07 03:52:25 UTC
What action is required by org B to gain access to org A? Does the org A have to run the PUT command?

Comment 15 Brad Buckingham 2017-09-22 14:28:19 UTC
*** Bug 1115955 has been marked as a duplicate of this bug. ***

Comment 16 Brad Buckingham 2017-09-22 14:30:27 UTC
The solution for this bugzilla is to address a generic issue.  When verifying, please make sure to also verify scenarios associated with any bugzillas that may have been closed as a duplicate.  

For example:
https://bugzilla.redhat.com/show_bug.cgi?id=1115955#c5

Comment 19 Bryan Kearney 2018-09-04 17:47:19 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.