Bug 1293716 – Unable to control where users can build hosts

Bug 1293716 - Unable to control where users can build hosts

Summary:	Unable to control where users can build hosts

Status:	ON_QA

Aliases:	None

Product:	Red Hat Satellite 6
Classification:	Red Hat
Component:	Users & Roles (Show other bugs)
Sub Component:
Version:	6.1.5
Hardware:	All All

Priority	urgent Severity high (vote)
Target Milestone:	GA
Target Release:	--
Assigned To:	Tomer Brisker
QA Contact:	Peter Ondrejka
Docs Contact:

URL:	http://projects.theforeman.org/issues...
Whiteboard:
Keywords:	Triaged

Duplicates:	1118312 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-12-22 14:45 EST by Andrew Schofield
Modified:	2017-06-09 02:22 EDT (History)
CC List:	11 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
screenshot_1 (53.27 KB, image/png) 2016-10-31 09:12 EDT, Peter Ondrejka	no flags	Details
screenshot_2 (7.33 KB, image/png) 2016-10-31 09:12 EDT, Peter Ondrejka	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	17176	None	None	None	2016-11-01 18:51 EDT
Foreman Issue Tracker	4477	None	None	None	2016-04-26 13:08 EDT

Groups: None (edit)

Description Andrew Schofield 2015-12-22 14:45:48 EST

Description of problem:
When a user has the 'create_hosts' permission then there are no controls to limit what Location, Host Group, Lifecycle Environment, Content View that the user can create the host in. 

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Create a user, assign to a role. Give the following roles
access_dashboard
assign_organizations, view_organizations
assign_locations, view_locations
edit_products, view_products	name = P_GIRAFFE
promote_or_remove_content_views, view_content_views, publish_content_views	name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE
promote_or_remove_content_views_to_environments, view_lifecycle_environments	name = ENG
create_hosts, view_hosts	hostgroup_fullname = HG_Capsule

Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content View's etc and initiate the build of a host.

Actual results:
Host is created by in host groups, lifecycle environments we have tried to limit.

Expected results:
Host creation to only show resources that the user has access too.

Additional info:

Comment 1 David Caplan 2016-01-05 13:20:03 EST

Please help us to understand the affected user's context:

1. is the affected user logged into a specific organization context (vs. any context)
2. Has the user been constrained to only view specific location?

Comment 2 Andrew Schofield 2016-01-05 15:10:20 EST

1. The user is assigned to a organization (we only have one org configured) and is a member of that organization when attempting to create a host.
2. Yes. The user is assigned and constrained to a location.

Comment 5 Tomer Brisker 2016-03-17 07:38:47 EDT

Created redmine issue http://projects.theforeman.org/issues/14248 from this bug

Comment 6 Bryan Kearney 2016-03-17 08:08:52 EDT

Upstream bug component is Provisioning

Comment 7 Bryan Kearney 2016-03-17 08:43:16 EDT

Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug

Comment 8 Bryan Kearney 2016-03-17 10:08:50 EDT

Upstream bug component is Users & Roles

Comment 10 Tomer Brisker 2016-03-27 10:50:54 EDT

*** Bug 1118312 has been marked as a duplicate of this bug. ***

Comment 12 Bryan Kearney 2016-06-27 08:10:23 EDT

Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed

Comment 15 Peter Ondrejka 2016-10-31 09:10:03 EDT

Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments.

Having a role with permissions:
    promote_or_remove_content_views_to_environments, view_lifecycle_environments
and search fitler as:
    name = testenv
(see screenshot1)

This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Contnet > Lifecycle Environment page.(see screenshot2)

Comment 16 Peter Ondrejka 2016-10-31 09:12 EDT

Created attachment 1215800 [details]
screenshot_1

Comment 17 Peter Ondrejka 2016-10-31 09:12 EDT

Created attachment 1215801 [details]
screenshot_2

Comment 18 Justin Sherrill 2016-11-01 12:01:44 EDT

Taking over to fix the FAILED_QE issue in katello

Comment 19 Bryan Kearney 2016-11-01 12:18:59 EDT

Upstream bug assigned to tbrisker@redhat.com

Comment 20 Justin Sherrill 2016-11-01 18:50:56 EDT

Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug

Comment 21 pm-sat@redhat.com 2017-01-09 16:18:37 EST

Upstream bug assigned to tbrisker@redhat.com

Comment 22 Tomer Brisker 2017-03-16 10:12:00 EDT

Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.

Note You need to log in before you can comment on or make changes to this bug.