Hide Forgot
Description of problem: When a user has the 'create_hosts' permission then there are no controls to limit what Location, Host Group, Lifecycle Environment, Content View that the user can create the host in. Version-Release number of selected component (if applicable): 6.1.5 How reproducible: Create a user, assign to a role. Give the following roles access_dashboard assign_organizations, view_organizations assign_locations, view_locations edit_products, view_products name = P_GIRAFFE promote_or_remove_content_views, view_content_views, publish_content_views name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE promote_or_remove_content_views_to_environments, view_lifecycle_environments name = ENG create_hosts, view_hosts hostgroup_fullname = HG_Capsule Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content View's etc and initiate the build of a host. Actual results: Host is created by in host groups, lifecycle environments we have tried to limit. Expected results: Host creation to only show resources that the user has access too. Additional info:
Please help us to understand the affected user's context: 1. is the affected user logged into a specific organization context (vs. any context) 2. Has the user been constrained to only view specific location?
1. The user is assigned to a organization (we only have one org configured) and is a member of that organization when attempting to create a host. 2. Yes. The user is assigned and constrained to a location.
Created redmine issue http://projects.theforeman.org/issues/14248 from this bug
Upstream bug component is Provisioning
Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug
Upstream bug component is Users & Roles
*** Bug 1118312 has been marked as a duplicate of this bug. ***
Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed
Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments. Having a role with permissions: promote_or_remove_content_views_to_environments, view_lifecycle_environments and search fitler as: name = testenv (see screenshot1) This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Contnet > Lifecycle Environment page.(see screenshot2)
Created attachment 1215800 [details] screenshot_1
Created attachment 1215801 [details] screenshot_2
Taking over to fix the FAILED_QE issue in katello
Upstream bug assigned to tbrisker@redhat.com
Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug
Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.
Verified in satellite-6.3.0-21.0.beta.el7sat.noarch, create host dialog has options correctly limited according to permissions including lc environments
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336