Bug 1269997 - [RFE] Satellite 6 permissions: roles - feature to be able to lock the visibility/manageability of content hosts in a specific "host collection" to a specific group of users.
Summary: [RFE] Satellite 6 permissions: roles - feature to be able to lock the visibi...
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.1
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
: 1168738 1341585 1391081 (view as bug list)
Depends On:
Blocks: 1316897
TreeView+ depends on / blocked
 
Reported: 2015-10-08 18:01 UTC by Prakash Ghadge
Modified: 2023-03-24 13:38 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-27 07:31:33 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2349641 0 None None None 2017-01-04 11:52:04 UTC

Comment 3 Marek Hulan 2017-01-04 11:13:16 UTC 
This is possible with 6.2. Create a role and add host permissions with filter set to "host_collection = name" or "host_collection_id = 1". Note that the user must also have 'view_organization' permission and likely permissions to see the host_collection itself. Note that the name of host_collection may change and the filter would stop working. This might or might not be desired, so you can also use id if it's preferred in your use case.

I think the permission system is covered well in product documentation, please see https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/54-granular-permission-filtering

The example uses hostgroup instead of host_collection but the principle is the same. Please let us know whether this works for customer and whether we can close as current release. I'm afraid the change is too big to backport to 6.1 where Host and Content Host were two separate objects.

I'll also open documentation bug for renaming resource type from Host/managed to Host since it's no longer displayed this way.
Comment 4 Marek Hulan 2017-01-04 11:20:32 UTC 
Documentation bug opened as BZ 1410060
Comment 5 Marek Hulan 2017-01-04 11:39:34 UTC 
*** Bug 1391081 has been marked as a duplicate of this bug. ***
Comment 6 Marek Hulan 2017-01-04 11:48:51 UTC 
*** Bug 1341585 has been marked as a duplicate of this bug. ***
Comment 7 Marek Hulan 2017-01-04 13:41:59 UTC 
*** Bug 1168738 has been marked as a duplicate of this bug. ***
Comment 10 Calvin Smith 2017-03-15 20:59:42 UTC 
Did some testing and managed to get something that looks like it works. This was with satellite 6.2.7. Please review and see if I missed something. In this test the host collection is "QA Servers" :

role filters:
Resource:    Host 	
Permissions: view_hosts 		
Search:      host_collection = "QA servers" 	

Resource:    Host Collections 	
Permissions: view_host_collections		
Search:      name = "QA servers" 	

Resource:    Organization 	
Permissions: view_organizations 		
Search:      none 	

Now not sure if this is all of the permissions that the customer needs but I can see the servers in the host collection in question and none others.
Comment 21 Tomer Brisker 2017-11-27 07:31:33 UTC 
Closing this BZ since:
- The permissions needed for viewing hosts only in specific collection are listed in comment #10.
- BZ 1390919 has been opened to fix the issue with permissions needed to assign/remove hosts from host collections and is already verified for 6.3.

If you feel this is in error and there are further issues in this BZ that haven't been addressed by one of the above, please reopen and explain what is still missing.
Comment 22 Marek Hulan 2017-11-27 11:09:36 UTC 
Also the ask for better UI/wizard that would make it easy to create such role, perhaps using some template role should be asked as a separate BZ.
Note You need to log in before you can comment on or make changes to this bug.