Description of problem: "Permission Denied" message is seen for a user which was part of a "Active Directory" "User Group" and content view access permission was provided to it, at the group level. Version-Release number of selected component (if applicable): nightly How reproducible: always Steps to Reproduce: 1) Have AD setup and add a user "foobar". 2) Create a group in AD and add the "foobar" user to the group. 3) Configure the "Linking groups to LDAP" using the docs. http://theforeman.org/manuals/1.7/index.html#4.1.1LDAPAuthentication 4) create a new role "new_abc" in sat6 5) Assign permission to "view content_view" to "new_abc" role. 6) Just assign this role to the user_group, which has the "foobar" user from "Active Directory" 4. Now login using this user "foobar" and try to access the content-view page, to notice the "Permission Denied" message. NOTE: Providing this role to the user directly allows the views of the content-view page. 5) Now logout and login as admin. 6) remove the role assigned to the User_group and try assigning the role now directly to the user "foobar". 7) Login as "foobar" user to view the content-views when accessing the content-view page. In short assigning roles to User_groups fails to allow access. Actual results: "Permission Denied" message seen when providing roles to user_groups. NOTE: Providing the same role to the user works. Expected results: Assigning roles to the User_groups, should allow access to the users of the particular group. Additional info:
It turns out that even without the step 3) being performed we face this issue. Few updates: 1) for "new_abc" role and permissions "view content view", assigning the role to User_group level does not permit the view access. 2) for "new_foreman" role and permission "view hosts" assigning the role to User_group level permits the view access. 3) for "new_katello" role and permission "view activation key" assigning the role to User_group level does not permit the view access. 4) for "new_foreman2" role and permission "view compute resource" assigning the role to USer_group level does permit the view access. So it looks like User_group functionality works fine for "foreman" but not for "katello" features.
I could reproduce this on nightly doing the following: Steps I followed: 1) As admin, create a user without any roles, or taxonomies. 2) Log in as said user. It doesn't show anything that requires a permission as expected. 3) As admin create a role, with three filters to view lifecycle environments, activation keys, and compute resources 4) As admin, create an user group, and add the previously created user and role to it. 5) Refresh the page with the non-admin user. You should see the Content menu with Lifecycle Environments, Activation Keys and Compute Resources, as expected. 6) Click on any of Lifecycle Environments and Activation Keys. You will get a 403 and a Permission denied error. 7) Click on Infrastructure > Compute Resources. It will show the list of compute resources Expected results: 'Katello' roles inherited from user groups should work on users. Actual results: "Permission Denied" message seen when providing roles to user_groups. I've submitted this ticket in Redmine with this description. http://projects.theforeman.org/issues/9100
Looks like the fix is upstream: Applied in changeset bastion:bastion|a78e4a115d7b312be36cb9371db990134b3ba47d.
This has FAILEDQA. Looks like the fix is not in sat6.1 beta snap4.
Update: I checked again in more detail and below are my findings. a) Now katello roles work for individual roles being added. b) but not when admin checkbox is selected. Actual Results: When admin is selected, now again only "foreman" roles can be performed and not "katello" roles. Expected Results: Both foreman and katello roles should be performed by the user when admin is selected. NOTE: I did select Org while trying katello roles. :)
This was fixed as of Bastion 0.2.9
VERIFIED with sat6.1 Beta snap6 compose2 Now users-groups provided with roles of foreman tasks and katello tasks work. Also Admin user too can perform both the foreman tasks as well as katello tasks. Exception: currently roles related to activation-keys cannot be performed, I think will track that issue separately.
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592