Bug 1293716 - Unable to control where users can build hosts
Summary: Unable to control where users can build hosts
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.5
Hardware: All
OS: All
high vote
Target Milestone: Unspecified
Assignee: Tomer Brisker
QA Contact: Peter Ondrejka
URL: http://projects.theforeman.org/issues...
Duplicates: 1118312
Depends On:
Reported: 2015-12-22 19:45 UTC by Andrew Schofield
Modified: 2021-06-10 11:05 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-02-21 17:07:02 UTC
Target Upstream Version:

Attachments
screenshot_1 (53.27 KB, image/png), 2016-10-31 13:12 UTC, Peter Ondrejka
screenshot_2 (7.33 KB, image/png), 2016-10-31 13:12 UTC, Peter Ondrejka

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 4477 0 Normal Closed Improve permissions on resources in host creation/editing form 2020-04-15 16:33:30 UTC
Foreman Issue Tracker 17176 0 Normal Closed New host creation ignores permissions for lifecycle envs, content views, and conent sources (smart proxies) 2020-04-15 16:33:30 UTC

Description Andrew Schofield 2015-12-22 19:45:48 UTC
Description of problem:
When a user has the 'create_hosts' permission, there are no controls to limit which Location, Host Group, Lifecycle Environment, or Content View the user can create the host in.

Version-Release number of selected component (if applicable):

How reproducible:
Create a user, assign to a role. Give the following roles
assign_organizations, view_organizations
assign_locations, view_locations
edit_products, view_products	name = P_GIRAFFE
promote_or_remove_content_views, view_content_views, publish_content_views	name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE
promote_or_remove_content_views_to_environments, view_lifecycle_environments	name = ENG
create_hosts, view_hosts	hostgroup_fullname = HG_Capsule

Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content Views etc. and initiate the build of a host.

Actual results:
Host is created in host groups and lifecycle environments we have tried to limit.

Expected results:
Host creation to only show resources that the user has access to.

Additional info:
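
The expected behaviour described in the report, as an added example (a minimal Ruby model written for this page, not Foreman or Katello code): role filters decide both which options the New Host form lists and whether a submitted host is accepted. The Filter struct, the sample inventory and all function names are assumptions, and the search parser handles only the "field = value or field = value" form used above.

```ruby
require "set"

# Added illustration, not Foreman/Katello code. A filter ties a resource type
# to a search string such as "name = ENG" (the form used in the report).
Filter = Struct.new(:resource, :search)

# Constructed role mirroring the report's filters. Simplification: the
# hostgroup_fullname filter on hosts is modelled as a filter on host groups.
ROLE = [
  Filter.new(:content_view, "name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE"),
  Filter.new(:lifecycle_environment, "name = ENG"),
  Filter.new(:hostgroup, "hostgroup_fullname = HG_Capsule"),
].freeze

# Constructed inventory: everything that exists in the organization.
INVENTORY = {
  content_view: %w[CCV_CSL3.1_GIRAFFE CV_GIRAFFE CV_ZEBRA],
  lifecycle_environment: %w[ENG QA PROD],
  hostgroup: %w[HG_Capsule HG_Web],
}.freeze

# Parse "field = A or field = B" into the set of allowed values.
# Only '=' terms joined by 'or' are supported in this sketch.
def allowed_values(search)
  search.split(/\s+or\s+/i).map { |term| term.split("=", 2).last.strip }.to_set
end

# Resources of one type the role may use. No filter means no access
# (deny by default) rather than falling back to the full inventory.
def permitted(role, resource, inventory)
  filters = role.select { |f| f.resource == resource }
  return [] if filters.empty?
  allowed = filters.map { |f| allowed_values(f.search) }.reduce(:|)
  inventory.fetch(resource, []).select { |name| allowed.include?(name) }
end

# Option lists the New Host form should render for this role.
def form_options(role, inventory)
  inventory.keys.map { |res| [res, permitted(role, res, inventory)] }.to_h
end

# Server-side check on submit: returns the fields whose value is out of scope,
# so a hand-crafted request cannot bypass the filtered form.
def out_of_scope(role, inventory, params)
  params.reject { |res, name| permitted(role, res, inventory).include?(name) }.keys
end
```

Filtering the form alone is not sufficient; the same scope has to be applied again when the host is saved, which is what out_of_scope models.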

Comment 1 David Caplan 2016-01-05 18:20:03 UTC
Please help us to understand the affected user's context:

1. is the affected user logged into a specific organization context (vs. any context)
2. Has the user been constrained to only view specific location?

Comment 2 Andrew Schofield 2016-01-05 20:10:20 UTC
1. The user is assigned to an organization (we only have one org configured) and is a member of that organization when attempting to create a host.
2. Yes. The user is assigned and constrained to a location.

Comment 5 Tomer Brisker 2016-03-17 11:38:47 UTC
Created redmine issue http://projects.theforeman.org/issues/14248 from this bug

Comment 6 Bryan Kearney 2016-03-17 12:08:52 UTC
Upstream bug component is Provisioning

Comment 7 Bryan Kearney 2016-03-17 12:43:16 UTC
Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug

Comment 8 Bryan Kearney 2016-03-17 14:08:50 UTC
Upstream bug component is Users & Roles

Comment 10 Tomer Brisker 2016-03-27 14:50:54 UTC
*** Bug 1118312 has been marked as a duplicate of this bug. ***

Comment 12 Bryan Kearney 2016-06-27 12:10:23 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed

Comment 15 Peter Ondrejka 2016-10-31 13:10:03 UTC
Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments.

Having a role with permissions:
    promote_or_remove_content_views_to_environments, view_lifecycle_environments
and search filter as:
    name = testenv
(see screenshot1)

This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Content > Lifecycle Environment page. (see screenshot2)

Comment 16 Peter Ondrejka 2016-10-31 13:12:10 UTC
Created attachment 1215800

Comment 17 Peter Ondrejka 2016-10-31 13:12:47 UTC
Created attachment 1215801

Comment 18 Justin Sherrill 2016-11-01 16:01:44 UTC
Taking over to fix the FAILED_QE issue in katello

Comment 19 Bryan Kearney 2016-11-01 16:18:59 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 20 Justin Sherrill 2016-11-01 22:50:56 UTC
Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug

Comment 21 Satellite Program 2017-01-09 21:18:37 UTC
Upstream bug assigned to tbrisker@redhat.com

Comment 22 Tomer Brisker 2017-03-16 14:12:00 UTC
Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.

Comment 23 Peter Ondrejka 2017-10-25 15:15:52 UTC
Verified in satellite-6.3.0-21.0.beta.el7sat.noarch, create host dialog has options correctly limited according to permissions including lc environments

Comment 25 Bryan Kearney 2018-02-21 17:07:02 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
