Bug 1387384

Summary: Problem with accessing content host page with custom roles
Product: Red Hat Satellite Reporter: Paul Gozart <pgozart>
Component: Hosts - ContentAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED CURRENTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.2.2CC: bbuckingham, bnh1, dhawke, dhlavacd, jalviso, jcallaha, jnikolak, jsherril, jucastro, pgozart, satellite6-bugs
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-01 15:14:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Paul Gozart 2016-10-20 18:23:27 UTC 
Description of problem:
When creating a custom role to access content hosts and restricting it to a specific host collection then assigning only that role to a user we are experiencing a constant loading screen on the content host page.


Version-Release number of selected component (if applicable):
6.2.2 satellite server


How reproducible:
1. Create organization, location and host collection with unique name.
2. Create user that is assigned to only the appropriate organization and location
3. Now create role as an admin, click Roles and click new role and name it "<Unique host collection name> Admin Role" and save it
4. Click on the role that was just created and click on the filters tab
5. Click New Filter
6. Click Resource type and select "Host" Resource type.
7. Click the + symbol to move all the items to the selected items block
8. Uncheck the "Unlimited" box
9. Click in the search box at the bottom and enter " host_collection = <Unique host collection name> 
10. Click submit
11. Now click on the new filter and repeat the process to add all of the "Content Hosts" Resource type.
12. Remove all other roles from the unique user that was created and assign the new custom role that was created above to that user. 
13. Login to the satellite ui, click hosts, click content hosts and it'll go to a page that never gets past displaying "Loading..."


Actual results:
Content Hosts page spins a "Loading..." icon endlessly


Expected results:
User with access to see specific content hosts, sees only those content hosts.


Additional info:
Secure Government Lab with TAM needs to be able to create a host collection and give access to a user to administer only those hosts.  The reproduction steps above seems to be a way to do that except that the content hosts page doesn't load.  A fix is needed as soon as possible.
Comment 4 Brad Buckingham 2016-10-25 16:16:57 UTC 
Based on the scenario provided in the initial description, it looks like the non-admin user will also need to have the following filter added to their role:

- Resource: Organization
- Permissions: view_organizations

Note: the organizations can be limited to those that the user should be restricted to.

I have tested this on a 6.2.2 configuration and it is allowing my user to view Content -> Content Hosts.

Can you please confirm that the same works for you?
Comment 5 Paul Gozart 2016-11-07 19:08:36 UTC 
(In reply to Brad Buckingham from comment #4)
> Based on the scenario provided in the initial description, it looks like the
> non-admin user will also need to have the following filter added to their
> role:
> 
> - Resource: Organization
> - Permissions: view_organizations
> 
> Note: the organizations can be limited to those that the user should be
> restricted to.
> 
> I have tested this on a 6.2.2 configuration and it is allowing my user to
> view Content -> Content Hosts.
> 
> Can you please confirm that the same works for you?


I got word from the customer that 'view_organizations' was the problem.  

This BZ can be closed unless we feel like there is something we can do to avoid this confusion in the future such as notification that the action cannot be performed due to insufficient permissions. Simply "Loading..." endlessly might not be ideal.
Comment 6 Brad Buckingham 2016-11-07 19:50:03 UTC 
From initial investigation, it appears that the behavior on Content Hosts is inconsistent with some of the other pages (e.g. Activation Keys, Products, Sync Plans, Host Collections...).  When accessing those pages, the UI also sends to the server the organization_id to support filtering the content that will be returned; however, the API does not specifically reject returning the content based upon the organization permission. 

I am going to assign this bugzilla over to the Host component to see if perhaps the API could be altered to provide similar behavior to the katello APIs for this case.  If not, we may want to defer (or close) this bugzilla as the issue should/could ultimately be addressed if/when the Host and Content Host UIs are unified in the future.

The following is an example of the API invoked by Content Hosts ui:
   GET api/v2/hosts?organization_id=1
Comment 12 Brad Buckingham 2017-06-09 13:20:28 UTC 
Did the user attempt to add the view_organization permission to their custom role?  (Please see bugzilla comment 4.)
Comment 13 jalviso 2017-06-12 07:01:36 UTC 
Hi Brad,

Thank you, adding "view_organization" allows the user to view the Content Host
it is filtered to view. Now the adverse effect is; when creating a Host Group
using this User, it won't create. It does not allow to add any organization as it is only Viewing. Previously without adding Organization Filter, HG is created defaulting to the User assigned organization.

I have workaround this by adding permission "assigned_organization" then further adding search filter "name ~ user_org". I haven't checked though what else is affected.

Cheers,

Josephine
Comment 14 Justin Sherrill 2018-03-01 15:05:20 UTC 
Josephine, yes your workaround is expected.  You need the 'assign_organization' and 'assign_location' permissions in order to create a hostgroup with that org and location.
Comment 15 Justin Sherrill 2018-03-01 15:14:51 UTC 
The issue around needing a 'view_organization' permission to see content_hsots appears to be resolved in 6.3.  I created a role with just "view_hosts", and the user can see hosts on both the host and content_host page with no problem.