Bug 1919146

Summary: [RFE] Possibility for further tailoring with Compliance Viewer role
Product: Red Hat Satellite Reporter: ubasak <ubasak>
Component: SCAP PluginAssignee: Marek Hulan <mhulan>
Status: CLOSED ERRATA QA Contact: addubey
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.7.0CC: addubey, dsinglet, ktordeur, mhulan, momran, oezr, pcreech, satellite6-bugs
Target Milestone: 6.11.0Keywords: EasyFix, FutureFeature, Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 14:28:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ubasak@redhat.com 2021-01-22 09:01:41 UTC 
Description of problem:
User with Compliance Viewer role can view all reports.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.9 (Maipo),
satellite-6.7 and 6.8

How reproducible:

Steps to Reproduce:
1.Create user
2.Assign Compliance viewer + View Hosts role to that user
3.Login from that user to cross check 

Actual results:
Any user ID with the "Compliance Viewer" role can view all reports.

Expected results:
Each user ID with the "Compliance Viewer" role can only view the reports of "its content hosts" (or those of its group).

Additional info:
Comment 1 Marek Hulan 2021-01-25 08:58:31 UTC 
These are two independent resources. E.g. some user may not be allowed to view any host but they should still see all compliance reports. If you want to achieve what you describe, we first need to add a host search support for ArfReport resource. Then the compliance viewer role can be further tailored, so a filter like "host.owner = $current_user" could be specified. I'm changing this to RFE, since the behavior is consitent with other pages and I'd say works as it should. I don't think this should be a private bug since it's not a security issue, please publish if you agree.
Comment 4 Ondřej Pražák 2021-07-15 10:53:42 UTC 
Created redmine issue https://projects.theforeman.org/issues/33025 from this bug
Comment 7 Bryan Kearney 2021-09-07 16:04:06 UTC 
Upstream bug assigned to mhulan
Comment 8 Bryan Kearney 2021-09-07 16:04:08 UTC 
Upstream bug assigned to mhulan
Comment 9 Bryan Kearney 2021-11-04 13:49:46 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33025 has been resolved.
Comment 11 Brad Buckingham 2021-12-01 13:15:35 UTC 
A fix is upstream and proposed for inclusion in Satellite 7.0.
Comment 12 addubey 2022-01-31 06:46:18 UTC 
Verified.


Tested on: Satellite-7.0.0 Snap 7.0


Steps followed: 

1. Create user
2. Assign Compliance viewer + View Hosts role to that user
3. Login from that user to cross-check 


Observation: Each user-ID with the "Compliance Viewer" role can only view the reports of "its content hosts" (or those of its group).
Comment 15 errata-xmlrpc 2022-07-05 14:28:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498