Bug 2046322

Summary: Manager role does contain the execute_jobs_on_infrastructure_hosts permission
Product: Red Hat Satellite Reporter: Peter Ondrejka <pondrejk>
Component: Remote ExecutionAssignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.11.0CC: aruzicka, lstejska, pcreech
Target Milestone: 6.11.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tfm-rubygem-foreman_remote_execution-5.0.2, foreman-3.1.2,foreman-3.1.1.7-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 14:32:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Ondrejka 2022-01-26 15:38:43 UTC 
Description of problem:
The Manager role does contain the execute_jobs_on_infrastructure_hosts permission by default which does not agree with the specification in the SAT-3232 feature card

Version-Release number of selected component (if applicable):

Satellite 7.0 snap 6

How reproducible:
always

Steps to Reproduce:
1. Check filters of the Manager role under Administer > Roles

Actual results:
execute_jobs_on_infrastructure_hosts permission included

Expected results:
permission shouldn't be listed by default

Additional info:
Comment 1 Adam Ruzicka 2022-01-26 16:29:50 UTC 
Hmm, looks like I misread the card and considered "Remote Execution Manager" == "Manager", which of course does not hold.

On the other hand, the Manager role explicitly states that it "grants *all* available permissions to a user having that role and that a user with the role can do everything admin can".

# hammer role show --name 'Manager'
Id:          2
Name:        Manager
Builtin:     no
Description: Role granting all available permissions. With this role, user is able to do everything that admin can except for changing settings

We need to either change the jira card or remove the permissions from the Manager role and change its description.
Comment 3 Adam Ruzicka 2022-01-27 12:38:18 UTC 
Created redmine issue https://projects.theforeman.org/issues/34324 from this bug
Comment 4 Bryan Kearney 2022-01-27 16:05:34 UTC 
Upstream bug assigned to aruzicka
Comment 5 Bryan Kearney 2022-01-27 16:05:36 UTC 
Upstream bug assigned to aruzicka
Comment 8 Peter Ondrejka 2022-03-01 10:41:02 UTC 
As per discussion in the feature card SAT-3232, the outcome should be:

*Mananager* and *Site manager* roles should have execute_jobs_on_infrastructure_hosts
*Organization admin* and *REX Manager* roles shouldn't have it 

Verified on Sat 7.0 sn 11:

~]# hammer role filters --name "Manager" | grep jobs
166 | JobInvocation                   | none   | yes        | no        | Manager | create_job_invocations, view_job_invocations, execute_jobs_on_infrastructure_...
~]# hammer role filters --name "Site manager" | grep jobs
176 | JobInvocation       | none   | yes        | no        | Site manager | create_job_invocations, view_job_invocations, execute_jobs_on_infrastructure_...
~]# hammer role filters --name "Organization admin" | grep jobs
~]# hammer role filters --name "Remote Execution Manager" | grep jobs
Comment 12 errata-xmlrpc 2022-07-05 14:32:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498