Bug 868910

Summary: Another administrator can no longer remove the original "admin" account
Product: Red Hat Satellite
Component: Users & Roles
Version: 6.0.1
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Reporter: Jeff Weiss <jweiss>
Assignee: Dominic Cleal <dcleal>
QA Contact: Og Maciel <omaciel>
CC: adprice, bkearney, ckannan, cwelton, dajohnso, dcleal, ehelms, inecas, jmontleo, jsherril, mmccune, ohadlevy, omaciel
Keywords: Regression, Reopened, TestBlocker, Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/3272
Doc Type: Bug Fix
Last Closed: 2014-09-11 12:26:02 UTC

Description Jeff Weiss 2012-10-22 12:45:05 UTC
Description of problem:


Version-Release number of selected component (if applicable):
Katello Version: 1.2.1-1.git.122.8b1c3a7.el6_3

How reproducible:
always

Steps to Reproduce:
1. Create a user foo, assign him the administrator role
2. log in as foo
3. delete the user "admin".
  
Actual results:
    403 Forbidden (RestClient::Forbidden)
    {"error":{"details":"You are trying to delete your own account","message":"Access denied"}}
    Click here for more details.

Expected results:
admin user deleted.

Additional info:

Comment 3 Justin Sherrill 2012-12-18 19:00:44 UTC
I am not able to reproduce this.  Worked fine for me.  Are you able to reproduce Jeff?

Comment 4 Og Maciel 2013-02-15 17:20:47 UTC
Works in the following setup:
* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-1.1.12.2-5.el6cf.noarch
* katello-all-1.1.12.2-5.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-1.1.12.2-5.el6cf.noarch
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-1.1.12.2-5.el6cf.noarch
* katello-glue-pulp-1.1.12.2-5.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-5.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch

Comment 5 Ivan Necas 2013-02-25 16:04:51 UTC
There is a problem while deleting the admin user:



    [ERROR 2013-02-23 02:43:32 b6fac538cd52dc9dedb639780e373fe5 #11746] 422 Unprocessable Entity (RestClient::UnprocessableEntity)
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/abstract_response.rb:48:in `return!'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:220:in `process_result'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:169:in `transmit'
    /usr/lib/ruby/1.8/net/http.rb:543:in `start'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:166:in `transmit'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:60:in `execute'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:31:in `execute'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/resource.rb:80:in `delete'
    /usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `send'
    /usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `call'
    /usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/resources/user.rb:74:in `destroy'
    /usr/share/katello/lib/resources/abstract_model.rb:342:in `delete!'



Due to Foreman restriction:

    Started DELETE "/foreman/api/users/1" for 127.0.0.1 at Sat Feb 23 02:43:32 -0500 2013
      Processing by Api::V1::UsersController#destroy as JSON
      Parameters: {"id"=>"1"}
    Unable to delete internal admin account
    Rendered api/v1/errors/unprocessable_entity.json.rabl (1.8ms)
    Completed 422 Unprocessable Entity in 243ms (Views: 2.7ms | ActiveRecord: 18.4ms)

So two bugs here (instead of none:):

* one can't delete admin user (but should be able to do this IMO)
* after the operation fails, there is an inconsistency in data among systems.

Comment 7 Corey Welton 2013-06-14 14:55:41 UTC
Priority raised due to possibility of data loss/corruption as referenced by Ivan in comment #5

Comment 9 Hayk Hovsepyan 2013-06-18 14:00:07 UTC
Tested on revision:
foreman-1.1.10011-1.noarch
katello-1.4.2-14.el6sat.noarch


User "admin" was removed from Sat6 but error from Foreman is shown:
"Failed to perform additional action KatelloForemanEngine::Actions::UserDestroy: 403 Forbidden"

Comment 10 Hayk Hovsepyan 2013-06-18 14:03:06 UTC
User create also shows the same Foreman error, but user is being created successfully.

Comment 11 Mike McCune 2013-06-19 04:20:08 UTC
So for MDP1 we can't support deleting the admin user.  I think this is acceptable, although ugly.

Proposing we punt to MDP2

Comment 12 Ivan Necas 2013-06-19 12:09:56 UTC
This bug is closely related to this one (already postponed for MDP2):

https://bugzilla.redhat.com/show_bug.cgi?id=967583

The roles distribution between Katello and Foreman needs to be designed and implemented properly (personally, I would like to see signo being the one to say what roles the user can take). Trying to quick-fix this for MDP1 would IMO cause more harm than use (and would be probably thrown away anyway).

The workaround for MDP1 is to set the admin flag for the new user in Foreman manually, before removing the original admin user.

Comment 13 Ivan Necas 2013-06-19 12:18:09 UTC
Correction: the suggested workaround doesn't work, as Foreman doesn't allow removing the admin user.

Comment 14 Mike McCune 2013-08-16 18:18:59 UTC
getting rid of 6.0.0 version since that doesn't exist

Comment 15 Ivan Necas 2013-10-15 13:57:27 UTC
The limitation from https://bugzilla.redhat.com/show_bug.cgi?id=868910#c13 still holds. Upstream Foreman doesn't allow deleting the admin user.

Due to design spikes around enginification there was a little done in terms of users integration between Foreman and Katello as the work will should go away with the enginification stuff. So fixing this bug is quite a waste as it will go away with the enginification effort.

@ohad: could we loosen the constraint on deleting an admin user, or is there something that would break after that? (provided a new admin user is created?)

Comment 16 Mike McCune 2013-10-15 15:34:34 UTC
moving to MDP3 where we are tackling user integration with more effort

Comment 17 Dominic Cleal 2013-10-15 17:48:26 UTC
Ivan, I'd suggest moving to the Katello concept of a hidden admin user as we also need it for some anonymous actions (like incoming Puppet reports or rake tasks).  Then we can have the user create their own admin user on top instead of them sharing the internal account.
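
The inconsistency reported in comment 5 and the hidden-account layout proposed in comment 17, as an added Ruby example that is not Foreman or Katello code: a two-system user delete where the naive order diverges on a downstream refusal, next to a guarded order that checks policy first and touches local state only after the downstream delete succeeds. All class and method names, the `hidden_admin` login and the last-administrator check are assumptions made for the illustration.

```ruby
# Added illustration: every class, method and login here is hypothetical.
require 'set'

class RemoteRefused < StandardError; end
# Stand-in for the downstream system, which refuses to delete protected accounts.
class RemoteDirectory
  attr_reader :logins
  def initialize(logins, protected_logins)
    @logins, @protected = Set.new(logins), Set.new(protected_logins)
  end

  def delete(login)
    raise RemoteRefused, "Unable to delete #{login}" if @protected.include?(login)
    @logins.delete(login)
  end
end

# Stand-in for the upstream system that owns the user-facing delete action.
class UserService
  attr_reader :admins
  def initialize(admins, remote, internal)
    @admins, @remote, @internal = Set.new(admins), remote, internal
  end

  # Diverging order: the local record is gone before the remote answer is known.
  def delete_naive(login)
    @admins.delete(login)
    @remote.delete(login)
  end

  # Policy checks, then remote, then local; a refusal leaves both sides intact.
  def delete_safe(actor, login)
    return :denied_self if actor == login
    return :denied_internal if login == @internal
    return :denied_last_admin if @admins == Set[login]
    @remote.delete(login)
    @admins.delete(login)
    :deleted
  rescue RemoteRefused
    :remote_refused
  end
end

# Constructed scenario: a hidden account is the protected one, so "admin" is removable.
def scenario
  remote = RemoteDirectory.new(%w[hidden_admin admin foo], %w[hidden_admin])
  svc = UserService.new(%w[admin foo], remote, 'hidden_admin')
  [svc.delete_safe('foo', 'admin'), svc.delete_safe('foo', 'foo'), remote.logins.sort]
end
```

With the downstream system still protecting `admin`, `delete_naive` removes the local record and then raises, which is the divergence described in comment 5; `delete_safe` returns `:remote_refused` and changes nothing on either side.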

Comment 18 Ohad Levy 2013-10-16 08:07:16 UTC
+1

Comment 21 Dominic Cleal 2013-10-23 08:39:18 UTC
*** Bug 1022397 has been marked as a duplicate of this bug. ***

Comment 23 Bryan Kearney 2014-04-24 20:38:59 UTC
Upstream bug to dcleal

Comment 25 Dominic Cleal 2014-05-20 11:38:36 UTC
*** Bug 985978 has been marked as a duplicate of this bug. ***

Comment 28 Bryan Kearney 2014-06-30 14:01:16 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/3272 has been closed

Comment 29 Adam Price 2014-06-30 16:53:24 UTC
https://github.com/Katello/katello/pull/4368

katello's DB seed failed after the above fix was merged into master.

Comment 31 Og Maciel 2014-07-29 15:19:47 UTC
Verified:

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.32-1.el6sat.noarch
* foreman-compute-1.6.0.32-1.el6sat.noarch
* foreman-gce-1.6.0.32-1.el6sat.noarch
* foreman-libvirt-1.6.0.32-1.el6sat.noarch
* foreman-ovirt-1.6.0.32-1.el6sat.noarch
* foreman-postgresql-1.6.0.32-1.el6sat.noarch
* foreman-proxy-1.6.0.22-1.el6sat.noarch
* foreman-selinux-1.6.0.3-1.el6sat.noarch
* foreman-vmware-1.6.0.32-1.el6sat.noarch
* katello-1.5.0-27.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.56-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.23.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.23.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.23.beta.el6sat.noarch
* pulp-server-2.4.0-0.23.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* rubygem-hammer_cli-0.1.1-10.el6sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-13.el6sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el6sat.noarch
* rubygem-hammer_cli_katello-0.0.4-9.el6sat.noarch

Comment 33 Bryan Kearney 2014-09-11 12:26:02 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.