Bug 1199408

Summary: non-admin user cannot register content host
Product: Red Hat Satellite
Reporter: Neil Miao <nmiao>
Component: Registration
Assignee: Christine Fouant <cfouant>
Status: CLOSED ERRATA
QA Contact: Tazim Kolhar <tkolhar>
Severity: high
Docs Contact: David O'Brien <daobrien>
Priority: unspecified
Version: 6.0.8
CC: bbuckingham, cwelton, gduarte, hannsj_uhl, mmccune, tkolhar
Target Milestone: Unspecified
Keywords: ReleaseNotes, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/10132
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-09-15 07:21:43 UTC
Bug Blocks: 1190823
Attachments: foreman-debug output (flags: none)

Description Neil Miao 2015-03-06 07:52:53 UTC
Created attachment 998691 [details]
foreman-debug output

Description of problem:

Created a non-admin user (jdoe) with the following permissions:

# hammer --csv role filters --id 11
Id,Resource type,Search,Unlimited?,Role,Permissions
123,Katello::ActivationKey,none,false,test,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
124,Katello::System,none,false,test,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
125,Katello::ContentView,none,false,test,view_content_views
126,Katello::GpgKey,none,false,test,view_gpg_keys
127,Katello::HostCollection,none,false,test,view_host_collections
128,Katello::KTEnvironment,none,false,test,view_lifecycle_environments
129,Organization,none,true,test,view_organizations
130,Katello::Product,none,false,test,view_products

Trying to register a content host as that user failed with a Ruby exception:
# subscription-manager register --org="platops" --environment="Library"
Username: jdoe
Password: 
undefined local variable or method `anonymous_admin' for #<User:0x00000009734318>


--- production.log ---
[ERROR 2015-03-06 02:06:14 cp_proxy  #8043] NameError: undefined local variable or method `anonymous_admin' for #<User:0x0000000c620348>
 | /opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/attribute_methods.rb:407:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/attribute_methods.rb:149:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb:212:in `allowed_organizations'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:327:in `find_organization'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:90:in `rhsm_index'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/implicit_render.rb:4:in `send_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:167:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rendering.rb:10:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:18:in `block in process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:560:in `block (3 levels) in _run__3457411624030313466__process_action__3351353520943957048__callbacks'


Version-Release number of selected component (if applicable):

Satellite Version: 6.0.8

Installed Packages

    candlepin-0.9.23.1-1.el7.noarch
    candlepin-common-1.0.1-1.el7.noarch
    candlepin-guice-3.0-2_redhat_1.el7.noarch
    candlepin-scl-1-5.el7.noarch
    candlepin-scl-quartz-2.1.5-6.el7.noarch
    candlepin-scl-rhino-1.7R3-3.el7.noarch
    candlepin-scl-runtime-1-5.el7.noarch
    candlepin-selinux-0.9.23.1-1.el7.noarch
    candlepin-tomcat-0.9.23.1-1.el7.noarch
    elasticsearch-0.90.10-6.el7sat.noarch
    katello-certs-tools-1.5.6-1.el7sat.noarch
    katello-default-ca-1.0-1.noarch
    katello-installer-0.0.67-1.el7sat.noarch
    katello-server-ca-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-broker-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-client-cert-1.0-1.noarch
    pulp-katello-0.3-4.el7sat.noarch
    pulp-nodes-common-2.4.4-1.el7sat.noarch
    pulp-nodes-parent-2.4.4-1.el7sat.noarch
    pulp-puppet-plugins-2.4.4-1.el7sat.noarch
    pulp-puppet-tools-2.4.4-1.el7sat.noarch
    pulp-rpm-plugins-2.4.4-1.1.el7sat.noarch
    pulp-selinux-2.4.4-1.el7sat.noarch
    pulp-server-2.4.4-1.el7sat.noarch
    python-gofer-qpid-1.3.0-1.el7sat.noarch
    python-isodate-0.5.0-1.pulp.el7sat.noarch
    python-kombu-3.0.15-12.pulp.el7sat.noarch
    python-pulp-bindings-2.4.4-1.el7sat.noarch
    python-pulp-common-2.4.4-1.el7sat.noarch
    python-pulp-puppet-common-2.4.4-1.el7sat.noarch
    python-pulp-rpm-common-2.4.4-1.1.el7sat.noarch
    python-qpid-0.22-15.el7.noarch
    python-qpid-qmf-0.22-37.el7.x86_64
    qpid-cpp-client-0.22-42.el7.x86_64
    qpid-cpp-server-0.22-42.el7.x86_64
    qpid-cpp-server-linearstore-0.22-42.el7.x86_64
    qpid-java-client-0.22-7.el7.noarch
    qpid-java-common-0.22-7.el7.noarch
    qpid-proton-c-0.7-2.el7.x86_64
    qpid-qmf-0.22-37.el7.x86_64
    qpid-tools-0.22-13.el7.noarch
    ruby193-rubygem-katello-1.5.0-98.el7sat.noarch
    rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
    rubygem-smart_proxy_pulp-1.0.1-1.1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. add a non-admin internal user with the above permissions
2. run subscription-manager to register a client with the non-admin user

Actual results:
A non-admin user should be able to register a content host when the necessary permissions are supplied.

Expected results:
ruby exception

Additional info:

It seems the allowed_organizations method is trying to call anonymous_admin as an instance method

(/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb)

        def allowed_organizations
          (admin? || anonymous_admin) ? Organization.all : self.organizations
        end

while anonymous_admin is actually a class method

(/usr/share/foreman/app/models/user.rb)

  def self.anonymous_admin
    unscoped.find_by_login ANONYMOUS_ADMIN or raise Foreman::Exception.new(N_("Anonymous admin user %s is missing, run foreman-rake db:seed", ANONYMOUS_ADMIN))
  end

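The analysis in the description is a class-versus-instance method mix-up, but the shape of the condition also matters for the fix. The example below is added here and is not Katello or Foreman code; it is a minimal stand-in for the User model with a constructed in-memory REGISTRY in place of ActiveRecord's unscoped.find_by_login, three constructed users, and method names (allowed_organizations_as_reported, allowed_organizations_overbroad, anonymous_admin?, reproduce_report) that are mine. It reproduces the NameError for a non-admin user, shows that admins never hit it because admin? short-circuits, and shows why simply qualifying the call as User.anonymous_admin would replace the crash with an authorization bug: the class method returns a User object, which is always truthy, so every authenticated user would be granted Organization.all. The actual upstream fix is not reproduced on this page; the identity comparison shown is an illustration of the least-privilege shape such a check needs. Note also that the raw exception text, object address included, reached the subscription-manager client in the report, which is worth keeping out of API error responses.

```ruby
# Added example (not Katello or Foreman code): a minimal stand-in for the
# User model that reproduces the NameError in the report and shows why the
# obvious one-token fix would turn a crash into an authorization bug.
Organization = Struct.new(:name)

# Constructed sample data standing in for the organizations table.
ALL_ORGS = [Organization.new("platops"), Organization.new("Default_Organization")].freeze

class User
  ANONYMOUS_ADMIN = "foreman_admin"   # Foreman's well-known internal account name
  REGISTRY = {}                       # constructed in-memory stand-in for the users table

  attr_reader :login, :organizations

  def initialize(login, admin: false, organizations: [])
    @login = login
    @admin = admin
    @organizations = organizations
  end

  def admin?
    @admin
  end

  # Class method, as in Foreman's User.anonymous_admin: it looks up a specific
  # account and returns a User object. It says nothing about the receiver.
  def self.anonymous_admin
    REGISTRY.fetch(ANONYMOUS_ADMIN) do
      raise "Anonymous admin user #{ANONYMOUS_ADMIN} is missing, run foreman-rake db:seed"
    end
  end

  # (1) The method as quoted in the report. Unqualified `anonymous_admin` is
  # resolved against the instance, which has no such method or local variable,
  # so Ruby raises NameError (undefined local variable or method) unless
  # admin? is already true and short-circuits the expression.
  def allowed_organizations_as_reported
    (admin? || anonymous_admin) ? ALL_ORGS : organizations
  end

  # (2) The tempting fix: qualify the call with the class. It no longer raises,
  # but User.anonymous_admin returns a User object, and every object except
  # nil and false is truthy in Ruby, so the condition is true for every
  # authenticated user and jdoe would see all organizations.
  def allowed_organizations_overbroad
    (admin? || User.anonymous_admin) ? ALL_ORGS : organizations
  end

  # (3) Ask the right question: is this user the anonymous admin account?
  # Only a real admin or that specific account gets the unrestricted list;
  # everyone else stays scoped to their own organizations.
  def anonymous_admin?
    login == ANONYMOUS_ADMIN
  end

  def allowed_organizations
    (admin? || anonymous_admin?) ? ALL_ORGS : organizations
  end
end

# Constructed users: the seeded internal account, a real admin, and the
# non-admin reporter account from the bug, scoped to one organization.
[
  User.new(User::ANONYMOUS_ADMIN, admin: true, organizations: ALL_ORGS),
  User.new("admin", admin: true, organizations: ALL_ORGS),
  User.new("jdoe", organizations: [ALL_ORGS[0]]),
].each { |u| User::REGISTRY[u.login] = u }

# Runs the method as reported and returns the exception (or nil if none),
# mirroring what the candlepin proxy controller logged for jdoe.
def reproduce_report(user)
  user.allowed_organizations_as_reported
  nil
rescue NameError => e
  e
end

if $PROGRAM_NAME == __FILE__
  jdoe = User::REGISTRY.fetch("jdoe")
  err = reproduce_report(jdoe)
  puts "as reported: #{err.class}: #{err.message}"
  puts "overbroad:   #{jdoe.allowed_organizations_overbroad.map(&:name).join(', ')}"
  puts "scoped:      #{jdoe.allowed_organizations.map(&:name).join(', ')}"
end
```

Running it prints the NameError for jdoe, then shows the overbroad variant handing jdoe both organizations while the scoped variant returns only platops; the admin user never raises in any variant, which matches the report that only non-admin registration failed.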
Comment 1 Neil Miao 2015-03-06 07:56:20 UTC
"Actual results:" and "Expected results:" are reversed ... sorry.

Comment 2 RHEL Program Management 2015-03-06 08:03:08 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Christine Fouant 2015-07-15 19:53:03 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 5 Christine Fouant 2015-07-15 20:03:22 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 6 David O'Brien 2015-08-11 04:31:10 UTC
Is there any workaround or other info I can include in a rel note to help the customer?

thanks

Comment 7 Mike McCune 2015-08-11 05:18:46 UTC
WORKAROUND:

Use a user with the 'Admin' role or use an Activation Key

Comment 9 Tazim Kolhar 2015-08-27 10:51:43 UTC
VERIFIED:
# rpm -qa | grep foreman
foreman-vmware-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.3-1.el6_6sat.noarch
foreman-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-libvirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.19-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.5-1.el6_6sat.noarch
foreman-postgresql-1.7.2.35-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.14-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.20-1.el6_6sat.noarch
foreman-ovirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.9-1.el6_6sat.noarch
foreman-compute-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch
foreman-gce-1.7.2.35-1.el6_6sat.noarch
foreman-proxy-1.7.2.5-1.el6_6sat.noarch
foreman-debug-1.7.2.35-1.el6_6sat.noarch

steps:
 hammer --csv role filters --id 11
[Foreman] Username: admin
[Foreman] Password for admin: 
Id,Resource type,Search,Unlimited?,Role,Permissions
48,Host,none,true,View hosts,view_hosts
153,Katello::ActivationKey,none,true,View hosts,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
154,Katello::System,none,true,View hosts,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
155,Katello::ContentView,none,true,View hosts,view_content_views
156,Katello::GpgKey,none,true,View hosts,view_gpg_keys
157,Katello::HostCollection,none,true,View hosts,view_host_collections
158,Katello::KTEnvironment,none,true,View hosts,view_lifecycle_environments
159,Organization,none,true,View hosts,view_organizations
160,Katello::Product,none,true,View hosts,view_products

# subscription-manager register --org="Default_Organization" --environment="Library" --force
Username: testuser
Password: 
The system has been registered with ID: c71688cb-86b8-4fb3-960c-c97993a17d13 

# tail -f production.log
2015-08-27 06:49:23 [I] Completed 200 OK in 155ms (Views: 0.4ms | ActiveRecord: 0.0ms)
2015-08-27 06:49:50 [I] Processing by Api::V2::FiltersController#index as JSON
2015-08-27 06:49:50 [I]   Parameters: {"search"=>"role_id = \"11\"", "apiv"=>"v2", "filter"=>{}}
2015-08-27 06:49:50 [I] Authorized user admin(Admin User)
2015-08-27 06:49:51 [I]   Rendered api/v2/filters/index.json.rabl within api/v2/layouts/index_layout (97.0ms)
2015-08-27 06:49:51 [I] Completed 200 OK in 167ms (Views: 100.0ms | ActiveRecord: 26.6ms)
2015-08-27 06:51:07 [I] Processing by HostsController#externalNodes as YML
2015-08-27 06:51:07 [I]   Parameters: {"name"=>"tyan-gt24-03.rhts.eng.bos.redhat.com"}
2015-08-27 06:51:09 [I]   Rendered text template (0.0ms)
2015-08-27 06:51:09 [I] Completed 200 OK in 1850ms (Views: 14.4ms | ActiveRecord: 426.4ms)

Comment 11 errata-xmlrpc 2015-09-15 07:21:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1786