Bug 1836125

Summary:	User not able to view Ansible Service task output after upgrade to 5.0
Product:	Red Hat CloudForms Management Engine	Reporter:	mheppler
Component:	Automate	Assignee:	Yuri Rudman <yrudman>
Status:	CLOSED ERRATA	QA Contact:	Devidas Gaikwad <dgaikwad>
Severity:	high	Docs Contact:	Red Hat CloudForms Documentation <cloudforms-docs>
Priority:	high
Version:	5.11.0	CC:	dmetzger, mshriver, obarenbo, sigbjorn.lie, simaishi, tfitzger, wfitzger
Target Milestone:	GA	Keywords:	ZStream
Target Release:	5.11.7	Flags:	simaishi: cfme-5.11.z+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	5.11.7.0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-08-06 14:32:54 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	Bug
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	CFME Core	Target Upstream Version:
Embargoed:

Description mheppler 2020-05-15 08:46:01 UTC

Description of problem:

What problem/issue/behavior are you having trouble with?  What do you expect to see?
When a user orders a Ansible Playbook based Service Catalog item, a new service is created.  When the user go to Services -> My Services -> Newly created service, the error below is displayed. If an account with Super-User privileges attempt to display the same account everything works fine and the Ansible output is displayed in the WebUI.

URL https://cloudforms/api/tasks/1000000428719?attributes=task_results
Status 404 Not Found
Content-Type application/json; charset=utf-8
Data {"error":{"kind":"not_found","message":"Couldn't find MiqTask with 'id'=1000000428719","klass":"Api::NotFoundError"}}

The following error is logged in the production.log on the appliance:
[----] D, [2020-05-12T20:05:14.255036 #209649:2b07b76911b4] DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'user@domain', role 'role_name', feature identifier 'miq_task_all_ui'

This was not a problem on CloudForms 4.7.


Version-Release number of selected component (if applicable):

5.0

How reproducible:

Request service as user, always


Steps to Reproduce:
1. 
2.
3.

Actual results:

Result of requested service is not visible to user. Admin can see result of requested service.


Expected results:


Additional info:

Affected services:
$evm.root['service_id'] = 1000000000807
$evm.root['service_id'] = 1000000000808

Affected user ID: 1000000000007

API.log:

[----] I, [2020-05-12T20:16:36.828881 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) API Request:    {:requested_at=>"2020-05-12 18:16:36 UTC", :method=>"GET", :url=>"https://cloudforms/api/tasks/1000000428719?attributes=task_results"}
[----] I, [2020-05-12T20:16:36.837509 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Authentication: {:type=>"ui_session", :token=>nil, :x_miq_group=>nil, :user=>"user@domain"}
[----] I, [2020-05-12T20:16:36.840645 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Authorization:  {:user=>"user@domain", :group=>"ldap_group", :role=>"role_name", :tenant=>"MyTenant"}
[----] I, [2020-05-12T20:16:36.841052 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/tasks/1000000428719?attributes=task_results", :url=>"https://cloudforms/api/tasks/1000000428719?attributes=task_results", :base=>"https://cloudforms", :path=>"/api/tasks/1000000428719", :prefix=>"/api", :version=>"4.1.0", :api_prefix=>"https://cloudforms/api", :collection=>"tasks", :c_suffix=>nil, :collection_id=>"1000000428719", :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2020-05-12T20:16:36.841359 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Parameters:     {"attributes"=>"task_results", "action"=>"show", "controller"=>"api/tasks", "format"=>"json", "body"=>{}}
[----] E, [2020-05-12T20:16:36.846383 #209649:2b07b7691b00] ERROR -- : MIQ(Api::TasksController.api_error) Api::NotFoundError: Couldn't find MiqTask with 'id'=1000000428719
[----] I, [2020-05-12T20:16:36.846741 #209649:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Response:       {:completed_at=>"2020-05-12 18:16:36 UTC", :size=>"0.117 KBytes", :time_taken=>"0.018 Seconds", :status=>404}
[----] I, [2020-05-12T20:16:37.183347 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request_initiated)
[----] I, [2020-05-12T20:16:37.183486 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) API Request:    {:requested_at=>"2020-05-12 18:16:37 UTC", :method=>"DELETE", :url=>"https://cloudforms/api/tasks/1000000428719"}
[----] I, [2020-05-12T20:16:37.192070 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Authentication: {:type=>"ui_session", :token=>nil, :x_miq_group=>nil, :user=>"user@domain"}
[----] I, [2020-05-12T20:16:37.194979 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Authorization:  {:user=>"user@domain", :group=>"ldap_group", :role=>"role_name", :tenant=>"MyTenant"}
[----] I, [2020-05-12T20:16:37.195351 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Request:        {:method=>:delete, :action=>"delete", :fullpath=>"/api/tasks/1000000428719", :url=>"https://cloudforms/api/tasks/1000000428719", :base=>"https://cloudforms", :path=>"/api/tasks/1000000428719", :prefix=>"/api", :version=>"4.1.0", :api_prefix=>"https://cloudforms/api", :collection=>"tasks", :c_suffix=>nil, :collection_id=>"1000000428719", :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2020-05-12T20:16:37.195607 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Parameters:     {"action"=>"destroy", "controller"=>"api/tasks", "format"=>"json", "body"=>{}}
[----] I, [2020-05-12T20:16:37.198756 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.delete_resource_action) Deleting tasks id 1000000428719
[----] I, [2020-05-12T20:16:37.200233 #209657:2b07b7691b00]  INFO -- : MIQ(Api::TasksController.log_request) Response:       {:completed_at=>"2020-05-12 18:16:37 UTC", :size=>"0.000 KBytes", :time_taken=>"0.017 Seconds", :status=>204}

evm.log:

[----] I, [2020-05-12T20:16:36.147772 #209427:2b07b32852f4]  INFO -- : MIQ(MiqQueue.put) Message id: [1000157705902],  id: [], Zone: [WebUI], Role: [], Server: [], MiqTask id: [1000000428719], Ident: [generic], Target id: [], Instance id: [1000000000516], Task id: [], Command: [ManageIQ::Providers::EmbeddedAnsible::AutomationManager::Job.raw_stdout], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: ["html"]
[----] I, [2020-05-12T20:16:36.147873 #209427:2b07b32852f4]  INFO -- : MIQ(MiqTask.generic_action_with_callback) Task: [1000000428719] Queued the action: [ansible_stdout] being run for user: [system]

Comment 8 Tina Fitzgerald 2020-05-28 18:41:55 UTC

Hi Michal,

Customer states in comment 5 that the problem persists after the roles were updated. 
Can you ask them to supply the logs showing the failure?

Thanks,
Tina

Comment 11 CFME Bot 2020-06-01 15:01:00 UTC

https://github.com/ManageIQ/manageiq-ui-classic/pull/7093

Comment 12 CFME Bot 2020-06-02 09:45:52 UTC

New commit detected on ManageIQ/manageiq-ui-classic/master:

https://github.com/ManageIQ/manageiq-ui-classic/commit/a79a0ee1b015944152d340bb24bd886c7eb78ba2
commit a79a0ee1b015944152d340bb24bd886c7eb78ba2
Author:     Yuri Rudman <yrudman>
AuthorDate: Mon Jun  1 14:45:25 2020 +0000
Commit:     Yuri Rudman <yrudman>
CommitDate: Mon Jun  1 14:45:25 2020 +0000

    MiqTask to get stdout for Ansible should be owned by user who is requesting view. otherwise task created under 'syste' accout and not avalable for not admin user
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1836125

 app/views/service/_svcs_show.html.haml | 6 +-
 1 file changed, 3 insertions(+), 3 deletions(-)

Comment 13 Yuri Rudman 2020-06-02 11:54:18 UTC

It is bug: owner of MiqTask created to grab stdout from Ansible playbook should be current user and not system account; above PR should fix it.

Comment 14 CFME Bot 2020-06-18 20:05:48 UTC

New commit detected on ManageIQ/manageiq-ui-classic/ivanchuk:

https://github.com/ManageIQ/manageiq-ui-classic/commit/3caf2323f7cd76b88fbc5815dfb88962127804c9
commit 3caf2323f7cd76b88fbc5815dfb88962127804c9
Author:     Milan Zázrivec <mzazrivec>
AuthorDate: Tue Jun  2 09:43:33 2020 +0000
Commit:     Satoe Imaishi <simaishi>
CommitDate: Thu Jun 18 20:03:48 2020 +0000

    Merge pull request #7093 from yrudman/pass-user-when-strting-task-to-get-ansible-stdout

    MiqTask to get stdout for Ansible should be owned by user who requested view

    (cherry picked from commit 498f55f4e88f8f6dec1cc61a39236ad36c3ddbd9)

    https://bugzilla.redhat.com/show_bug.cgi?id=1836125

 app/views/service/_svcs_show.html.haml | 6 +-
 1 file changed, 3 insertions(+), 3 deletions(-)

Comment 15 Devidas Gaikwad 2020-07-20 09:01:25 UTC

Verified BZ with Build: 5.11.7.0.20200714215453_0da8a4a
Able to see standard output without any issue.


I have done below steps to verify BZ:
- login appliance to main UI user admin
- create one ansible playbook
- create role from self_service with restriction="Only User or Group Owned"
- create group using recently created role
- create user
- create ansible playbook service catalog item
- set ownership
- create service catalog

- log in SSUI using newly created user
- add service to shopping card
- order service

- log in main UI using newly created user 
- navigate  Services->My Servcies>Service> 
- Under "Active catalog" click on ordered service
- click on Provisoning tab 
- able to see standard output without any error

Comment 18 errata-xmlrpc 2020-08-06 14:32:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Critical: CloudForms 5.0.7 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3358