Bug 2101986

| Summary: | Getting "NoPermission: Permission to perform this operation was denied." when edit host or compute profile | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Hao Chang Yu <hyu> |
| Component: | Compute Resources - VMWare | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Hellebrandt <lhellebr> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.10.6 | CC: | chrobert, mhulan, rlavi, wclark |
| Target Milestone: | 6.12.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | tfm-rubygem-fog-vsphere-3.5.2 | Doc Type: | If docs needed, set a value |
| : | 2112351 | | |
| Last Closed: | 2022-11-16 13:34:13 UTC | Type: | Bug |

Created attachment 1899803
Hotfix RPM for Satellite 6.11.1 on RHEL7

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.11.1 server
2. Download the hotfix RPM for Satellite 6.11.1 on RHEL7 attached to this BZ and copy it to Satellite server
3. `# yum install ./tfm-rubygem-fog-vsphere-3.5.2-1.el7sat.noarch.rpm --disableplugin=foreman-protector`
4. `# satellite-maintain service restart`

NOTE: This hotfix additionally contains the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2072696

Created attachment 1899804
Hotfix RPM for Satellite 6.11.1 on RHEL8

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.11.1 server
2. Download the hotfix RPM for Satellite 6.11.1 on RHEL8 attached to this BZ and copy it to Satellite server
3. `# dnf install ./rubygem-fog-vsphere-3.5.2-1.el8sat.noarch.rpm --disableplugin=foreman-protector`
4. `# satellite-maintain service restart`

NOTE: This hotfix additionally contains the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2072696

Verified with Sat 6.12 snap 13.0.
for version in 6 7; do
In vSphere${version}:
1) Menu -> Administration -> SSO -> Add user
2) Storages -> Create new folder
3) Move (drag) an existing storage to the folder
4) Select root, go to permissions tab, add the new user with No access role
5) Select folder, go to permissions tab, add the new user with Administrator role checking Propagate to children
In Satellite (with manifest):
1) Infrastructure -> Compute Resources -> Create, using vSphere${version} and the newly created user credentials
2) <CR> -> Images -> Create
3) <CR> -> Compute Resources -> any
4) Infrastructure -> Compute Resources -> any
5) Edit cluster, storage pod
6) All Hosts -> Create
done
=> No traceback, no WebUI errors, CR added, CP edited, host created, corresponding VM created

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506

Description of problem:
Getting the below error when trying to edit a VMware host or edit a VMware compute profile.

-----------------

"Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied."

-----------------

Traceback in /var/log/foreman/production.log

-----------------

    2022-06-29T12:06:21 [W|app|317ea02a] NoPermission: Permission to perform this operation was denied.
    2022-06-29T12:06:21 [I|app|317ea02a] Backtrace for 'NoPermission: Permission to perform this operation was denied.' error (ActionView::Template::Error): NoPermission: Permission to perform this operation was denied.
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:63:in `parse_response'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:92:in `call'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:213:in `_call'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:76:in `block (2 levels) in init'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:10:in `find'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:97:in `block in traverse'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `each'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `inject'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `traverse'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/ServiceInstance.rb:11:in `find_datacenter'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:19:in `get_raw_datacenter'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:14:in `find_raw_datacenter'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/list_networks.rb:11:in `list_networks'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/networks.rb:10:in `all'
     317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:152:in `block in networks'
     317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `instance_eval'
     317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `get_uncached_value'
     317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:22:in `cache'
     317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:151:in `networks'
     317ea02a | /usr/share/foreman/app/helpers/compute_resources_vms_helper.rb:78:in `vsphere_networks'
     317ea02a | /usr/share/foreman/app/views/compute_resources_vms/form/vmware/_network.html.erb:6:in `_b4393ee8b85d1c4bce3b12c61c7ac846'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/base.rb:274:in `_run'
     317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/template.rb:185:in `block in render'
    <snip>

-----------------

Steps to Reproduce:

In VCenter:

1. Create a user with "No access" role to the root folder.
2. Create a datacenter with path structure "my_department/my_datacenter".
3. Assign "Administrator" role to the user in "my_department" folder and check "Propagate to children".

In Satellite:

1. Create a compute resource and select "my_department/my_datacenter" datacenter.
2. Go to Compute profiles page -> select any size -> select the vmware compute resource.

Actual results:
Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied.

Expected results:
No error

Additional info:

- User has no read permission on root folder so "rbvmomi" failed to traverse from the root folder to find the datacenter.
- But this traversing action can actually be avoided because the module has already retrieved all the datacenters. The "get_raw_datacenter" call can be avoided if we also match the raw_datacenters by path.

----------------------------

    # "/opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb"
    def find_raw_datacenter(name)
      raw_datacenters.find { |d| d.name == name } || get_raw_datacenter(name)
    end

------------------------------

The below methods set datacenter as path, causing the above method to not match anything and then call "get_raw_datacenter".

------------------------------

    # /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/datacenter.rb
    def clusters(filters = {})
      service.clusters({ datacenter: path.join('/') }.merge(filters))
    end

    def networks(filters = {})
      service.networks({ datacenter: path.join('/') }.merge(filters))
    end

    def datastores(filters = {})
      service.datastores({ datacenter: path.join('/') }.merge(filters))
    end

    def storage_pods(filters = {})
      service.storage_pods({ datacenter: path.join('/') }.merge(filters))
    end

    def vm_folders(filters = {})
      service.folders({ datacenter: name, type: :vm }.merge(filters)) # <=== this is using name
    end

------------------------------
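
The lookup behaviour described in the additional info above, as an added Ruby illustration that is not part of the original report or of fog-vsphere. `FakeCompute`, `RawDatacenter`, `find_raw_datacenter_by_path` and the `NoPermission` class are hypothetical stand-ins, the inventory is constructed from the reproduction steps, and how fog-vsphere 3.5.2 actually implements its fix is not shown on this page.

```ruby
# Added illustration: stand-in objects, not fog-vsphere or rbvmomi code.
class NoPermission < StandardError; end

# Hypothetical raw datacenter; path holds the folder segments below the root.
RawDatacenter = Struct.new(:name, :path)

class FakeCompute
  attr_reader :raw_datacenters, :root_traversals

  def initialize(raw_datacenters)
    @raw_datacenters = raw_datacenters # already retrieved, no root access needed
    @root_traversals = 0
  end

  # Stand-in for the traversal from the root folder, on which the account
  # holds the "No access" role.
  def get_raw_datacenter(_name)
    @root_traversals += 1
    raise NoPermission, 'Permission to perform this operation was denied.'
  end

  # Lookup as quoted in the report: match on name only, then fall back.
  def find_raw_datacenter(name)
    raw_datacenters.find { |d| d.name == name } || get_raw_datacenter(name)
  end

  # The report's suggestion: also match the retrieved list by path.
  def find_raw_datacenter_by_path(name)
    raw_datacenters.find { |d| d.name == name || d.path.join('/') == name } ||
      get_raw_datacenter(name)
  end
end

# Runs one lookup and reports the datacenter name or the error raised.
def lookup(service, finder, key)
  service.public_send(finder, key).name
rescue NoPermission => e
  "NoPermission: #{e.message}"
end

# Constructed inventory matching the reproduction steps.
def demo
  svc = FakeCompute.new([RawDatacenter.new('my_datacenter', %w[my_department my_datacenter])])
  key = 'my_department/my_datacenter' # what path.join('/') passes as datacenter
  { name_only: lookup(svc, :find_raw_datacenter, key),
    name_or_path: lookup(svc, :find_raw_datacenter_by_path, key),
    root_traversals: svc.root_traversals }
end

p demo if __FILE__ == $PROGRAM_NAME
```

With the path-aware match, an account scoped to the "my_department" folder resolves its datacenter without any read access on the root folder, so the least-privilege role assignment from the reproduction steps can stay in place.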