
Bug 1284475

Summary: Filter with permission edit_config_groups is not actually limited by search expression
Product: Red Hat Satellite
Reporter: Shimon Shtein <sshtein>
Component: Users & Roles
Assignee: Marek Hulan <mhulan>
Status: CLOSED ERRATA
QA Contact: Tazim Kolhar <tkolhar>
Severity: medium
Priority: unspecified
Version: 6.0.4
CC: bbuckingham, bkearney, chpeters, cwelton, daobrien, tkolhar
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/9506
Doc Type: Bug Fix
Doc Text: Editing config groups did not respect permission filters. These filters are now respected.
Last Closed: 2016-01-21 07:42:58 UTC

Description Shimon Shtein 2015-11-23 12:40:40 UTC
I try to restrict access to specific config groups for a specific user. The new role should be able to filter the available config groups through their names. Therefore this user should not be able to change production relevant config groups.
I would need to use this feature in a real world DevOps scenario.

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name !=  production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

expected result -> the user should not be able to view or edit config groups with the string "production" in their names.
actual problem -> the user is allowed to view and edit all config groups, even ones with matching names to the exclusion search expression.

Thanks for your attention,
Roland
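
A simplified model of the check the report above expects, added here as an example and not taken from Foreman or Satellite: the class and method names are hypothetical, and only the permission names and the search expression come from the reproduction steps. It contrasts a check that looks at the permission name alone with one that also evaluates the filter's search expression per record.

```ruby
# Simplified model of role filters; not Foreman code. Class and method names
# are hypothetical. Only the permission names and the search expression
# come from the report.
ConfigGroup = Struct.new(:name)

class Filter
  attr_reader :permissions

  def initialize(permissions, search: nil)
    @permissions = permissions
    @search = search # nil models the "unlimited" checkbox
  end

  # Supports only `name = X` and `name != X`; anything else fails closed.
  def matches?(record)
    return true if @search.nil?
    m = @search.match(/\Aname\s*(!=|=)\s*(.+)\z/) or return false
    (record.name == m[2].strip) == (m[1] == "=")
  end
end

class Authorizer
  def initialize(filters)
    @filters = filters
  end

  # Models the reported outcome: the search expression is never consulted.
  def can_unscoped?(permission, _record)
    @filters.any? { |f| f.permissions.include?(permission) }
  end

  # Expected: the record must also satisfy the granting filter's search.
  def can?(permission, record)
    @filters.any? { |f| f.permissions.include?(permission) && f.matches?(record) }
  end

  # Listing reuses can?, so the index and the edit check cannot disagree.
  def visible(permission, records)
    records.select { |r| can?(permission, r) }
  end
end

# Constructed sample data mirroring the reproduction steps.
ROLE = Authorizer.new([
  Filter.new(%w[edit_classes]),
  Filter.new(%w[view_config_groups edit_config_groups],
             search: "name !=  production-apache")
])
GROUPS = [ConfigGroup.new("production-apache"), ConfigGroup.new("staging-apache")]
```

The same assertions work as a regression test: the restricted role must be denied both listing and editing of the excluded group, not just one of them.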

Comment 1 Shimon Shtein 2015-11-23 12:40:42 UTC
Created from redmine issue http://projects.theforeman.org/issues/9506

Comment 4 Bryan Kearney 2015-11-23 13:02:27 UTC
Upstream bug assigned to mhulan

Comment 5 Bryan Kearney 2015-11-23 13:02:28 UTC
Upstream bug component is Users & Roles

Comment 8 Tazim Kolhar 2016-01-05 11:49:50 UTC
VERIFIED:
# rpm -qa | grep foreman
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-client-1.0-1.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
puppet-foreman_scap_client-0.3.3-10.el7sat.noarch
foreman-vmware-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el7sat.noarch
foreman-ovirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.24-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.10-1.el7sat.noarch
foreman-debug-1.7.2.50-1.el7sat.noarch
foreman-proxy-1.7.2.8-1.el7sat.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-discovery-image-3.0.5-3.el7sat.noarch
foreman-libvirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_openscap-0.3.2.10-1.el7sat.noarch
foreman-gce-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.23-1.el7sat.noarch
foreman-selinux-1.7.2.17-1.el7sat.noarch
foreman-postgresql-1.7.2.50-1.el7sat.noarch
foreman-compute-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.4-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.14-1.el7sat.noarch

steps:

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name !=  production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

the user is not able to view or edit config groups with the string "production" in their names.

Comment 11 errata-xmlrpc 2016-01-21 07:42:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0052