Bug 1845498

Summary: 50/50 chance to create role filter with non-admin user and enough permissions
Product: Red Hat Satellite Reporter: Rafael Cardoso <rdesouza>
Component: Users & RolesAssignee: Ondřej Ezr <oezr>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: low Docs Contact:
Priority: unspecified    
Version: 6.6.0CC: apatel, jjansky, kgaikwad, ktordeur, mhulan, ofedoren, osousa, rabajaj, satellite6-bugs
Target Milestone: 6.10.0Keywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: foreman-2.5.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 14:09:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rafael Cardoso 2020-06-09 12:01:04 UTC 
Description of problem:
The error "Could not create the permission filter:
  You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations" is printed sometimes even with enough permissions for execution of the command:

# hammer --config configFile.yml --output json filter create --role roleName --permissions "permissionName"

Version-Release number of selected component (if applicable):
hammer 0.17.1

How reproducible:
hammer will sometimes success and sometimes not. When in loop you may see fails and success with not changed user role.

Steps to Reproduce:
1. Create Satellite user x
2. Create a /root/.hammer/cli_test.yml config file with the following content:

:foreman:
  :host: <hostname>
  :username: <userName>
  :password: <password>

3. Create Role and add permissions below to the user created in the step 1.
(Miscellaneous)		escalate_roles
Auth source		view_authenticators
Bookmark		view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
External usergroup	view_external_usergroups, create_external_usergroups, edit_external_usergroups, destroy_external_usergroups
Filter			view_filters, create_filters, edit_filters, destroy_filters
Organization		view_organizations
Role			view_roles, create_roles, edit_roles, destroy_roles
Subscription		attach_subscriptions, unattach_subscriptions
Usergroup		view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups

4. Add Role from 3. to user from 1.
5. Create new role

# hammer --config /root/.hammer/cli_test.yml role create --name test_role --organizations <organization>

6. Create new filter for test_role

# hammer --config /root/.hammer/cli_test.yml filter create --role test_role --permissions "access_dashboard"

Actual results:
Sometimes
"Could not create the permission filter:
  You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations"

Sometimes
"Permission filter for [] created."

Expected results:
"Permission filter for [] created."
Comment 2 Shira Maximov 2020-06-11 07:19:54 UTC 
Hi Rafael, I wasn't able to reproduce this, could you please provide hammer logs and development logs?
Comment 8 Shira Maximov 2020-07-14 07:29:55 UTC 
Created redmine issue https://projects.theforeman.org/issues/30394 from this bug
Comment 10 Bryan Kearney 2021-04-01 00:01:15 UTC 
Upstream bug assigned to oezr
Comment 11 Bryan Kearney 2021-04-01 00:01:18 UTC 
Upstream bug assigned to oezr
Comment 12 Ondřej Ezr 2021-04-15 13:34:52 UTC 
Hi,

I've pinpointed the issue to a bug, that we consider Locations and Organizations assigned to filters as 'Belongs to', but this assignment means 'Applies to'.

This causes Role with permissions to manage Filters to be able to manage only Filters that have the same Locations and Organizations as this Role (specificaly as the Filter on Filter resource).
This is wrong and permissions to manage filters should apply globally as it is a global resource and some filters don't have Locations and Organizations (e.g. Miscallenous).
My upstream patch is removing the ability to chose what Orgs/Locs the permissions to manage filters apply to thus Role with such permissions will be allowed to manage all Filters in Satellite.

This will probably land in 6.10, so until then I have a workaround.
To achive this without the patch (before 6.10) you need to navigate to the Role that allows managing Filters, edit the Filter on resource Filter, check `override` checkbox and deselect all the Organizations and Locations in the tabs that appear.
After saving, this Role will be able to manage all the filters in Satellite as with the patch and thus it will always succeed to create Filter.
Comment 14 Bryan Kearney 2021-06-18 16:01:13 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30394 has been resolved.
Comment 16 Peter Ondrejka 2021-07-09 08:51:41 UTC 
Verified on Satellite 6.10 sn 8 using steps from problem description and comment 1. Non admin user with relevant permissions can now create roles with 100% success rate.
Comment 19 errata-xmlrpc 2021-11-16 14:09:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702