Bug 1199408 - non-admin user cannot register content host
Summary: non-admin user cannot register content host
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Registration
Version: 6.0.8
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Christine Fouant
QA Contact: Tazim Kolhar
David O'Brien
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: sat61-release-notes
Reported: 2015-03-06 07:52 UTC by Neil Miao
Modified: 2019-08-15 04:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-15 07:21:43 UTC
Target Upstream Version:
Embargoed:


Attachments:
foreman-debug output (192.69 KB, application/x-xz), 2015-03-06 07:52 UTC, Neil Miao


Links:
Red Hat Product Errata RHBA-2015:1786 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Satellite 6.1.2 bug fix update | Last Updated: 2015-09-15 11:20:04 UTC

Description Neil Miao 2015-03-06 07:52:53 UTC
Created attachment 998691 [details]
foreman-debug output

Description of problem:

Created a non-admin user (jdoe) with the following permissions:

# hammer --csv role filters --id 11
Id,Resource type,Search,Unlimited?,Role,Permissions
123,Katello::ActivationKey,none,false,test,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
124,Katello::System,none,false,test,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
125,Katello::ContentView,none,false,test,view_content_views
126,Katello::GpgKey,none,false,test,view_gpg_keys
127,Katello::HostCollection,none,false,test,view_host_collections
128,Katello::KTEnvironment,none,false,test,view_lifecycle_environments
129,Organization,none,true,test,view_organizations
130,Katello::Product,none,false,test,view_products

Tried to register a content host and it failed with a Ruby exception:
# subscription-manager register --org="platops" --environment="Library"
Username: jdoe
Password: 
undefined local variable or method `anonymous_admin' for #<User:0x00000009734318>


--- production.log ---
[ERROR 2015-03-06 02:06:14 cp_proxy  #8043] NameError: undefined local variable or method `anonymous_admin' for #<User:0x0000000c620348>
 | /opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/attribute_methods.rb:407:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/attribute_methods.rb:149:in `method_missing'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb:212:in `allowed_organizations'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:327:in `find_organization'
 | /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:90:in `rhsm_index'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/implicit_render.rb:4:in `send_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:167:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rendering.rb:10:in `process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:18:in `block in process_action'
 | /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:560:in `block (3 levels) in _run__3457411624030313466__process_action__3351353520943957048__callbacks'


Version-Release number of selected component (if applicable):

Satellite Version: 6.0.8

Installed Packages

    candlepin-0.9.23.1-1.el7.noarch
    candlepin-common-1.0.1-1.el7.noarch
    candlepin-guice-3.0-2_redhat_1.el7.noarch
    candlepin-scl-1-5.el7.noarch
    candlepin-scl-quartz-2.1.5-6.el7.noarch
    candlepin-scl-rhino-1.7R3-3.el7.noarch
    candlepin-scl-runtime-1-5.el7.noarch
    candlepin-selinux-0.9.23.1-1.el7.noarch
    candlepin-tomcat-0.9.23.1-1.el7.noarch
    elasticsearch-0.90.10-6.el7sat.noarch
    katello-certs-tools-1.5.6-1.el7sat.noarch
    katello-default-ca-1.0-1.noarch
    katello-installer-0.0.67-1.el7sat.noarch
    katello-server-ca-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-broker-1.0-1.noarch
    nil-sat6-02.devlab.redhat.com-qpid-client-cert-1.0-1.noarch
    pulp-katello-0.3-4.el7sat.noarch
    pulp-nodes-common-2.4.4-1.el7sat.noarch
    pulp-nodes-parent-2.4.4-1.el7sat.noarch
    pulp-puppet-plugins-2.4.4-1.el7sat.noarch
    pulp-puppet-tools-2.4.4-1.el7sat.noarch
    pulp-rpm-plugins-2.4.4-1.1.el7sat.noarch
    pulp-selinux-2.4.4-1.el7sat.noarch
    pulp-server-2.4.4-1.el7sat.noarch
    python-gofer-qpid-1.3.0-1.el7sat.noarch
    python-isodate-0.5.0-1.pulp.el7sat.noarch
    python-kombu-3.0.15-12.pulp.el7sat.noarch
    python-pulp-bindings-2.4.4-1.el7sat.noarch
    python-pulp-common-2.4.4-1.el7sat.noarch
    python-pulp-puppet-common-2.4.4-1.el7sat.noarch
    python-pulp-rpm-common-2.4.4-1.1.el7sat.noarch
    python-qpid-0.22-15.el7.noarch
    python-qpid-qmf-0.22-37.el7.x86_64
    qpid-cpp-client-0.22-42.el7.x86_64
    qpid-cpp-server-0.22-42.el7.x86_64
    qpid-cpp-server-linearstore-0.22-42.el7.x86_64
    qpid-java-client-0.22-7.el7.noarch
    qpid-java-common-0.22-7.el7.noarch
    qpid-proton-c-0.7-2.el7.x86_64
    qpid-qmf-0.22-37.el7.x86_64
    qpid-tools-0.22-13.el7.noarch
    ruby193-rubygem-katello-1.5.0-98.el7sat.noarch
    rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
    rubygem-smart_proxy_pulp-1.0.1-1.1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. add a non-admin internal user with the above permissions
2. run subscription-manager to register a client with the non-admin user

Actual results:
non-admin should be able to register a content host while the necessary permissions are supplied.

Expected results:
ruby exception

Additional info:

It seems the allowed_organizations method is trying to call anonymous_admin as an instance method

(/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/models/katello/concerns/user_extensions.rb)

        def allowed_organizations
          (admin? || anonymous_admin) ? Organization.all : self.organizations
        end

while anonymous_admin is actually a class method

(/usr/share/foreman/app/models/user.rb)

  def self.anonymous_admin
    unscoped.find_by_login ANONYMOUS_ADMIN or raise Foreman::Exception.new(N_("Anonymous admin user %s is missing, run foreman-rake db:seed", ANONYMOUS_ADMIN))
  end


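Added example, not part of the original report and not Katello or Foreman code: a plain-Ruby reproduction of why the bare `anonymous_admin` call fails only for non-admin users, and why simply switching to the class method would not be a safe repair. The `User` stand-in, the `REGISTRY` lookup, the `ALL_ORGS` list, the constructed login value and the three `allowed_organizations_*` variants are assumptions for illustration; the scoped variant is one possible correction, not the fix shipped in the erratum.

```ruby
# Plain-Ruby stand-ins for the Foreman/Katello classes (no Rails needed).
ANONYMOUS_ADMIN = 'foreman_admin'            # constructed login value
ALL_ORGS = %w[platops other_org].freeze      # constructed stand-in for Organization.all

class User
  attr_reader :login, :organizations
  REGISTRY = {}                              # stand-in for the users table

  def initialize(login, admin: false, organizations: [])
    @login, @admin, @organizations = login, admin, organizations
    REGISTRY[login] = self
  end

  def admin?
    @admin
  end

  # Class method, like the one in app/models/user.rb (lookup simplified).
  def self.anonymous_admin
    REGISTRY.fetch(ANONYMOUS_ADMIN) { raise 'Anonymous admin user is missing' }
  end

  # As quoted from user_extensions.rb: `admin? ||` short-circuits for admins,
  # so the bare call is only evaluated, and only raises, for non-admins.
  def allowed_organizations_buggy
    (admin? || anonymous_admin) ? ALL_ORGS : organizations
  end

  # Naive repair: the class method returns a User object, which is always
  # truthy, so every caller would be handed every organization.
  def allowed_organizations_naive
    (admin? || self.class.anonymous_admin) ? ALL_ORGS : organizations
  end

  # Assumed intent: only the anonymous admin account itself counts as admin.
  def allowed_organizations_scoped
    (admin? || login == ANONYMOUS_ADMIN) ? ALL_ORGS : organizations
  end
end

User.new(ANONYMOUS_ADMIN, admin: true)
ADMIN = User.new('admin', admin: true)
JDOE  = User.new('jdoe', organizations: ['platops'])

# Returns the organization list, or the exception class name on NameError.
def outcome(user, variant)
  user.public_send(variant)
rescue NameError => e
  e.class.name
end
```

The buggy variant fails closed for `jdoe` and works for `admin`, which matches the reported behaviour; the naive variant would instead fail open by widening organization scope for every user.
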
Comment 1 Neil Miao 2015-03-06 07:56:20 UTC
"Actual results:" and "Expected results:" are reversed ... sorry.

Comment 2 RHEL Program Management 2015-03-06 08:03:08 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Christine Fouant 2015-07-15 19:53:03 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 5 Christine Fouant 2015-07-15 20:03:22 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10132 from this bug

Comment 6 David O'Brien 2015-08-11 04:31:10 UTC
Is there any workaround or other info I can include in a rel note to help the customer?

thanks

Comment 7 Mike McCune 2015-08-11 05:18:46 UTC
WORKAROUND:

Use a user with the 'Admin' role or use an Activation Key

Comment 9 Tazim Kolhar 2015-08-27 10:51:43 UTC
VERIFIED:
# rpm -qa | grep foreman
foreman-vmware-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.3-1.el6_6sat.noarch
foreman-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-libvirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.19-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.5-1.el6_6sat.noarch
foreman-postgresql-1.7.2.35-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.14-1.el6_6sat.noarch
tyan-gt24-03.rhts.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.20-1.el6_6sat.noarch
foreman-ovirt-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.9-1.el6_6sat.noarch
foreman-compute-1.7.2.35-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch
foreman-gce-1.7.2.35-1.el6_6sat.noarch
foreman-proxy-1.7.2.5-1.el6_6sat.noarch
foreman-debug-1.7.2.35-1.el6_6sat.noarch

steps:
 hammer --csv role filters --id 11
[Foreman] Username: admin
[Foreman] Password for admin: 
Id,Resource type,Search,Unlimited?,Role,Permissions
48,Host,none,true,View hosts,view_hosts
153,Katello::ActivationKey,none,true,View hosts,"view_activation_keys, create_activation_keys, edit_activation_keys, destroy_activation_keys"
154,Katello::System,none,true,View hosts,"view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content_hosts"
155,Katello::ContentView,none,true,View hosts,view_content_views
156,Katello::GpgKey,none,true,View hosts,view_gpg_keys
157,Katello::HostCollection,none,true,View hosts,view_host_collections
158,Katello::KTEnvironment,none,true,View hosts,view_lifecycle_environments
159,Organization,none,true,View hosts,view_organizations
160,Katello::Product,none,true,View hosts,view_products

# subscription-manager register --org="Default_Organization" --environment="Library" --force
Username: testuser
Password: 
The system has been registered with ID: c71688cb-86b8-4fb3-960c-c97993a17d13 

# tail -f production.log
2015-08-27 06:49:23 [I] Completed 200 OK in 155ms (Views: 0.4ms | ActiveRecord: 0.0ms)
2015-08-27 06:49:50 [I] Processing by Api::V2::FiltersController#index as JSON
2015-08-27 06:49:50 [I]   Parameters: {"search"=>"role_id = \"11\"", "apiv"=>"v2", "filter"=>{}}
2015-08-27 06:49:50 [I] Authorized user admin(Admin User)
2015-08-27 06:49:51 [I]   Rendered api/v2/filters/index.json.rabl within api/v2/layouts/index_layout (97.0ms)
2015-08-27 06:49:51 [I] Completed 200 OK in 167ms (Views: 100.0ms | ActiveRecord: 26.6ms)
2015-08-27 06:51:07 [I] Processing by HostsController#externalNodes as YML
2015-08-27 06:51:07 [I]   Parameters: {"name"=>"tyan-gt24-03.rhts.eng.bos.redhat.com"}
2015-08-27 06:51:09 [I]   Rendered text template (0.0ms)
2015-08-27 06:51:09 [I] Completed 200 OK in 1850ms (Views: 14.4ms | ActiveRecord: 426.4ms)

Comment 11 errata-xmlrpc 2015-09-15 07:21:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1786

