Bug 1999604

Summary: Unable to assign ansible roles to a host group via hammer/api with non-admin user
Product: Red Hat Satellite Reporter: Jan Senkyrik <jsenkyri>
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: sganar
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.8.0CC: mhulan, oezr, pcreech, sganar
Target Milestone: 6.11.0Keywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 14:29:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Senkyrik 2021-08-31 12:17:43 UTC
Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.

Version-Release number of selected component (if applicable):
Satellite 6.10 beta

How reproducible:
Always

Steps to Reproduce:
1. Create a role with the following permission set:

# hammer role filters --id 33
~~~
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
335 | AnsibleRole            | none   | yes        | no        | api  | view_ansible_roles                                                              
336 | Architecture           | none   | yes        | no        | api  | view_architectures                                                              
337 | Operatingsystem        | none   | yes        | no        | api  | view_operatingsystems                                                           
338 | Parameter              | none   | yes        | no        | api  | view_params, create_params, edit_params, destroy_params                         
339 | Katello::ActivationKey | none   | no         | no        | api  | view_activation_keys                                                            
340 | Katello::ContentView   | none   | no         | no        | api  | view_content_views                                                              
341 | Katello::KTEnvironment | none   | no         | no        | api  | view_lifecycle_environments                                                     
342 | Hostgroup              | none   | no         | no        | api  | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
343 | Organization           | none   | no         | no        | api  | view_organizations, assign_organizations                                        
344 | Domain                 | none   | no         | no        | api  | view_domains                                                                    
345 | Environment            | none   | no         | no        | api  | view_environments                                                               
346 | Host                   | none   | no         | no        | api  | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
347 | Location               | none   | no         | no        | api  | view_locations, assign_locations                                                
348 | Subnet                 | none   | no         | no        | api  | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
349 | SmartProxy             | none   | no         | no        | api  | view_smart_proxies                                                              
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
~~~

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:

# hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
~~~
Could not assign roles to the hostgroup:
  Access denied
  Missing one of the required permissions: edit_hostgroups
~~~

Additional info:
- I've been able to reproduce this on both Satellite 6.8 and Satellite 6.10 beta.
- I can provide reproducer details.


Kind regards,
Jan

Comment 1 Dominik Matoulek 2021-10-19 11:08:59 UTC
Created redmine issue https://projects.theforeman.org/issues/33727 from this bug

Comment 2 Bryan Kearney 2021-11-04 13:51:17 UTC
Upstream bug assigned to dmatoule

Comment 3 Bryan Kearney 2021-11-04 13:51:19 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33727 has been resolved.

Comment 8 sganar 2022-03-01 12:23:31 UTC
Verified.

Tested on Satellite 7.0

Steps followed: 
1. 1. Create a role with the following permission set:

# hammer role filters --id 35
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE   | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
374 | AnsibleRole            | none   | yes        | no        | test99 | view_ansible_roles                                                              
375 | Architecture           | none   | yes        | no        | test99 | view_architectures                                                              
376 | Operatingsystem        | none   | yes        | no        | test99 | view_operatingsystems                                                           
377 | Parameter              | none   | yes        | no        | test99 | view_params, create_params, edit_params, destroy_params                         
378 | Katello::ContentView   | none   | yes        | no        | test99 | view_content_views                                                              
379 | Katello::ActivationKey | none   | yes        | no        | test99 | view_activation_keys                                                            
380 | Katello::KTEnvironment | none   | yes        | no        | test99 | view_lifecycle_environments                                                     
381 | Hostgroup              | none   | yes        | no        | test99 | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
382 | Organization           | none   | yes        | no        | test99 | view_organizations, assign_organizations                                        
383 | Domain                 | none   | yes        | no        | test99 | view_domains                                                                    
384 | Location               | none   | yes        | no        | test99 | view_locations, assign_locations                                                
385 | Subnet                 | none   | yes        | no        | test99 | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
386 | HttpProxy              | none   | yes        | no        | test99 | view_http_proxies                                                               
387 | Host                   | none   | yes        | no        | test99 | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI 
4. Try to assign ansible roles to a HG with this user via hammer

Observation:
Assigning ansible roles to a Hostgroup with this user via WebUI and hammer was success 

#hammer -u test_user -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
Ansible roles were assigned to the hostgroup

Comment 11 errata-xmlrpc 2022-07-05 14:29:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498