Bug 1694868

Summary: Non-Admin user can see All Remote Execution Jobs initiated by other users
Product: Red Hat Satellite
Reporter: Shekhar Raut <sraut>
Component: Remote Execution
Assignee: Leos Stejskal <lstejska>
Status: CLOSED ERRATA
QA Contact: Peter Ondrejka <pondrejk>
Severity: medium
Priority: high
Version: 6.4
CC: agadhave, ahumbe, aruzicka, egolov, inecas, lstejska
Target Milestone: 6.9.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Linux
Fixed In Version: tfm-rubygem-foreman_remote_execution-4.0.0
Doc Type: If docs needed, set a value
Last Closed: 2021-04-21 13:11:45 UTC
Type: Bug
Attachments: filter set used for verification (flags: none)

Description Shekhar Raut 2019-04-01 21:41:54 UTC
Non-Admin user can see All Remote Execution Jobs initiated by other users


Description of problem:

- Assign Remote Execution permissions to Non-Admin User.
- These permissions are restricted to some hosts
- The problem is that this user can see all Remote Execution Jobs under "Satellite Web UI --> Monitor --> Jobs"
- And if the user clicks on a job, not many details are visible in the Overview tab, but in the Preview templates tab the host and action info are still visible.

Version-Release number of selected component (if applicable): 6.4.x

How reproducible:

Steps to Reproduce:
  1. Create Non-Admin user on Satellite server
  2. Assign below permissions to user and restrict user to view HostCollection (HostCollection1) :

----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE      | SEARCH                            | UNLIMITED?| OVERRIDE? | ROLE           | PERMISSIONS                                                                    
----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------
301 | (Miscellaneous)    | none                              | yes       | no        | 01 Custom Role | access_dashboard                                                               
302 | Host               | host_collection = HostCollection1 | no        | no        | 01 Custom Role | view_hosts, edit_hosts, build_hosts, console_hosts                             
306 | Organization       | none                              | no        | no        | 01 Custom Role | view_organizations                                                             
308 | JobInvocation      | none                              | yes       | no        | 01 Custom Role | create_job_invocations, view_job_invocations, cancel_job_invocations           
312 | TemplateInvocation | none                              | yes       | no        | 01 Custom Role | view_template_invocations, create_template_invocations, filter_autocompletion...
314 | JobTemplate        | none                              | no        | no        | 01 Custom Role | view_job_templates, create_job_templates, edit_job_templates                   
----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------

  3. Log in as the user and go to "Satellite Web UI --> Monitor --> Jobs"
  4. User can see all Remote Execution Jobs

Actual results:
- User can see all Remote Execution Jobs

Expected results:
- User cannot see Remote Execution Jobs on which the user does not have permission
- Need to restrict the user to seeing only jobs initiated by that user

Additional info:

Comment 4 Adam Ruzicka 2019-10-02 11:03:03 UTC
Created redmine issue https://projects.theforeman.org/issues/27988 from this bug

Comment 5 Bryan Kearney 2020-07-23 12:05:34 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/27988 has been resolved.

Comment 6 Peter Ondrejka 2020-11-19 14:59:46 UTC
Tested on Satellite 6.9 snap 1 using the permission list from the problem description, the user can still see job invocations from other users.

Reproduction machine available upon request

Comment 7 Leos Stejskal 2020-11-25 09:09:18 UTC
The problem is in the Role filter settings. Limiting job invocations to the current user works only when the "Job invocations > view_job_invocations" permission has its search filter set to "user = current_user".

Comment 8 Peter Ondrejka 2020-11-25 09:40:00 UTC
Created attachment 1733302 [details]
filter set used for verification

Comment 9 Peter Ondrejka 2020-11-25 09:41:20 UTC
Using the additional filter from comment 7 just for the view permission, the limitation works as expected: only the user's own invocations are listed, and invocation creation remains unhampered. Verified on Satellite 6.9 snap 2
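As an added defender-side check, not part of this bug report or of Foreman's own code: the script below audits role filters (in the assumed shape of Foreman's /api/filters JSON, with constructed sample data mirroring the filter table in the description) and flags any view_job_invocations grant that is unlimited or lacks the "user = current_user" search from comment 7.

```python
"""Audit Foreman/Satellite role filters for over-broad view_job_invocations grants."""
import json

# Constructed sample resembling a GET /api/filters response. The field names
# ("search", "unlimited?", "role", "permissions") are an assumption about the
# API shape; filter 308 mirrors the unlimited JobInvocation row from the report.
SAMPLE_FILTERS_JSON = """
{"results": [
  {"id": 302, "search": "host_collection = HostCollection1", "unlimited?": false,
   "role": {"name": "01 Custom Role"},
   "permissions": [{"name": "view_hosts"}, {"name": "edit_hosts"}]},
  {"id": 308, "search": null, "unlimited?": true,
   "role": {"name": "01 Custom Role"},
   "permissions": [{"name": "create_job_invocations"},
                   {"name": "view_job_invocations"},
                   {"name": "cancel_job_invocations"}]},
  {"id": 320, "search": "user = current_user", "unlimited?": false,
   "role": {"name": "02 Fixed Role"},
   "permissions": [{"name": "view_job_invocations"}]}
]}
"""

REQUIRED_SCOPE = "user = current_user"  # the search filter from comment 7


def _normalize(search):
    """Lower-case and strip all whitespace so 'user=current_user' also matches."""
    return "".join((search or "").split()).lower()


def audit_job_invocation_filters(filters_json):
    """Return one finding per filter that grants view_job_invocations too broadly.

    A filter is over-broad when it is marked unlimited (search is ignored then)
    or when its search does not scope results to the current user.
    """
    findings = []
    for flt in json.loads(filters_json)["results"]:
        perms = {p["name"] for p in flt.get("permissions", [])}
        if "view_job_invocations" not in perms:
            continue
        scoped = _normalize(REQUIRED_SCOPE) in _normalize(flt.get("search"))
        if flt.get("unlimited?") or not scoped:
            findings.append({
                "filter_id": flt["id"],
                "role": flt["role"]["name"],
                "search": flt.get("search") or "(none)",
                "fix": f'set search to "{REQUIRED_SCOPE}" and clear the unlimited flag',
            })
    return findings


if __name__ == "__main__":
    for finding in audit_job_invocation_filters(SAMPLE_FILTERS_JSON):
        print(finding)
```

Point the script at the real filter list of each non-admin role; a filter that grants view_job_invocations with no search is exactly the configuration that reproduces this bug.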

Comment 12 errata-xmlrpc 2021-04-21 13:11:45 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313