Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1202279 - UI throws permission denied message when providing discovery roles to a normal user
Summary: UI throws permission denied message when providing discovery roles to a norma...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Discovery Plugin
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Sachin Ghai
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1193977
TreeView+ depends on / blocked
 
Reported: 2015-03-16 09:47 UTC by Sachin Ghai
Modified: 2019-09-26 17:38 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:35:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
permission denied message when login with user who has been subscribed to "Discovery reader" role (23.89 KB, image/png)
2015-03-16 09:47 UTC, Sachin Ghai 		no flags Details
discovery_reader role doesn't have view_hosts permission (34.77 KB, image/png)
2016-04-07 10:42 UTC, Sachin Ghai 		no flags Details
discovery_manager doesn't include view_hosts permission (28.64 KB, image/png)
2016-04-07 10:43 UTC, Sachin Ghai 		no flags Details
discovery_manager includes "view_host" permission (58.42 KB, image/png)
2016-05-06 12:18 UTC, Sachin Ghai 		no flags Details
discovery_reader role includes "view_host" permission (46.69 KB, image/png)
2016-05-06 12:18 UTC, Sachin Ghai 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 13829 0 None None None 2016-04-22 16:42:20 UTC

Description Sachin Ghai 2015-03-16 09:47:03 UTC 
Created attachment 1002173 [details]
permission denied message when login with user who has been subscribed  to "Discovery reader" role

Description of problem:
we assigned "Discovery Manager" role to a user. But when I logged in with user, UI throws permission denied error on UI though we can browse the menu items. Please see the attached screenshot.


Version-Release number of selected component (if applicable):
sat6.1 beta snap6 compose2 (Satellite-6.1.0-RHEL-6-20150311.1).

How reproducible:
always

Steps to Reproduce:
1. create a user
2. assign "Discover reader" role
3. logout with admin user
4. login with normal user created in step1

Actual results:
permission denied message as soon as user logs in.

Expected results:
UI shouldn't show permission denied message on login.

Additional info:
production.logs when user login:

2015-03-16 09:46:52 [I] Processing by UsersController#login as HTML
2015-03-16 09:46:52 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"xiI66GRVpAfZvPbTTW2TDZMo9isLuCU9/SxowpJD1PE=", "login"=>{"login"=>"sghai", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.6ms)
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I] Redirected to https://dhcp201-163.englab.pnq.redhat.com/hosts
2015-03-16 09:46:52 [I] Completed 302 Found in 34ms (ActiveRecord: 13.0ms)
2015-03-16 09:46:52 [I] Processing by HostsController#index as HTML
2015-03-16 09:46:52 [I]   Rendered common/403.html.erb within layouts/application (1.1ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (3.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_user_dropdown.html.erb (1.8ms)
2015-03-16 09:46:52 [I] Read fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I]   Rendered home/_organization_dropdown.html.erb (7.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_location_dropdown.html.erb (5.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_org_switcher.html.erb (12.5ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.5ms)
2015-03-16 09:46:52 [I] Write fragment views/tabs_and_title_records-4 (1.2ms)
2015-03-16 09:46:52 [I]   Rendered home/_topbar.html.erb (38.6ms)
2015-03-16 09:46:52 [I]   Rendered layouts/base.html.erb (40.3ms)
2015-03-16 09:46:52 [I] Filter chain halted as :authorize rendered or redirected
2015-03-16 09:46:52 [I] Completed 403 Forbidden in 69ms (Views: 42.7ms | ActiveRecord: 5.0ms)
Comment 1 Sachin Ghai 2015-03-16 09:48:53 UTC 
Also, please note that when user login, UI auto select the "default Location" but not the default_org.. I think that's the issue why we are getting permission denied.

Just to clear, when we created the user, we selected the 'Default_org" and default_location"
Comment 3 Sachin Ghai 2015-03-16 11:26:31 UTC 
on login, firebug raises this error:

"NetworkError: 403 Forbidden - https://dhcp201-163.englab.pnq.redhat.com/hosts"
Comment 4 Sachin Ghai 2015-03-25 11:09:44 UTC 
If I assign "view_host" permission to same user along with "Discovery Manager" role then I don't see the permission denied error.

So I think we need to add view_host permissions to "Discovery Reader" and "Discovery_Manager"  roles.
Comment 5 Bryan Kearney 2016-02-23 15:02:03 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/13829 has been closed
-------------
Anonymous
Applied in changeset commit:foreman_discovery|ee63dc3c74e7e799de43896dc199ea0c7324aa5e.
Comment 8 Sachin Ghai 2016-04-07 10:39:16 UTC 
Verified with sat6.2 snap6.2

I don't see view_host permission in discovery_reader and discovery_manager role.


Please see the attached screenshots.
Comment 9 Sachin Ghai 2016-04-07 10:42:24 UTC 
Created attachment 1144665 [details]
discovery_reader role doesn't have view_hosts permission
Comment 10 Sachin Ghai 2016-04-07 10:43:11 UTC 
Created attachment 1144668 [details]
discovery_manager doesn't include view_hosts permission
Comment 11 Lukas Zapletal 2016-04-07 14:33:24 UTC 
The bug was not going through the cherry-picking process properly (again I assumed we will be rebasing). Please cherry pick the linked upstream code:

https://github.com/theforeman/foreman_discovery/commit/ee63dc3c74e7e799de43896dc199ea0c7324aa5e
Comment 13 Sachin Ghai 2016-05-06 12:17:40 UTC 
Verified with sat6.2 GA snap10.

I can see "view_host" permission in discovery_reader and discovery_manager role
Comment 14 Sachin Ghai 2016-05-06 12:18:22 UTC 
Created attachment 1154604 [details]
discovery_manager includes "view_host" permission
Comment 15 Sachin Ghai 2016-05-06 12:18:55 UTC 
Created attachment 1154605 [details]
discovery_reader role includes "view_host" permission
Comment 16 Sachin Ghai 2016-05-06 12:20:06 UTC 
I don't see permission denied error on login with user who has assigned either "discovery_manager" role or "discovery_reader" role.
Comment 17 Bryan Kearney 2016-07-27 11:35:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
Note You need to log in before you can comment on or make changes to this bug.