Red Hat Bugzilla – Bug 1293716
Unable to control where users can build hosts
Last modified: 2017-11-29 07:35:52 EST
Description of problem:
When a user has the 'create_hosts' permission then there are no controls to limit what Location, Host Group, Lifecycle Environment, Content View that the user can create the host in.
Version-Release number of selected component (if applicable):
Create a user, assign to a role. Give the following roles
edit_products, view_products name = P_GIRAFFE
promote_or_remove_content_views, view_content_views, publish_content_views name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE
promote_or_remove_content_views_to_environments, view_lifecycle_environments name = ENG
create_hosts, view_hosts hostgroup_fullname = HG_Capsule
Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content View's etc and initiate the build of a host.
Host is created by in host groups, lifecycle environments we have tried to limit.
Host creation to only show resources that the user has access too.
Please help us to understand the affected user's context:
1. is the affected user logged into a specific organization context (vs. any context)
2. Has the user been constrained to only view specific location?
1. The user is assigned to a organization (we only have one org configured) and is a member of that organization when attempting to create a host.
2. Yes. The user is assigned and constrained to a location.
Created redmine issue http://projects.theforeman.org/issues/14248 from this bug
Upstream bug component is Provisioning
Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug
Upstream bug component is Users & Roles
*** Bug 1118312 has been marked as a duplicate of this bug. ***
Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed
Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments.
Having a role with permissions:
and search fitler as:
name = testenv
This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Contnet > Lifecycle Environment page.(see screenshot2)
Created attachment 1215800 [details]
Created attachment 1215801 [details]
Taking over to fix the FAILED_QE issue in katello
Upstream bug assigned to firstname.lastname@example.org
Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug
Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.
Verified in satellite-6.3.0-21.0.beta.el7sat.noarch, create host dialog has options correctly limited according to permissions including lc environments