Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1185318

Summary: Permission Denied message seen when providing roles to user_groups
Product: Red Hat Satellite Reporter: Kedar Bidarkar <kbidarka>
Component: Users & RolesAssignee: Eric Helms <ehelms>
Status: CLOSED ERRATA QA Contact: Kedar Bidarkar <kbidarka>
Severity: high Docs Contact:
Priority: unspecified    
Version: NightlyCC: bbuckingham, bkearney, dlobatog, jmontleo, jpazdziora, tkolhar
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-12 05:22:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 710189, 1315258    

Description Kedar Bidarkar 2015-01-23 12:51:01 UTC 
Description of problem:

"Permission Denied" message is seen for a user which was part of a "Active Directory" "User Group" and content view access permission was provided to it, at the group level.

Version-Release number of selected component (if applicable):
nightly

How reproducible:
always

Steps to Reproduce:
1) Have AD setup and add a user "foobar".
2) Create a group in AD and add the "foobar" user to the group.
3) Configure the "Linking groups to LDAP" using the docs.
http://theforeman.org/manuals/1.7/index.html#4.1.1LDAPAuthentication
4) create a new role "new_abc" in sat6
5) Assign permission to "view content_view" to "new_abc" role.
6) Just assign this role to the user_group, which has the "foobar" user from "Active Directory"
4. Now login using this user "foobar" and try to access the content-view page, to notice the "Permission Denied" message.

NOTE: Providing this role to the user directly allows the views of the content-view page.
5) Now logout and login as admin.
6) remove the role assigned to the User_group and try assigning the role now directly to the user "foobar".
7) Login as "foobar" user to view the content-views when accessing the content-view page.

In short assigning roles to User_groups fails to allow access.


Actual results:
"Permission Denied" message seen when providing roles to user_groups.

NOTE: Providing the same role to the user works.

Expected results:
Assigning roles to the User_groups, should allow access to the users of the particular group.

Additional info:
Comment 2 Kedar Bidarkar 2015-01-23 13:31:15 UTC 
It turns out that even without the step 3) being performed we face this issue. 

Few updates:
 
1) for "new_abc" role and permissions "view content view", assigning the role to User_group level does not permit the view access.
2) for "new_foreman" role and permission "view hosts"  assigning the role to User_group level permits the view access.
3) for "new_katello" role and permission "view activation key"  assigning the role to User_group level does not permit the view access.
4) for "new_foreman2" role and permission "view compute resource" assigning the 
role to USer_group level does permit the view access.


So it looks like User_group functionality works fine for "foreman" but not for "katello" features.
Comment 3 Daniel Lobato Garcia 2015-01-24 18:58:18 UTC 
I could reproduce this on nightly doing the following:

Steps I followed:
1) As admin, create a user without any roles, or taxonomies.
2) Log in as said user. It doesn't show anything that requires a permission as expected.
3) As admin create a role, with three filters to view lifecycle environments, activation keys, and compute resources
4) As admin, create an user group, and add the previously created user and role to it.
5) Refresh the page with the non-admin user. You should see the Content menu with Lifecycle Environments, Activation Keys and Compute Resources, as expected.
6) Click on any of Lifecycle Environments and Activation Keys. You will get a 403 and a Permission denied error.
7) Click on Infrastructure > Compute Resources. It will show the list of compute resources

Expected results:
'Katello' roles inherited from user groups should work on users.

Actual results:
"Permission Denied" message seen when providing roles to user_groups.

I've submitted this ticket in Redmine with this description.
http://projects.theforeman.org/issues/9100
Comment 4 Stephen Benjamin 2015-02-23 10:45:47 UTC 
Looks like the fix is upstream: 


Applied in changeset bastion:bastion|a78e4a115d7b312be36cb9371db990134b3ba47d.
Comment 7 Kedar Bidarkar 2015-03-03 11:16:21 UTC 
This has FAILEDQA.

Looks like the fix is not in sat6.1 beta snap4.
Comment 8 Kedar Bidarkar 2015-03-03 11:29:53 UTC 
Update:

I checked again in more detail and below are my findings.

a) Now katello roles work for individual roles being added.
b) but not when admin checkbox is selected.

Actual Results:
When admin is selected, now again only "foreman" roles can be performed and not "katello"  roles. 

Expected Results:
Both foreman and katello roles should be performed by the user when admin is selected.

NOTE: I did select Org while trying katello roles. :)
Comment 9 Eric Helms 2015-03-09 16:36:50 UTC 
This was fixed as of Bastion 0.2.9
Comment 12 Kedar Bidarkar 2015-03-16 16:13:01 UTC 
VERIFIED with sat6.1 Beta snap6 compose2

Now users-groups provided with roles of foreman tasks and katello tasks work.

Also Admin user too can perform both the foreman tasks as well as katello tasks.

Exception: currently roles related to activation-keys cannot be performed, I think will track that issue separately.
Comment 13 Bryan Kearney 2015-08-11 13:28:58 UTC 
This bug is slated to be released with Satellite 6.1.
Comment 14 errata-xmlrpc 2015-08-12 05:22:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592