Bug 2142555

Summary: import puppet classes permission filter does not work
Product: Red Hat Satellite
Reporter: Stefan Nemeth <snemeth>
Component: Puppet
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: visawant
Severity: medium
Priority: unspecified
Version: 6.11.4
CC: gtalreja, mhulan, mschibli, oezr, paul.porcelli, rlavi, shwsingh
Target Milestone: 6.13.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-05-03 13:22:42 UTC
Type: Bug

Description Stefan Nemeth 2022-11-14 12:09:30 UTC
Description of problem:

The permission

Puppetclass -> import_puppetclasses

does not work for limited users. Instead, when such a user is used, the error

"error": {"message":"Access denied","details":"Missing one of the required permissions: ","missing_permissions":[]}

is returned.

Version-Release number of selected component (if applicable):

6.11.4

How reproducible:

100%

Steps to Reproduce:
1. Administer -> Users: create user "puppetenvuser"
2. Administer -> Roles: create role "puppet-env-import-role"
with the following filters:

hammer role filters --name puppet-env-import-role
----|---------------|--------|------------|-----------|------------------------|-------------------------------------------
ID  | RESOURCE TYPE | SEARCH | UNLIMITED? | OVERRIDE? | ROLE                   | PERMISSIONS
----|---------------|--------|------------|-----------|------------------------|-------------------------------------------
588 | Puppetclass   | none   | yes        | no        | puppet-env-import-role | create_puppetclasses, import_puppetclasses
592 | Location      | none   | no         | no        | puppet-env-import-role | view_locations
593 | Organization  | none   | no         | no        | puppet-env-import-role | view_organizations
594 | SmartProxy    | none   | yes        | no        | puppet-env-import-role | view_smart_proxies
595 | Environment   | none   | yes        | no        | puppet-env-import-role | view_environments
----|---------------|--------|------------|-----------|------------------------|-----------------------

3. assign puppet-env-import-role to puppetenvuser
4. try to use puppetenvuser to import puppet classes

Actual results:

#curl -s -k -X POST -u puppetenvuser:redhat -H "Content-Type: application/json" https://10.44.129.52/api/environments/production/smart_proxies/1/import_puppetclasses?dryrun=true

{
  "error": {"message":"Access denied","details":"Missing one of the required permissions: ","missing_permissions":[]}
}

Expected results:

#curl -s -k -X POST -u puppetenvuser:redhat -H "Content-Type: application/json" https://10.44.129.52/api/environments/production/smart_proxies/1/import_puppetclasses?dryrun=true
{
  "message": "Successfully updated environment and puppetclasses from the on-disk puppet installation",
  "results": {"name":"production","actions":["new"],"new_puppetclasses":["access_insights_client::current","access_insights_client","access_insights_client::old","foreman_scap_client","foreman_scap_client::params","stdlib","stdlib::stages"]}
}

Additional info:

In /usr/share/gems/gems/foreman_puppet-2.0.6/lib/foreman_puppet/register.rb, adding

    permission :import_puppetclasses, { 'foreman_puppet/puppetclasses' => %i[import_environments obsolete_and_new],
                                        'foreman_puppet/api/v2/environments' => [:import_puppetclasses],
 +                                      'api/v2/smart_proxies' => [:import_puppetclasses]  },
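
Review bot: the added 'api/v2/smart_proxies' key is the only controller in this permission that is not under 'foreman_puppet/', so please confirm it is the controller that the /api/environments/.../smart_proxies/.../import_puppetclasses route from the reproducer actually resolves to, and add a one-line comment saying why a non-plugin controller is listed here. The change is also applied to an installed gem file under /usr/share/gems, which a package update will overwrite, so it needs to go into the foreman_puppet source together with a regression test for a non-admin user who holds only import_puppetclasses.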

fixes the issue
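
A simplified model of the failure described in this report, as an added example (not code from Foreman, foreman_puppet or the reporter): in a default-deny permission registry, an action that no permission maps is refused for every non-admin user and the list of missing permissions comes back empty. The registry layout, helper names, route list and the assumption that the curl endpoint resolves to `api/v2/smart_proxies#import_puppetclasses` (taken from the reporter's proposed mapping) are constructed for illustration.

```ruby
# Simplified, constructed model of a default-deny permission registry.
# Each permission lists the "controller" => [actions] pairs it grants.
REGISTRY_BEFORE = {
  import_puppetclasses: {
    'foreman_puppet/puppetclasses' => %i[import_environments obsolete_and_new],
    'foreman_puppet/api/v2/environments' => [:import_puppetclasses]
  }
}.freeze

# Same registry with the mapping proposed in the report added.
REGISTRY_AFTER = {
  import_puppetclasses: REGISTRY_BEFORE[:import_puppetclasses].merge(
    'api/v2/smart_proxies' => [:import_puppetclasses]
  )
}.freeze

# Names of the permissions that grant controller#action (empty: nothing maps it).
def permissions_for(registry, controller, action)
  registry.select { |_name, map| map.fetch(controller, []).include?(action) }.keys
end

# Default-deny check for a non-admin user holding the `granted` permissions.
def authorize(registry, granted, controller, action)
  required = permissions_for(registry, controller, action)
  return { allowed: true, missing_permissions: [] } if (required & granted).any?
  { allowed: false, missing_permissions: required - granted }
end

# Audit helper: routed actions that no permission covers (admin-only in effect).
def unmapped_actions(registry, routes)
  routes.reject { |controller, action| permissions_for(registry, controller, action).any? }
end

# Constructed route list; the last entry is assumed to be the reproducer's endpoint.
ROUTES = [
  ['foreman_puppet/puppetclasses', :import_environments],
  ['foreman_puppet/api/v2/environments', :import_puppetclasses],
  ['api/v2/smart_proxies', :import_puppetclasses]
].freeze

# Permissions of the role from the reproduction steps (view_* on org/location omitted).
USER_PERMS = %i[create_puppetclasses import_puppetclasses view_smart_proxies view_environments].freeze

if __FILE__ == $PROGRAM_NAME
  p authorize(REGISTRY_BEFORE, USER_PERMS, 'api/v2/smart_proxies', :import_puppetclasses)
  p unmapped_actions(REGISTRY_BEFORE, ROUTES)
  p authorize(REGISTRY_AFTER, USER_PERMS, 'api/v2/smart_proxies', :import_puppetclasses)
end
```

Running `unmapped_actions` over a real route list after each plugin change turns this class of bug into a failing check instead of an "Access denied" with nothing to grant.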

Comment 8 Ron Lavi 2023-01-25 13:18:31 UTC
Yes, to view that page from the web-ui, the user needs the `view_puppetclasses` permission.
Glad to see that the other requests are also working now. I think it's safe to move it to VERIFIED.

Comment 11 errata-xmlrpc 2023-05-03 13:22:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097