Bug 1464137

Summary: API - non-admin user can't create entities within org and loc he belongs to
Product: Red Hat Satellite
Reporter: Stanislav Tkachenko <stkachen>
Component: Organizations and Locations
Assignee: Marek Hulan <mhulan>
Status: CLOSED ERRATA
QA Contact: Sanket Jagtap <sjagtap>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: bbuckingham, ehelms, jalviso, mhulan, oshtaier, sjagtap, tstrachota, zhunting
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: foreman-1.16.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Stanislav Tkachenko 2017-06-22 13:45:39 UTC
Description of problem:
A newly created non-admin user with create permissions can't create an entity within the organization and location he belongs to (in the example below it is Subnet and 'create_subnets'). Other entities are affected as well (tested with Subnet, Host and Domain).

> Making HTTP POST request to https://sat6.com/api/v2/users with options... and data {"user": {..., "location_ids": [491], "organization_ids": [490]}}.

> Received HTTP 201 response: {"default_location":null,"locations":[{"id":491,"name":"OgyTrUojzLM","title":"OgyTrUojzLM","description":null}],"default_organization":null,"organizations":[{"id":490,"name":"hfspaJbBY","title":"hfspaJbBY","description":null}],...}

> Making HTTP POST request to https://sat6.com/api/v2/subnets with options ... and data {"subnet": {..., "location_ids": [491], "organization_ids": [490]}}.

> Received HTTP 422 response: {
>  "error": {"id":null,"errors":{"organization_ids":["Invalid organizations selection, you must select at least one of yours"],"location_ids":["Invalid locations selection, you must select at least one of yours"]},"full_messages":["Organization ids Invalid organizations selection, you must select at least one of yours","Location ids Invalid locations selection, you must select at least one of yours"]}

Version-Release number of selected component (if applicable):
Satellite 6.3 Snap 3.0:
* satellite-6.3.0-15.0.beta.el7sat.noarch
* foreman-1.15.0-1.el7sat.noarch
* katello-3.4.1-1.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create non-admin user with org and loc and grant create permissions (e.g. create_domains)
2. Try to create entity (e.g. Domain)
3. Check whether it was created or error is raised

Actual results:
422 error

Expected results:
Entity should be created

Additional info:

Comment 2 Marek Hulan 2017-06-26 11:43:24 UTC
Could you please provide the full reproducer? Ideally the curl/wget commands you're using, also for user creation and permission setup. I can't reproduce the behavior.

The following hammer commands did the trick for me:

    hammer user create --login orgtest --mail ares --password changeme --organization-ids 1 --location-ids 2 --auth-source-id 1

    hammer user add-role --login orgtest --role Manager

    hammer -u orgtest -p changeme subnet create --organization-ids 1 --location-ids 2 --name Test --network 192.168.0.1 --mask 255.255.255.0

Also please list all roles and their configuration that the user is assigned.

Comment 5 Marek Hulan 2017-06-28 15:01:54 UTC
Thanks Stanislav, now I see what's going on. Your user does not have permissions "assign_location" and "assign_organization" which are required to create resources assigned to orgs and locs. I think the validation message could be more descriptive, e.g. 'Organization ids Invalid organizations selection, you must select at least one of yours for which you have permission to `assign_organization`'. Would that be a good solution? Also if you agree, I think this is not a 6.3 blocker so I'd move it to sat-backlog even though I'd provide the fix right away.

Comment 7 Stanislav Tkachenko 2017-06-29 05:15:45 UTC
(In reply to Marek Hulan from comment #5)
I've checked with additional permissions, now tests are passing :)

> I think the validation
> message could be more descriptive, e.g. 'Organization ids Invalid
> organizations selection, you must select at least one of yours for which you
> have permission to `assign_organization`'. Would that be a good solution?
Yes, a more descriptive message would be great.

> Also if you agree, I think this is not a 6.3 blocker so I'd move it to
> sat-backlog even though I'd provide the fix right away.
Agree.

Comment 8 Marek Hulan 2017-06-29 13:31:07 UTC
Created redmine issue http://projects.theforeman.org/issues/20165 from this bug

Comment 9 Satellite Program 2017-06-29 14:14:51 UTC
Upstream bug assigned to mhulan

Comment 10 Satellite Program 2017-06-29 14:14:54 UTC
Upstream bug assigned to mhulan

Comment 11 Marek Hulan 2017-06-30 14:00:28 UTC
*** Bug 1462388 has been marked as a duplicate of this bug. ***

Comment 12 Satellite Program 2017-06-30 18:14:41 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20165 has been resolved.

Comment 13 Sanket Jagtap 2017-12-01 07:22:03 UTC
Build: Satellite 6.3.0 snap 26

Using the reproducer steps

The new error generated is more detailed and the required permissions are displayed in the error:

curl -s -H "Content-Type: application/json" -H "Accept:application/json" -k -u "apple:apple" -X POST -d '{"domain": {"name": "apple", "location_ids": [8], "organization_ids": [7]}}'  https://sathost/api/v2/domains
{
  "error": {"id":null,"errors":{"organization_ids":["Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission."],"location_ids":["Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission."]},"full_messages":["Organization ids Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission.","Location ids Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission."]}
}
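As an added illustration (not Foreman's or Satellite's own code), here is a small Python model of the rule Marek describes in comment 5 and of the 422 body shown in comment 13: a non-admin user must both belong to the selected org/loc and hold the matching assign_organizations/assign_locations permission, and a client-side helper pulls the permission names out of a 422 body so a caller can tell a missing permission from a wrong id. The User class, its field names and the simplified validation order are assumptions.

```python
"""Model of the org/loc check behind this bug's 422 (added example, not Foreman code)."""
import json
import re
from dataclasses import dataclass, field

# Messages copied from the fixed build in comment 13.
ORG_MSG = ("Invalid organizations selection, you must select at least one of yours "
           "and have 'assign_organizations' permission.")
LOC_MSG = ("Invalid locations selection, you must select at least one of yours "
           "and have 'assign_locations' permission.")


@dataclass
class User:  # hypothetical stand-in for the Foreman user record
    login: str
    admin: bool = False
    organization_ids: set = field(default_factory=set)
    location_ids: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


def validate_taxonomies(user, organization_ids, location_ids):
    """Return a Foreman-style errors dict, empty when the selection is allowed.
    Simplified reading of comment 5: admins pass; a non-admin may only pick
    orgs/locs he belongs to AND must hold the matching assign_* permission.
    Either failure produces the same message, as in comment 13."""
    errors = {}
    if user.admin:
        return errors
    checks = [
        ("organization_ids", set(organization_ids), user.organization_ids,
         "assign_organizations", ORG_MSG),
        ("location_ids", set(location_ids), user.location_ids,
         "assign_locations", LOC_MSG),
    ]
    for attr, selected, owned, perm, msg in checks:
        if not selected <= owned or perm not in user.permissions:
            errors[attr] = [msg]
    return errors


def missing_assign_permissions(response_body):
    """Pull the assign_* permissions named in a 422 body of the comment 13 shape,
    so a client can tell a missing permission from a bad org/loc id."""
    body = json.loads(response_body)
    found = set()
    for messages in body.get("error", {}).get("errors", {}).values():
        found.update(re.findall(r"'(assign_\w+)' permission", " ".join(messages)))
    return sorted(found)
```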

Comment 14 Satellite Program 2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336