Bug 1243055
| Summary: | [RFE] Allow non admin users access to utilize hammer cli based on their roles and privileges | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Dave Sullivan <dsulliva> |
| Component: | Hammer | Assignee: | Katello Bug Bin <katello-bugs> |
| Status: | CLOSED NOTABUG | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1.0 | CC: | bkearney, dsulliva, xdmoon |
| Target Milestone: | Unspecified | Keywords: | FutureFeature, Reopened |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-26 20:34:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Dave Sullivan
2015-07-14 16:24:35 UTC
The hammer commands will not allow access to the data if the user is no authenticated. We do not have plans to have the hammer commands reconfigure based on the roles. We will expose all the hammer commands and enforce RBAC on the server. Just putting a note here before I forget, this is not about authentication. This is more about why in cli we have to provide --admin true for a user. We don't think this is necessary in UI. Also does adding --admin true in cli bypass the user RBAC/Filters. The expectation here is that a user would just need to authenticate and RBAC rules would allow/disallow cli usage. So why is --admin true required here and is there a corresponding requirement in the UI? Going to reopen to ensure this is answered properly. the --admin flag is an attribute of the users. The example which that issue is showing users create, so the command user create --admin true --firstname Example --lastname User --login example1 --mail root@localhost --password redhat --auth-source-id 1 is not saying, I __as an admin__ create user "Example User" it is saying I create user "Example User" __and make her an admin__ Based on my tests below I will close
I just tested this on 6.1.1 and all seems to work ok
In the UI when adding a field under Roles there is an "Administrator" that corresponds to the cli --admin true.
But it's not needed per se I didn't check it.
But you do have to provide a role, I added a "Viewer" roll.
And all works fine from the hammer cli.
[root@cragsat61 ~]# hammer -u admin user list
[Foreman] Password for admin:
---|--------|------------------|--------------------
ID | LOGIN | NAME | EMAIL
---|--------|------------------|--------------------
7 | dave | | dsulliva
4 | admin | admin admin | crag
3 | crag | Craig Donnelly | crag
5 | kdixon | Kathryn Dixon | kdixon
6 | test | test permissions |
---|--------|------------------|--------------------
[root@cragsat61 ~]# hammer -u admin user info --id 7
[Foreman] Password for admin:
Id: 7
Login: dave
Name:
Email: dsulliva
Admin: no
Authorized by: Internal
Last login: 2015/08/26 20:22:09
Default organization:
Default location:
Roles:
Anonymous
Viewer
User groups:
Organizations:
CragSat61
Created at: 2015/08/26 20:09:45
Updated at: 2015/08/26 20:22:09
[root@cragsat61 ~]# hammer -u dave content-view info --name "davequicktest" --organization CragSat61
[Foreman] Password for dave:
ID: 4
Name: davequicktest
Label: davequicktest
Composite:
Description:
Content Host Count: 0
Organization: CragSat61
Yum Repositories:
1) ID: 6
Name: Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server
Label: Red_Hat_Enterprise_Linux_6_Server_RPMs_x86_64_6Server
Docker Repositories:
Puppet Modules:
Lifecycle Environments:
1) ID: 2
Name: Library
Versions:
1) ID: 4
Version: 1.0
Published: 2015/08/24 20:36:59
2) ID: 5
Version: 2.0
Published: 2015/08/24 21:04:28
Components:
Activation Keys:
|