Bug 1500979

Summary: [RFE] Please provide a Pre-made role for registration-only usage
Product: Red Hat Satellite
Reporter: Vincent S. Cojot <vcojot>
Component: Users & Roles
Assignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium
Priority: unspecified
Version: 6.2.12
CC: bbuckingham, bmidwood, cmarinea, cwelton, dhlavacd, jhutar, lhellebr, mhulan, peter.vreman, smercurio
Target Milestone: Unspecified
Keywords: EasyFix, FutureFeature, UserExperience
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clones: 1605195
Last Closed: 2019-02-21 23:19:19 UTC
Type: Bug
Bug Blocks: 1122832, 1605195

Description Vincent S. Cojot 2017-10-11 21:54:08 UTC
Description of problem:

Because bootstrap.py requires a login and password in clear text, I decided to follow https://access.redhat.com/solutions/1570203 to create an unprivileged role to which I could assign that user.

In the end, on sat 6.2.12, this proved to be a daunting task because the KB article was incomplete.
Here's the set of permissions which worked for me:

[root@sat6 ~]# hammer  role filters --id 22
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH | UNLIMITED? | ROLE           | PERMISSIONS
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
173 | Katello::ActivationKey  | none   | yes        | Register Hosts | view_activation_keys
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
175 | Katello::ContentView    | none   | yes        | Register Hosts | view_content_views
176 | Katello::GpgKey         | none   | yes        | Register Hosts | view_gpg_keys
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
178 | Host                    | none   | yes        | Register Hosts | view_hosts
179 | Katello::HostCollection | none   | yes        | Register Hosts | view_host_collections
180 | Organization            | none   | yes        | Register Hosts | view_organizations
182 | Katello::KTEnvironment  | none   | yes        | Register Hosts | view_lifecycle_environments
183 | Katello::Product        | none   | yes        | Register Hosts | view_products
184 | Location                | none   | yes        | Register Hosts | view_locations
185 | Domain                  | none   | yes        | Register Hosts | view_domains
186 | Architecture            | none   | yes        | Register Hosts | view_architectures
187 | Operatingsystem         | none   | yes        | Register Hosts | view_operatingsystems
----|-------------------------|--------|------------|----------------|------------------------------------------------------------------------

This allowed me to use bootstrap like this:
bootstrap.py -l register -p password -s ${SAT_HOSTNAME} -o ${SAT_ORGANIZATION} -a ${ACTIVATION_KEY} -L ${SAT_LOCATION} -g ${SAT_HOSTGROUP} -O ${SAT_OS_NAME} --enablerepos=* --skip-puppet --force

Most importantly, view_operatingsystems, view_architectures, view_domains and view_locations are missing from the above KB article.

Please provide a pre-defined role in 6.2.z/6.3.z so people don't have to go through this.
Thank you,

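As an added example, not part of the bug report or of Satellite itself: a small Python audit that parses the `hammer role filters` table above and reports every permission whose verb goes beyond what registration needs. The verb allowlist is my assumption; the sample rows are copied from the output above, including the cell hammer truncated to `destroy_content...`, which the script flags rather than guesses.

```python
"""Audit a Satellite/Foreman role as printed by `hammer role filters --id <ID>`
and report permissions that exceed what host registration needs."""
import sys

# Assumption: a registration-only role needs read lookups plus creating the
# content host record and attaching subscriptions. Any other verb (edit,
# destroy, power, ...) lets the account change or remove existing hosts.
REGISTRATION_VERBS = {"view", "create", "attach"}

def parse_hammer_filters(text):
    """Parse the pipe-delimited table that `hammer role filters` prints into
    dicts (id, resource, role, permissions). A cell hammer truncated with
    '...' is kept verbatim so it can be flagged rather than guessed."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) <= set("-|"):
            continue                      # blank line or ---|--- separator
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 6 or cells[0] == "ID":
            continue                      # column header row
        perms = [p.strip() for p in cells[5].split(",") if p.strip()]
        rows.append({"id": cells[0], "resource": cells[1],
                     "role": cells[4], "permissions": perms})
    return rows

def find_excess_permissions(text, allowed_verbs=REGISTRATION_VERBS):
    """Return [(resource, permission, truncated)] for every permission whose
    verb prefix (the part before the first '_') is not in allowed_verbs."""
    excess = []
    for row in parse_hammer_filters(text):
        for perm in row["permissions"]:
            verb = perm.split("_", 1)[0]
            if verb not in allowed_verbs:
                excess.append((row["resource"], perm, perm.endswith("...")))
    return excess

# Constructed sample: three rows copied from the bug report's hammer output.
SAMPLE = """\
----|-------------------------|--------|------------|----------------|------------
ID  | RESOURCE TYPE           | SEARCH | UNLIMITED? | ROLE           | PERMISSIONS
----|-------------------------|--------|------------|----------------|------------
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
"""

if __name__ == "__main__":            # pass a saved hammer output file, else SAMPLE
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for resource, perm, truncated in find_excess_permissions(text):
        print(f"{resource}: {perm}" + (" (truncated by hammer)" if truncated else ""))
```

Run it against the saved output of `hammer role filters --id <ID>` for the role you intend to hand to bootstrap.py; any line it prints is a permission that lets that account do more than register a host.
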
Comment 1 Marek Hulan 2017-10-12 07:52:00 UTC
Thanks for the great report. Since the permission list contains Katello and Foreman core permissions only, I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it but I'll try to prioritize this.

Comment 2 Marek Hulan 2017-10-12 08:14:16 UTC
Created redmine issue http://projects.theforeman.org/issues/21307 from this bug

Comment 3 Satellite Program 2017-11-21 13:19:38 UTC
Upstream bug assigned to dlobatog

Comment 4 Satellite Program 2017-11-21 13:19:41 UTC
Upstream bug assigned to dlobatog

Comment 5 Satellite Program 2017-11-29 21:19:42 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.

Comment 6 Lukáš Hellebrandt 2018-07-20 09:47:47 UTC
FailedQA with Sat 6.4 snap 12.

Tried registration through

1) Create Host dialogue
2) Subscription manager
3) bootstrap

... and everything was successful.

HOWEVER, the user with the registration role is also able to edit and delete hosts. That means a person with credentials of this "register-only" user can:

* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered but the current state seems like a security issue.

Comment 7 Marek Hulan 2018-07-20 10:19:51 UTC
Have you read the BZ description? The suggested list of permissions contained the edit_content_hosts and destroy_content permissions. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove the FailedQA flag, thanks.

Comment 8 Lukáš Hellebrandt 2018-07-20 12:38:48 UTC
After discussion with Marek, we decided to document potentially unexpected permissions of the role. I will verify this BZ once bug 1605195 gets verified. That means this BZ should probably be moved to GA.

Comment 9 Corey Welton 2018-07-29 15:27:02 UTC
Should this be moved back to ONQA?

Comment 12 Lukáš Hellebrandt 2018-08-20 12:40:24 UTC
Corey, I'd only move this to ON_QA once bug 1605195 gets fixed.

Comment 13 Marek Hulan 2018-09-04 08:22:12 UTC
Lukáš, the linked bug is now closed. Could you please adjust the state now? IMHO it should be VERIFIED. I do not understand why it was ASSIGNED until now, as engineering couldn't do anything, so ON_QA was IMHO the better state as it was pending verification until the documentation was updated. Anyway, please move the bug to the correct state now.

Comment 14 Lukáš Hellebrandt 2018-09-05 09:25:40 UTC
Verified as per comment 6, comment 8 and the fact that the docs BZ is now CLOSED_NEXTRELEASE.

Comment 20 Brad Buckingham 2019-02-21 23:19:19 UTC
This was resolved in Satellite 6.4; therefore, moving to CLOSED:CURRENTRELEASE. Thanks!