Bug 1199408 - non-admin user cannot register content host
Summary: non-admin user cannot register content host
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Registration
Version: 6.0.8
Hardware: Unspecified
OS: Unspecified
unspecified
high vote
Target Milestone: Unspecified
Assignee: Christine Fouant
QA Contact: Tazim Kolhar
David O'Brien
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: sat61-release-notes
TreeView+ depends on / blocked
 
Reported: 2015-03-06 07:52 UTC by Neil Miao
Modified: 2019-08-15 04:20 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-15 07:21:43 UTC


Attachments (Terms of Use)
foreman-debug output (192.69 KB, application/x-xz)
2015-03-06 07:52 UTC, Neil Miao
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1786 normal SHIPPED_LIVE Satellite 6.1.2 bug fix update 2015-09-15 11:20:04 UTC

Description Neil Miao 2015-03-06 07:52:53 UTC
Created attachment 998691 [details]
foreman-debug output

Description of problem:

Created a non-admin user (jdoe) with the following permissions:

# hammer --csv role filters --id 11
Id,Resource type,Search,Unlimited?,Role,Permissions
123,Katello::ActivationKey,none,false,test,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
124,Katello::System,none,false,test,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
125,Katello::ContentView,none,false,test,view_content_views
126,Katello::GpgKey,none,false,test,view_gpg_keys
127,Katello::HostCollection,none,false,test,view_host_collections
128,Katello::KTEnvironment,none,false,test,view_lifecycle_environments
129,Organization,none,true,test,view_organizations
130,Katello::Product,none,false,test,view_products

try to register a content host and failed with a ruby exception.
# subscription-manager register --org="platops" --environment="Library"
Username: jdoe
Password: 
undefined local variable or method `anonymous_admin' for #<User:0x00000009734318>


--- production.log ---
[ERROR 2015-03-06 02:06:14 cp_proxy  #8043] NameError: undefined local variable or method `anonymous_admin' for #<User:0x0000000c620348>
 | /opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/attribute_methods.rb:407:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/attribute_methods.rb:149:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb:212:in `allowed_organizations'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:327:in `find_organization'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:90:in `rhsm_index'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/implicit_render.rb:4:in `send_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:167:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rendering.rb:10:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:18:in `block in process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:560:in `block (3 levels) in _run__3457411624030313466__process_action__3351353520943957048__callbacks'


Version-Release number of selected component (if applicable):

Satellite Version: 6.0.8

Installed Packages

    candlepin-0.9.23.1-1.el7.noarch
    candlepin-common-1.0.1-1.el7.noarch
    candlepin-guice-3.0-2_redhat_1.el7.noarch
    candlepin-scl-1-5.el7.noarch
    candlepin-scl-quartz-2.1.5-6.el7.noarch
    candlepin-scl-rhino-1.7R3-3.el7.noarch
    candlepin-scl-runtime-1-5.el7.noarch
    candlepin-selinux-0.9.23.1-1.el7.noarch
    candlepin-tomcat-0.9.23.1-1.el7.noarch
    elasticsearch-0.90.10-6.el7sat.noarch
    katello-certs-tools-1.5.6-1.el7sat.noarch
    katello-default-ca-1.0-1.noarch
    katello-installer-0.0.67-1.el7sat.noarch
    katello-server-ca-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-broker-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-client-cert-1.0-1.noarch
    pulp-katello-0.3-4.el7sat.noarch
    pulp-nodes-common-2.4.4-1.el7sat.noarch
    pulp-nodes-parent-2.4.4-1.el7sat.noarch
    pulp-puppet-plugins-2.4.4-1.el7sat.noarch
    pulp-puppet-tools-2.4.4-1.el7sat.noarch
    pulp-rpm-plugins-2.4.4-1.1.el7sat.noarch
    pulp-selinux-2.4.4-1.el7sat.noarch
    pulp-server-2.4.4-1.el7sat.noarch
    python-gofer-qpid-1.3.0-1.el7sat.noarch
    python-isodate-0.5.0-1.pulp.el7sat.noarch
    python-kombu-3.0.15-12.pulp.el7sat.noarch
    python-pulp-bindings-2.4.4-1.el7sat.noarch
    python-pulp-common-2.4.4-1.el7sat.noarch
    python-pulp-puppet-common-2.4.4-1.el7sat.noarch
    python-pulp-rpm-common-2.4.4-1.1.el7sat.noarch
    python-qpid-0.22-15.el7.noarch
    python-qpid-qmf-0.22-37.el7.x86_64
    qpid-cpp-client-0.22-42.el7.x86_64
    qpid-cpp-server-0.22-42.el7.x86_64
    qpid-cpp-server-linearstore-0.22-42.el7.x86_64
    qpid-java-client-0.22-7.el7.noarch
    qpid-java-common-0.22-7.el7.noarch
    qpid-proton-c-0.7-2.el7.x86_64
    qpid-qmf-0.22-37.el7.x86_64
    qpid-tools-0.22-13.el7.noarch
    ruby193-rubygem-katello-1.5.0-98.el7sat.noarch
    rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
    rubygem-smart_proxy_pulp-1.0.1-1.1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. add a non-admin internal user with the above permissions
2. run subscription-manager to register a client with the non-admin user

Actual results:
non-admin should be able to register a content host while the necessary permissions are supplied.

Expected results:
ruby exception

Additional info:

It seems the allowed_organization method is trying to call anonymous_admin as a instance method

(/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb)

        def allowed_organizations
          (admin? || anonymous_admin) ? Organization.all : self.organizations
        end

while anonymous_admin is actually a class method

(/usr/share/foreman/app/models/user.rb)

  def self.anonymous_admin
    unscoped.find_by_login ANONYMOUS_ADMIN or raise Foreman::Exception.new(N_("Anonymous admin user %s is missing, run foreman-rake db:seed", ANONYMOUS_ADMIN))
  end

Document URL: 

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

Additional information: 


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:


Document URL: 

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

Additional information: 


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Neil Miao 2015-03-06 07:56:20 UTC
"Actual results:" and "Expected results:" are reversed ... sorry.

Comment 2 RHEL Product and Program Management 2015-03-06 08:03:08 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Christine Fouant 2015-07-15 19:53:03 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 5 Christine Fouant 2015-07-15 20:03:22 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 6 David O'Brien 2015-08-11 04:31:10 UTC
Is there any workaround or other info I can include in  a rel note to help the customer?

thanks

Comment 7 Mike McCune 2015-08-11 05:18:46 UTC
WORKAROUND:

Use a user with the 'Admin' role or use an Activation Key

Comment 9 Tazim Kolhar 2015-08-27 10:51:43 UTC
VERIFIED:
# rpm -qa | grep foreman
foreman-vmware-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.3-1.el6_6sat.noarch
foreman-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-libvirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.19-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.5-1.el6_6sat.noarch
foreman-postgresql-1.7.2.35-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.14-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.20-1.el6_6sat.noarch
foreman-ovirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.9-1.el6_6sat.noarch
foreman-compute-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch
foreman-gce-1.7.2.35-1.el6_6sat.noarch
foreman-proxy-1.7.2.5-1.el6_6sat.noarch
foreman-debug-1.7.2.35-1.el6_6sat.noarch

steps:
 hammer --csv role filters --id 11
[Foreman] Username: admin
[Foreman] Password for admin: 
Id,Resource type,Search,Unlimited?,Role,Permissions
48,Host,none,true,View hosts,view_hosts
153,Katello::ActivationKey,none,true,View hosts,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
154,Katello::System,none,true,View hosts,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
155,Katello::ContentView,none,true,View hosts,view_content_views
156,Katello::GpgKey,none,true,View hosts,view_gpg_keys
157,Katello::HostCollection,none,true,View hosts,view_host_collections
158,Katello::KTEnvironment,none,true,View hosts,view_lifecycle_environments
159,Organization,none,true,View hosts,view_organizations
160,Katello::Product,none,true,View hosts,view_products

# subscription-manager register --org="Default_Organization" --environment="Library" --force
Username: testuser
Password: 
The system has been registered with ID: c71688cb-86b8-4fb3-960c-c97993a17d13 

# tail -f production.log
2015-08-27 06:49:23 [I] Completed 200 OK in 155ms (Views: 0.4ms | ActiveRecord: 0.0ms)
2015-08-27 06:49:50 [I] Processing by Api::V2::FiltersController#index as JSON
2015-08-27 06:49:50 [I]   Parameters: {"search"=>"role_id = \"11\"", "apiv"=>"v2", "filter"=>{}}
2015-08-27 06:49:50 [I] Authorized user admin(Admin User)
2015-08-27 06:49:51 [I]   Rendered api/v2/filters/index.json.rabl within api/v2/layouts/index_layout (97.0ms)
2015-08-27 06:49:51 [I] Completed 200 OK in 167ms (Views: 100.0ms | ActiveRecord: 26.6ms)
2015-08-27 06:51:07 [I] Processing by HostsController#externalNodes as YML
2015-08-27 06:51:07 [I]   Parameters: {"name"=>"tyan-gt24-03.rhts.eng.bos.redhat.com"}
2015-08-27 06:51:09 [I]   Rendered text template (0.0ms)
2015-08-27 06:51:09 [I] Completed 200 OK in 1850ms (Views: 14.4ms | ActiveRecord: 426.4ms)

Comment 11 errata-xmlrpc 2015-09-15 07:21:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1786


Note You need to log in before you can comment on or make changes to this bug.