Bug 1309056

Summary: Non-admin user with "view_content_host" right cannot view content host list.
Product: Red Hat Satellite
Reporter: Prakash Ghadge <pghadge>
Component: Hosts - Content
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Brad Buckingham <bbuckingham>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1.6
CC: bbuckingham, bkearney, erinn.looneytriggs, jsherril, mhulan, sthirugn
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 17:29:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Attachments:
Description | Flags
Foreman-tail output. content host page is accessed around 2016-02-16 22:52:28 | none

Description Prakash Ghadge 2016-02-16 18:11:29 UTC
Created attachment 1127663
Foreman-tail output. Content host page is accessed around 2016-02-16 22:52:28.

Description of problem:

Non-admin user with "view_content_host" right cannot view content host list.

Version-Release number of selected component (if applicable):

Satellite 6.1.7

How reproducible:

Always.

Steps to Reproduce:
1. Administer > Role > Give a name > Save
2. Click on newly created role to add filters. > Select filter > New filter
3. Under "Resource type" > Select Content host
4. Under the permission tab select "view_content_host"
5. Now click on the organization tab [next to the filter tab] > Select the organizations on which you want to grant access to this role.
6. Save.
7. Grant this newly created role to a user.
8. Now log in as the non-admin user which has the "view_content_host" right assigned and try to view the content host page.


Actual results:
When clicking on content host, it simply goes to the page and sits on loading without ever bringing up the hosts.

Expected results:
The page should load and list out the content hosts.

Additional info:

I tested this on Satellite 6.1.3, 6.1.4, 6.1.6 and 6.1.7, and the findings are a little strange:

Satellite 6.1.3 - "view_content_host" role is not working. Fails to load content host list.

Satellite 6.1.4 - Is working as expected.

Satellite 6.1.6 - "view_content_host" role is not working. Fails to load content host list.

Satellite 6.1.7 - "view_content_host" role is not working. Fails to load content host list.

I have attached logs collected from satellite 6.1.7 on to this bugzilla.

Comment 5 Erinn Looney-Triggs 2016-09-11 22:58:10 UTC
Is there any movement on this? I have a bunch of annoyed admins that want to be able to view content hosts in their organizations.

Comment 6 Marek Hulan 2016-12-02 14:21:09 UTC
Tested with 6.2.5, I still see the forever loading page. Checking the production.log it seems that it tries to fetch Foreman hosts from
/api/v2/hosts?organization_id=1&page=1&search=&sort_by=name&sort_order=ASC

This fails if the user does not have permission to view_organizations. When I add this permission to the user it works for me. Could you please verify that the user has the view_organizations permission?

I think the content host page should better handle errors when loading data. It's not specific to the permission system, so moving to the content host component.

Comment 7 Justin Sherrill 2016-12-19 19:12:17 UTC
Tested on 6.2.5 and was able to view content hosts with the following permissions:

Host - view_hosts 
Content Views - view_content_views
Lifecycle Environment - view_lifecycle_environments
Organizations - view_organizations, view_subscriptions

The first three were limited to an org; 'organizations' had a search with 'name = MyOrg'.

Comment 8 Marek Hulan 2016-12-20 10:14:33 UTC
Justin, shouldn't the page be fixed if the user doesn't have the view_organizations permission? When I was reproducing it, I saw that the spinner does not disappear and no error was displayed. I think that's bad user experience.

Comment 9 Justin Sherrill 2017-02-13 03:46:16 UTC
Hey Marek,

I would agree, it seems unnecessary.  The Katello UI is simply calling:

/api/v2/hosts?organization_id=1

and this is failing with a 404 not found unless you have organization read on that org.  Guessing the code in that controller would need to be changed to not actually care about readable orgs/locs.

Comment 11 Brad Buckingham 2017-08-09 16:07:15 UTC
Failed QA on Satellite 6.3 SNAP 10 : satellite-6.3.0-16.0.beta.el7sat.noarch , tfm-rubygem-katello-3.4.4-1.el7sat.noarch

- Configured a user with the role and permissions cited in comment 7
- Logged in as that user
- Went to Hosts -> All Hosts and Hosts -> Content Hosts
  - Neither page is showing any hosts; however, there should be some

Comment 12 Brad Buckingham 2017-08-09 17:45:55 UTC
Hi Marek, if you have a moment, can you take a look at this one?  The issue being observed may be different than the original bug; however, the bug cannot be verified.  With the current behavior, there are no errors, but the restricted user doesn't see any hosts or content hosts listed.

Comment 13 Brad Buckingham 2017-08-09 18:10:10 UTC
Adding a 'location' to the restricted user allows them to see the Hosts/Content Hosts.  In 6.2, this was not necessary.  Is the new behavior intentional?

This change in behavior may require existing Satellite users to update their users to be within a location.

Comment 14 Marek Hulan 2017-08-10 09:44:36 UTC
Brad, I believe this is the change that got in in 1.15. It was a fix for CVE-2016-7078: for a non-admin user it's impossible to see a resource which is not assigned to any organization/location. Please see the issue [1] and the description in the GitHub PR [2] for more details.

[1] http://projects.theforeman.org/issues/16982/
[2] https://github.com/theforeman/foreman/pull/3961

Comment 15 Bryan Kearney 2017-09-07 19:18:27 UTC
Putting needinfo back to Brad. Is this "as designed" then?

Comment 17 Brad Buckingham 2017-09-27 21:35:01 UTC
Correct.  The new behavior is working as designed.  Moving to VERIFIED.

User needs permissions as described in comment 7 + view_location.
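An added diagnostic, not from this thread nor from Foreman/Katello, that runs the checks the comments describe as the restricted user and reports why the Content Hosts page hangs (comments 6 and 9) or shows nothing (comments 13 and 17). It assumes HTTP basic auth and the standard Foreman API v2 list JSON ("total", "results"); the endpoint paths are the ones quoted in the thread.

```python
import base64
import json
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def probes(org_id):
    """The UI call from comment 9 plus the two lookups that explain its failure."""
    return {
        "hosts": f"/api/v2/hosts?organization_id={org_id}",
        "organization": f"/api/v2/organizations/{org_id}",
        "locations": "/api/v2/locations",
    }


def fetch(base_url, user, password, path):
    """GET one path as the restricted user; returns (HTTP status, parsed JSON or {})."""
    req = Request(base_url + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    try:
        with urlopen(req) as resp:
            return resp.getcode(), json.load(resp)
    except HTTPError as err:
        return err.code, {}


def diagnose(results):
    """results: probe name -> (status, body). Returns a list of findings (empty = OK)."""
    hosts_status, hosts_body = results["hosts"]
    org_status, _ = results["organization"]
    loc_status, loc_body = results["locations"]
    if hosts_status == 404 and org_status == 404:
        # Comment 6/9: the org is not readable, so the hosts lookup 404s and the UI spins.
        return ["hosts lookup 404: user lacks view_organizations on this org; "
                "the page will spin with no error shown"]
    if hosts_status >= 400:
        return [f"hosts lookup failed with HTTP {hosts_status}"]
    no_location = loc_status != 200 or loc_body.get("total", 0) == 0
    if hosts_body.get("total", 0) == 0 and no_location:
        # Comment 13/17: after the CVE-2016-7078 fix the user must also be in a location.
        return ["hosts list empty and no visible location: assign the user to a "
                "location and grant view_locations"]
    return []


if __name__ == "__main__":
    base, user, pw, org = sys.argv[1:5]  # e.g. https://satellite.example.com user pass 1
    res = {name: fetch(base, user, pw, path) for name, path in probes(org).items()}
    print("\n".join(diagnose(res)) or "content hosts visible: no problem detected")
```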

Comment 18 Bryan Kearney 2018-02-21 16:45:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
