Bug 1500979
| Summary: | [RFE] Please provide a Pre-made role for registration-only usage | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Vincent S. Cojot <vcojot> |
| Component: | Users & Roles | Assignee: | Daniel Lobato Garcia <dlobatog> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Lukáš Hellebrandt <lhellebr> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.12 | CC: | bbuckingham, bmidwood, cmarinea, cwelton, dhlavacd, jhutar, lhellebr, mhulan, peter.vreman, smercurio |
| Target Milestone: | Unspecified | Keywords: | EasyFix, FutureFeature, UserExperience |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1605195 | Environment: | |
| Last Closed: | 2019-02-21 23:19:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1122832, 1605195 | | |
Description
Vincent S. Cojot
2017-10-11 21:54:08 UTC
Thanks for the great report. Since the permission list contains Katello and Foreman core permissions only, I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it, but I'll try to prioritize this.

Created redmine issue http://projects.theforeman.org/issues/21307 from this bug

Upstream bug assigned to dlobatog

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.

FailedQA with Sat 6.4 snap 12.

Tried registration through
1) Create Host dialogue
2) Subscription manager
3) bootstrap
... and everything was successful.

HOWEVER, the user with registration role is also able to edit and delete hosts. That means a person with credentials of this "register-only" user can:
* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered, but the current state seems like a security issue.

Have you read the BZ description? The suggested list of permissions contained edit_content_hosts, destroy_content permissions in the list. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove the FailedQA flag, thanks.

After discussion with Marek, we decided to document potentially unexpected permissions of the role. I will verify this BZ once bug 1605195 gets verified. That means this BZ should probably be moved to GA.

Should this be moved back to ONQA?

Corey, I'd only move this to ON_QA once bug 1605195 gets fixed.

Lukáš, the linked bug is now closed. Could you please adjust the state now? IMHO it should be VERIFIED.
I do not understand why it was ASSIGNED until now, as engineering couldn't do anything, so ON_QA was IMHO a better state as it was pending verification until documentation was updated. Anyway, please move the bug to the correct state now.

This was resolved in Satellite 6.4; therefore, moving to CLOSED:CURRENTRELEASE. Thanks!
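
The QA concern raised in this thread (a registration role that can also edit and delete any host) can be checked mechanically before such a role is handed out. The following is an added example, not code from Satellite, Foreman or any commenter on this bug: it flags permissions in a role's filters whose verb goes beyond view/create and rates unscoped edit/destroy highest. The filter record layout, the sample filters and the choice of expected verbs are assumptions made for illustration.

```python
# Added example (not Satellite/Foreman code): least-privilege audit of a
# role that is meant to be registration-only.

# Assumption: verbs a registration-only account is expected to need.
EXPECTED_VERBS = {"view", "create"}
# Verbs that change or remove objects that already exist.
MUTATING_VERBS = {"edit", "destroy"}

# Constructed sample, NOT the role shipped with Satellite. Each record is one
# role filter: permission names plus an optional search query limiting scope.
SAMPLE_FILTERS = [
    {"search": None,
     "permissions": ["view_hosts", "create_hosts", "edit_hosts", "destroy_hosts"]},
    {"search": "organization = Example",
     "permissions": ["view_content_hosts", "edit_content_hosts"]},
    {"search": None,
     "permissions": ["view_activation_keys", "attach_subscriptions"]},
]

RANK = {"high": 0, "medium": 1, "review": 2}

def audit_role(filters, expected_verbs=EXPECTED_VERBS):
    """Return (level, permission, resource, scope) tuples, worst first."""
    findings = []
    for flt in filters:
        search = (flt.get("search") or "").strip()
        scope = search if search else "all objects"
        for perm in flt.get("permissions", []):
            verb, _, resource = perm.partition("_")
            if verb in expected_verbs and resource:
                continue  # within what registration is expected to need
            if verb in MUTATING_VERBS:
                # Unscoped edit/destroy applies to every object of that type.
                level = "medium" if search else "high"
            else:
                level = "review"  # unknown verb or malformed name
            findings.append((level, perm, resource, scope))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    for level, perm, resource, scope in audit_role(SAMPLE_FILTERS):
        print(f"{level:<6} {perm:<22} resource={resource:<14} scope={scope}")
```

A "review" finding means the verb is neither expected nor mutating, so a person has to decide whether registration needs it.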