Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
[RFE] Satellite 6 permissions: roles - feature to be able to lock the visibility/manageability of content hosts in a specific "host collection" to a specific group of users.
This is possible with 6.2. Create a role and add host permissions with filter set to "host_collection = name" or "host_collection_id = 1". Note that the user must also have 'view_organization' permission and likely permissions to see the host_collection itself. Note that the name of host_collection may change and the filter would stop working. This might or might not be desired, so you can also use id if it's preferred in your use case.
I think the permission system is covered well in product documentation, please see https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/54-granular-permission-filtering
The example uses hostgroup instead of host_collection but the principle is the same. Please let us know whether this works for customer and whether we can close as current release. I'm afraid the change is too big to backport to 6.1 where Host and Content Host were two separate objects.
I'll also open documentation bug for renaming resource type from Host/managed to Host since it's no longer displayed this way.
Did some testing and managed to get something that looks like it works. This was with satellite 6.2.7. Please review and see if I missed something. In this test the host collection is "QA Servers" :
role filters:
Resource: Host
Permissions: view_hosts
Search: host_collection = "QA servers"
Resource: Host Collections
Permissions: view_host_collections
Search: name = "QA servers"
Resource: Organization
Permissions: view_organizations
Search: none
Now not sure if this is all of the permissions that the customer needs but I can see the servers in the host collection in question and none others.
Closing this BZ since:
- The permissions needed for viewing hosts only in specific collection are listed in comment #10.
- BZ 1390919 has been opened to fix the issue with permissions needed to assign/remove hosts from host collections and is already verified for 6.3.
If you feel this is in error and there are further issues in this BZ that haven't been addressed by one of the above, please reopen and explain what is still missing.