Bug 1605195

Summary: [RFE] Please provide a Pre-made role for registration-only usage
Product: Red Hat Satellite Reporter: Marek Hulan <mhulan>
Component: DocumentationAssignee: Sergei Petrosian <spetrosi>
Status: CLOSED NEXTRELEASE QA Contact: Melanie Corr <mcorr>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.4CC: adahms, bkearney, bmidwood, dhlavacd, dlobatog, lhellebr, mhulan, peter.vreman, smercurio, swadeley, vcojot
Target Milestone: UnspecifiedKeywords: EasyFix, FutureFeature, Triaged, UserExperience
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1500979 Environment:
Last Closed: 2018-09-03 06:23:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1500979    
Bug Blocks:    

Description Marek Hulan 2018-07-20 12:28:46 UTC
In 6.4 we are adding a role "Register host" which contains also permissions for host editing and deletion. This is required for re-registering, unregistrering the host. That also means user with this role can delete other hosts, which users might not be aware of. So product documentation should document this. Also it should say that if this is not desired, the role can be cloned and these two permissions removed.

+++ This bug was initially created as a clone of Bug #1500979 +++

Description of problem:

Because bootstrap.py requires a login and password in clear text, I decided to follow https://access.redhat.com/solutions/1570203 to create an unpriviledged role to which I could assign that user.

In the end, on sat 6.2.12, this proved to be a daunting task because the KB article was incomplete.
Here's the set of permissions which worked for me:

[root@sat6 ~]# hammer  role filters --id 22
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
173 | Katello::ActivationKey  | none   | yes        | Register Hosts | view_activation_keys
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
175 | Katello::ContentView    | none   | yes        | Register Hosts | view_content_views
176 | Katello::GpgKey         | none   | yes        | Register Hosts | view_gpg_keys
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
178 | Host                    | none   | yes        | Register Hosts | view_hosts
179 | Katello::HostCollection | none   | yes        | Register Hosts | view_host_collections
180 | Organization            | none   | yes        | Register Hosts | view_organizations
182 | Katello::KTEnvironment  | none   | yes        | Register Hosts | view_lifecycle_environments
183 | Katello::Product        | none   | yes        | Register Hosts | view_products
184 | Location                | none   | yes        | Register Hosts | view_locations
185 | Domain                  | none   | yes        | Register Hosts | view_domains
186 | Architecture            | none   | yes        | Register Hosts | view_architectures
187 | Operatingsystem         | none   | yes        | Register Hosts | view_operatingsystems

This allowed me to use bootstrap like this:
bootstrap.py -l register -p password -s ${SAT_HOSTNAME} -o ${SAT_ORGANIZATION} -a ${ACTIVATION_KEY} -L ${SAT_LOCATION} -g ${SAT_HOSTGROUP} -O ${SAT_OS_NAME} --enablerepos=* --skip-puppet --force

Most importantly, view_operatingsystems, view_architectures, view_domains and view_locations are missing from the above KB article.

Please provide a pre-defined role in 6.2.z/6.3.z so people don't have to go through this.
Thank you,

--- Additional comment from Marek Hulan on 2017-10-12 03:52:00 EDT ---

Thanks for great report. Since the permission list contains Katello and Foreman core permissions only I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it but I'll try to prioritize this.

--- Additional comment from Marek Hulan on 2017-10-12 04:14:16 EDT ---

Created redmine issue http://projects.theforeman.org/issues/21307 from this bug

--- Additional comment from pm-sat on 2017-11-21 08:19:38 EST ---

Upstream bug assigned to dlobatog

--- Additional comment from pm-sat on 2017-11-21 08:19:41 EST ---

Upstream bug assigned to dlobatog

--- Additional comment from pm-sat on 2017-11-29 16:19:42 EST ---

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.

--- Additional comment from Lukáš Hellebrandt on 2018-07-20 05:47:47 EDT ---

FailedQA with Sat 6.4 snap 12.

Tried registration through

1) Create Host dialogue
2) Subscription manager
3) bootstrap

... and everything was successfull.

HOWEVER, the user with registration role is also able to edit and delete hosts. That means, a person with credentials of this "register-only" user can:

* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered but the current state seems like a security issue.

--- Additional comment from Marek Hulan on 2018-07-20 06:19:51 EDT ---

Have you read the BZ description? The suggested list of permission contained edit_content_hosts, destroy_content permissions in the list. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove FailedQA flag, thanks.

Comment 1 Andrew Dahms 2018-08-30 13:26:18 UTC
Assigning to Sergei for review.

Comment 10 Sergei Petrosian 2018-09-03 06:23:07 UTC
These changes are pushed to master and cherry-picked to 6.4-beta.

Thank you