Bug 1296662

This seems to fix things nicely:

# diff ./app/services/foreman/access_permissions.rb.orig ./app/services/foreman/access_permissions.rb
375a376,378
>     map.permission :view_params,    {:host_editing => [:view_params],
>                                      :"api/v2/parameters" => [:view]
>     }

# grep view_params db/seeds.d/03-permissions.rb
  ['Parameter', 'view_params'],

Then ran a foreman-rake db:seed

# hammer filter available-permissions --resource-type Parameter
----|----------------|----------
ID  | NAME           | RESOURCE
----|----------------|----------
67  | create_params  | Parameter
68  | edit_params    | Parameter
69  | destroy_params | Parameter
239 | view_params    | Parameter
----|----------------|----------

Created redmine issue http://projects.theforeman.org/issues/13164 from this bug

Upstream bug component is Provisioning

Currently if you don't assign create_params/edit_params you can still view then if you have permissions to edit the host/hostgroup/domain (wherever you are looking at the parameters).

Would you want to hide the parameters on all objects unless you give the specific permission?
What about the roles that currently only have permissions like edit_host but expect to continue seeing the parameters as they did until now?

Upstream bug component is Users & Roles

(In reply to orabin from comment #6)

I'm not looking (at the moment!) to change the behavior of the params permissions. We wanted to give users the ability to view and edit the params on locations. I noticed there was no view_param role (despite view_param being referred to in numerous views). So *simply* adding this should suffice for now thanks.

view should allow users the ability to view
edit should allow users to edit existing parameters
create should allow users to create new parameters

Hence I'd expect ALL users who need to edit params to also have the view_params role. I would expect that in order to view parameters on hosts / hostgroups etc that you would need view_params permission... Checking this I can see the with NO params permissions I can indeed see hosts params which I'd suggest is wrong (you're assuming that edit_hosts should also allow edit_params - we could probably debate endlessly!). That is probably a separate bug for now though which I'll raise. I think the permissions model overall needs some work....!

@andrew: adding the view_params permissions turned out to be more complex than it seemed at the beginning and it might take some time to finish properly.

If I understand your case properly, the main priority right now is to be able to edit the parameters in locations by non-admin users.

What we can do to unblock you, before the proper view_params permission is finalized, is to change the behavior in the locations to use `edit_params` permissions instead of the `view_params`.

Would this approach unblock you at your use case?

Moving to POST since upstream bug http://projects.theforeman.org/issues/13164 has been closed

FAILED QA
for sat 6.2.0 GA18.1

This filter works, however having only `view_hosts` filter does not allow user to list host info now. I believe this is not a desired behavior.

# hammer filter available-permissions --resource-type Parameter
[Foreman] Password for admin: 
----|----------------|----------
ID  | NAME           | RESOURCE 
----|----------------|----------
104 | create_params  | Parameter
105 | edit_params    | Parameter
106 | destroy_params | Parameter
259 | view_params    | Parameter
----|----------------|----------

#My user utilizes the 'View hosts' role:
# hammer -u admin -p changeme user info --id 4
Id:                   4
Login:                rplevka
Name:                  
... 
Roles:                
    View hosts
    Anonymous
User groups:          

Organizations:        
    Default Organization
...
# which i modified to contain the following filters:
# hammer -u admin -p changeme role filters --name="View hosts"
----|---------------|--------|------------|------------|-------------------
ID  | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE       | PERMISSIONS       
----|---------------|--------|------------|------------|-------------------
244 | Organization  | none   | yes        | View hosts | view_organizations
248 | Host          | none   | yes        | View hosts | view_hosts        
----|---------------|--------|------------|------------|-------------------

# Getting a list of hosts works just fine:
# hammer -u rplevka -p changeme host list
---|--------------------------------|------------------|------------|---------------|------------------
ID | NAME                           | OPERATING SYSTEM | HOST GROUP | IP            | MAC              
---|--------------------------------|------------------|------------|---------------|------------------
2  | my-centos-1.blah.com | CentOS 7         | my-hg-1    | 192.168.100.2 | 52:54:00:b0:c1:3a
3  | my-centos-2.blah.com | CentOS 7         | my-hg-2    | 192.168.100.4 | 52:54:00:1b:c6:db
---|--------------------------------|------------------|------------|---------------|------------------

# However listing a host information does not (as it contains parameter info and i didn't add a view_parameter role):
# hammer -u rplevka -p changeme host info --id 2
Forbidden - server refused to process the request

- this pretty much renders whole view_hosts filter useless as one sees 'all or nothing'.

Not sure what should be the desired behavior, but I would vote for cutting off the 'Parameters:' part and print out the rest.

VERIFIED
(sat6.2 snap19.1)
putting this to verified since regressions mentioned above have been reported as new BZ's.

`view_params` filter is in place and working.

The changes to introduce the view_parmas proper turned out to be to be quite big and risky and need some time to stabilize. Before we have a better confidence that they actually work well with the rest of the product, we will go to use the edit_params instead of view_params permission in the locations/organizations form to unblock it's usage from non-admin users, as part of https://bugzilla.redhat.com/show_bug.cgi?id=1354572

Apologies for my late entry into this.

@Ivan:

Some comments:

1) view_params really needs to be *view* throughout (and needs to work with *all* params in locations, hosts, hostgroups, subnets, domains and where ever else you can set a param)

2) edit_params needs to allow *edit* for the above.

These are both distinct and separate. The reason being that we have a need to be able to use the roles to restrict users from editing some parameters (for example we define the root password as a crypted string in the locations, but we don't want host owners (or hostgroup owners) to be able to modify this.)

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

The code is merged upstream, just not delivered as 6.2 GA, moving back to POST

VERIFIED
sat6.3 snap#5

- not having the view_param permission now prints entity info excepting hte parameters section.

qe_test_coverage PR: https://github.com/SatelliteQE/robottelo/pull/5299

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336