Bug 1293716 - Unable to control where users can build hosts
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
urgent Severity high
Assigned To: Tomer Brisker
Peter Ondrejka
Duplicates: 1118312
Reported: 2015-12-22 14:45 EST by Andrew Schofield
Modified: 2017-11-29 07:35 EST

Doc Type: Bug Fix
Type: Bug

Attachments
screenshot_1 (53.27 KB, image/png)
2016-10-31 09:12 EDT, Peter Ondrejka
screenshot_2 (7.33 KB, image/png)
2016-10-31 09:12 EDT, Peter Ondrejka

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 17176 None None None 2016-11-01 18:51 EDT
Foreman Issue Tracker 4477 None None None 2016-04-26 13:08 EDT

Description Andrew Schofield 2015-12-22 14:45:48 EST
Description of problem:
When a user has the 'create_hosts' permission, there are no controls to limit which Location, Host Group, Lifecycle Environment, or Content View the user can create the host in.

Version-Release number of selected component (if applicable):

How reproducible:
Create a user, assign to a role. Give the following roles
assign_organizations, view_organizations
assign_locations, view_locations
edit_products, view_products	name = P_GIRAFFE
promote_or_remove_content_views, view_content_views, publish_content_views	name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE
promote_or_remove_content_views_to_environments, view_lifecycle_environments	name = ENG
create_hosts, view_hosts	hostgroup_fullname = HG_Capsule

Notice in the New Host as this user you can view ALL Host Groups, ALL Lifecycle Environments, ALL Content Views etc. and initiate the build of a host.

Actual results:
Host is created in host groups, lifecycle environments we have tried to limit.

Expected results:
Host creation to only show resources that the user has access to.

Additional info:
Comment 1 David Caplan 2016-01-05 13:20:03 EST
Please help us to understand the affected user's context:

1. Is the affected user logged into a specific organization context (vs. any context)?
2. Has the user been constrained to only view a specific location?
Comment 2 Andrew Schofield 2016-01-05 15:10:20 EST
1. The user is assigned to an organization (we only have one org configured) and is a member of that organization when attempting to create a host.
2. Yes. The user is assigned and constrained to a location.
Comment 5 Tomer Brisker 2016-03-17 07:38:47 EDT
Created redmine issue http://projects.theforeman.org/issues/14248 from this bug
Comment 6 Bryan Kearney 2016-03-17 08:08:52 EDT
Upstream bug component is Provisioning
Comment 7 Bryan Kearney 2016-03-17 08:43:16 EDT
Connecting redmine issue http://projects.theforeman.org/issues/7289 from this bug
Comment 8 Bryan Kearney 2016-03-17 10:08:50 EDT
Upstream bug component is Users & Roles
Comment 10 Tomer Brisker 2016-03-27 10:50:54 EDT
*** Bug 1118312 has been marked as a duplicate of this bug. ***
Comment 12 Bryan Kearney 2016-06-27 08:10:23 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/4477 has been closed
Comment 15 Peter Ondrejka 2016-10-31 09:10:03 EDT
Checked in Satellite 6.3 snap 5, the host creation dialog is correctly limited by user's privileges, with the exception of Lifecycle environments.

Having a role with permissions:
    promote_or_remove_content_views_to_environments, view_lifecycle_environments
and search filter as:
    name = testenv
(see screenshot1)

This doesn't prevent the user from seeing all available lifecycle environments when creating a host as well as at the Content > Lifecycle Environment page (see screenshot2).
Comment 16 Peter Ondrejka 2016-10-31 09:12 EDT
Created attachment 1215800
Comment 17 Peter Ondrejka 2016-10-31 09:12 EDT
Created attachment 1215801
Comment 18 Justin Sherrill 2016-11-01 12:01:44 EDT
Taking over to fix the FAILED_QE issue in katello
Comment 19 Bryan Kearney 2016-11-01 12:18:59 EDT
Upstream bug assigned to tbrisker@redhat.com
Comment 20 Justin Sherrill 2016-11-01 18:50:56 EDT
Connecting redmine issue http://projects.theforeman.org/issues/17176 from this bug
Comment 21 pm-sat@redhat.com 2017-01-09 16:18:37 EST
Upstream bug assigned to tbrisker@redhat.com
Comment 22 Tomer Brisker 2017-03-16 10:12:00 EDT
Second upstream bug has been closed for a while, looks like it wasn't picked up by the bot. Moving to POST.
Comment 23 Peter Ondrejka 2017-10-25 11:15:52 EDT
Verified in satellite-6.3.0-21.0.beta.el7sat.noarch, create host dialog has options correctly limited according to permissions including lc environments
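
The manual check from comments 15 and 23, written as an added example (not code from Satellite, Foreman or any participant in this bug): compare the options a restricted user is offered against the role's search filters and report anything outside them. The parser handles only the `field = value [or ...]` form quoted in the description, and the `OFFERED` lists are constructed sample data, not output from a real Satellite.

```python
import re

# Role filters quoted in this bug report (resource type -> search filter).
ROLE_FILTERS = {
    "hostgroups": "hostgroup_fullname = HG_Capsule",
    "lifecycle_environments": "name = ENG",
    "content_views": "name = CCV_CSL3.1_GIRAFFE or name = CV_GIRAFFE",
}

# Constructed sample: options offered to the restricted user in the New Host form.
# HG_Web, Library and PROD are constructed entries standing in for "ALL" resources.
OFFERED = {
    "hostgroups": [{"name": "HG_Capsule", "hostgroup_fullname": "HG_Capsule"},
                   {"name": "HG_Web", "hostgroup_fullname": "HG_Web"}],
    "lifecycle_environments": [{"name": "ENG"}, {"name": "Library"}, {"name": "PROD"}],
    "content_views": [{"name": "CV_GIRAFFE"}, {"name": "CCV_CSL3.1_GIRAFFE"}],
}

_CLAUSE = re.compile(r"^\s*(\w+)\s*=\s*(\S.*?)\s*$")


def parse_filter(search):
    """Parse 'field = value [or field = value ...]' into (field, value) pairs."""
    clauses = []
    for part in re.split(r"\s+or\s+", search.strip(), flags=re.IGNORECASE):
        match = _CLAUSE.match(part)
        if not match:
            raise ValueError(f"unsupported filter clause: {part!r}")
        clauses.append(match.groups())
    return clauses


def overexposed(role_filters, offered):
    """Return {resource_type: [names]} offered to the user but outside the filter."""
    findings = {}
    for rtype, resources in offered.items():
        # Fail closed: a type with no filter in the role permits nothing.
        clauses = parse_filter(role_filters[rtype]) if rtype in role_filters else []
        extra = sorted(r["name"] for r in resources
                       if not any(r.get(f) == v for f, v in clauses))
        if extra:
            findings[rtype] = extra
    return findings


if __name__ == "__main__":
    print(overexposed(ROLE_FILTERS, OFFERED))
```

An empty result corresponds to the state verified in comment 23; a non-empty `lifecycle_environments` entry corresponds to the partial fix reported in comment 15.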