| Field | Value |
|---|---|
| Summary: | Non-admin user with "view_content_host" right can not view content host list. |
| Product: | Red Hat Satellite |
| Component: | Hosts - Content |
| Version: | 6.1.6 |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | medium |
| Reporter: | Prakash Ghadge <pghadge> |
| Assignee: | satellite6-bugs <satellite6-bugs> |
| QA Contact: | Brad Buckingham <bbuckingham> |
| CC: | bbuckingham, bkearney, erinn.looneytriggs, jsherril, mhulan, sthirugn |
| Keywords: | Triaged |
| Target Milestone: | Unspecified |
| Target Release: | Unused |
| Hardware: | Unspecified |
| OS: | Linux |
| Doc Type: | Bug Fix |
| Type: | Bug |
| Last Closed: | 2018-02-21 17:29:44 UTC |
Is there any movement on this, I have a bunch of annoyed admins that want to be able to view content hosts in their organizations.

Tested with 6.2.5, I still see the forever loading page. Checking the production.log it seems that it tries to fetch Foreman hosts from /api/v2/hosts?organization_id=1&page=1&search=&sort_by=name&sort_order=ASC This fails if user does not have permission to view_organizations. When I add this permission to the user it works for me. Could you please verify that the user has the view_organizations permission? I think content host page should better handle errors when loading data. It's not specific to permission system so moving to content host component.

Tested on 6.2.5 and was able to view content hosts with the following permissions:

- Host - view_hosts
- Content Views - view_content_views
- Lifecycle Environment - view_lifecycle_environments
- Organizations - view_organizations, view_subscriptions

the first three were limited to an org, 'organizations' had a search with 'name = MyOrg'

Justin, shouldn't the page be fixed if user doesn't have view_organizations permission? When I was reproducing it, I saw that the spinner does not disappear and no error was displayed. I think that's bad user experience.

Hey Marek, I would agree, it seems unnecessary. The katello UI is simply calling: /api/v2/hosts?organization_id=1 and this is failing unless you have organization read on that org with a 404 not found. Guessing the code in that controller would need to be changed to not actually care about readable orgs/locs

Failed QA on Satellite 6.3 SNAP 10 : satellite-6.3.0-16.0.beta.el7sat.noarch , tfm-rubygem-katello-3.4.4-1.el7sat.noarch

- Configured a user with the role and permissions cited in comment 7
- Logged in as that user
- Went to Hosts -> All Hosts and Hosts -> Content Hosts
- Neither page is showing any hosts; however, there should be some

Hi Marek, if you have a moment, can you take a look at this one? The issue being observed may be different than the original bug; however, the bug cannot be verified. With the current behavior, there are no errors, but the restricted user doesn't see any hosts or content hosts listed. Adding a 'location' to the restricted user allows them to see the Hosts/Content Hosts. In 6.2, this was not necessary. Is the new behavior intentional? This change in behavior may require existing Satellite users to update their users to be within a location.

Brad, I believe this is the change that got in in 1.15. It was a fix for CVE 2016-7078, for non-admin user it's impossible to see resource which is not assigned to any organization/location. Please see the issue [1] and the description in github PR [2] for more details

[1] http://projects.theforeman.org/issues/16982/
[2] https://github.com/theforeman/foreman/pull/3961

Putting needinfo back to brad. Is this "as designed" then?

Correct. The new behavior is working as designed. Moving to VERIFIED. User needs permissions as described in comment 7 + view_location.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336
Created attachment 1127663
Foreman-tail output. content host page is accessed around 2016-02-16 22:52:28

Description of problem:
Non-admin user with "view_content_host" right can not view content host list.

Version-Release number of selected component (if applicable):
Satellite 6.1.7

How reproducible:
Always.

Steps to Reproduce:
1. Administer > Role > Give a name > Save
2. Click on newly created role to add filters. > Select filter > New filter
3. Under "Resource type" > Select Content host
4. Under the permission tab select "view_content_host"
5. Now click on organization tab [Next to filter tab] > Select organizations on which you want to grant access to this role.
6. Save.
7. Grant this newly created role to user.
8. Now login with the non-admin user which have "view_content_host" rights assigned and try to view the content host page.

Actual results:
when clicking on content host, it simply goes to the page and sits on loading without ever bringing up the hosts.

Expected results:
The page should load and list out the content hosts.

Additional info:
I tested this on satellite 6.1.3, 6.1.4, 6.1.6, 6.1.7 and the findings are little strange -

Satellite 6.1.3 - "view_content_host" role is not working. Fails to load content host list.
Satellite 6.1.4 - Is working as expected.
Satellite 6.1.6 - "view_content_host" role is not working. Fails to load content host list.
Satellite 6.1.7 - "view_content_host" role is not working. Fails to load content host list.

I have attached logs collected from satellite 6.1.7 on to this bugzilla.
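The production.log check mentioned in the comments (a 404 on the organization-scoped `/api/v2/hosts` request while the UI only shows a spinner) can be scripted; the following is an added example, not part of the bug report or of Satellite's code. It assumes Rails-style `Started ... / Completed ...` log lines, and the sample lines and the function name `find_org_scoped_host_404s` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the Rails "Started ... / Completed ..." style;
# they are not taken from the attachment on this bug.
SAMPLE_LOG = '''\
2016-02-16 22:52:28 [I] Started GET "/api/v2/hosts?organization_id=1&page=1&search=&sort_by=name&sort_order=ASC" for 192.0.2.10 at 2016-02-16 22:52:28 +0000
2016-02-16 22:52:28 [I] Processing by Api::V2::HostsController#index as JSON
2016-02-16 22:52:28 [I] Completed 404 Not Found in 41ms (Views: 0.4ms | ActiveRecord: 6.1ms)
2016-02-16 22:53:02 [I] Started GET "/api/v2/hosts?organization_id=1&page=1" for 192.0.2.11 at 2016-02-16 22:53:02 +0000
2016-02-16 22:53:02 [I] Completed 200 OK in 120ms (Views: 80.0ms | ActiveRecord: 12.3ms)
2016-02-16 22:53:10 [I] Started GET "/api/v2/hosts/42" for 192.0.2.10 at 2016-02-16 22:53:10 +0000
2016-02-16 22:53:10 [I] Completed 404 Not Found in 9ms (Views: 0.3ms | ActiveRecord: 1.0ms)
'''

STARTED = re.compile(
    r'^(?P<ts>\S+ \S+) .*Started (?P<verb>[A-Z]+) "(?P<url>[^"]+)" for (?P<ip>\S+)')
COMPLETED = re.compile(r'Completed (?P<status>\d{3}) ')


def find_org_scoped_host_404s(log_text):
    """Return (timestamp, client, organization_id) for every host *list*
    request scoped by organization_id that completed with 404.

    Assumption: a Completed line belongs to the most recent Started line,
    which holds only when requests are not interleaved in the log."""
    hits, pending = [], None
    for line in log_text.splitlines():
        m = STARTED.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = COMPLETED.search(line)
        if m and pending:
            url = urlsplit(pending["url"])
            org = parse_qs(url.query).get("organization_id")
            # Only the collection endpoint counts; /api/v2/hosts/<id> is a
            # different request and a 404 there has other causes.
            if (m["status"] == "404" and pending["verb"] == "GET"
                    and url.path == "/api/v2/hosts" and org):
                hits.append((pending["ts"], pending["ip"], org[0]))
            pending = None
    return hits


if __name__ == "__main__":
    for ts, ip, org in find_org_scoped_host_404s(SAMPLE_LOG):
        print(f"{ts} {ip}: host list for organization {org} returned 404; "
              "check view_organizations on the user's role")
```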