Bug 1296662 - view_params is missing
view_params is missing
Status: VERIFIED
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles (Show other bugs)
6.1.5
All All
urgent Severity urgent (vote)
: GA
: --
Assigned To: orabin
Roman Plevka
http://projects.theforeman.org/issues...
: Reopened, Triaged
Depends On:
Blocks: 1351766 1353104 1353465 1352054
  Show dependency treegraph
 
Reported: 2016-01-07 14:10 EST by Andrew Schofield
Modified: 2017-01-12 01:47 EST (History)
13 users (show)

See Also:
Fixed In Version: foreman-1.11.0.40-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-27 07:07:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 13164 None None None 2016-04-26 12:55 EDT

  None (edit)
Description Andrew Schofield 2016-01-07 14:10:15 EST
Description of problem:
The view_params permission in the Parameter resource is missing. This prevents us from allowing users to be able to view parameters.

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Repeatable:

Actual results:

# hammer filter available-permissions --resource-type Parameter
---|----------------|----------
ID | NAME           | RESOURCE
---|----------------|----------
67 | create_params  | Parameter
68 | edit_params    | Parameter
69 | destroy_params | Parameter
---|----------------|----------

Expected results:

I'd expect to be assign the view_params permission to users (as edit_params is useless without this!).
Comment 2 Andrew Schofield 2016-01-11 17:18:24 EST
This seems to fix things nicely:

# diff ./app/services/foreman/access_permissions.rb.orig ./app/services/foreman/access_permissions.rb
375a376,378
>     map.permission :view_params,    {:host_editing => [:view_params],
>                                      :"api/v2/parameters" => [:view]
>     }

# grep view_params db/seeds.d/03-permissions.rb
  ['Parameter', 'view_params'],

Then ran a foreman-rake db:seed
Comment 3 Andrew Schofield 2016-01-11 17:19:18 EST
# hammer filter available-permissions --resource-type Parameter
----|----------------|----------
ID  | NAME           | RESOURCE
----|----------------|----------
67  | create_params  | Parameter
68  | edit_params    | Parameter
69  | destroy_params | Parameter
239 | view_params    | Parameter
----|----------------|----------
Comment 4 orabin 2016-01-12 14:33:37 EST
Created redmine issue http://projects.theforeman.org/issues/13164 from this bug
Comment 5 Bryan Kearney 2016-01-12 16:01:18 EST
Upstream bug component is Provisioning
Comment 6 orabin 2016-01-13 08:50:38 EST
Currently if you don't assign create_params/edit_params you can still view then if you have permissions to edit the host/hostgroup/domain (wherever you are looking at the parameters).

Would you want to hide the parameters on all objects unless you give the specific permission?
What about the roles that currently only have permissions like edit_host but expect to continue seeing the parameters as they did until now?
Comment 7 Bryan Kearney 2016-01-13 10:01:07 EST
Upstream bug component is Users & Roles
Comment 8 Andrew Schofield 2016-01-13 10:17:47 EST
(In reply to orabin from comment #6)

I'm not looking (at the moment!) to change the behavior of the params permissions. We wanted to give users the ability to view and edit the params on locations. I noticed there was no view_param role (despite view_param being referred to in numerous views). So *simply* adding this should suffice for now thanks.

view should allow users the ability to view
edit should allow users to edit existing parameters
create should allow users to create new parameters

Hence I'd expect ALL users who need to edit params to also have the view_params role. I would expect that in order to view parameters on hosts / hostgroups etc that you would need view_params permission... Checking this I can see the with NO params permissions I can indeed see hosts params which I'd suggest is wrong (you're assuming that edit_hosts should also allow edit_params - we could probably debate endlessly!). That is probably a separate bug for now though which I'll raise. I think the permissions model overall needs some work....!
Comment 13 Ivan Necas 2016-06-07 09:16:32 EDT
@andrew: adding the view_params permissions turned out to be more complex than it seemed at the beginning and it might take some time to finish properly.

If I understand your case properly, the main priority right now is to be able to edit the parameters in locations by non-admin users.

What we can do to unblock you, before the proper view_params permission is finalized, is to change the behavior in the locations to use `edit_params` permissions instead of the `view_params`.

Would this approach unblock you at your use case?
Comment 14 Bryan Kearney 2016-06-23 10:10:34 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/13164 has been closed
Comment 15 Roman Plevka 2016-06-30 11:39:51 EDT
FAILED QA
for sat 6.2.0 GA18.1

This filter works, however having only `view_hosts` filter does not allow user to list host info now. I believe this is not a desired behavior.

# hammer filter available-permissions --resource-type Parameter
[Foreman] Password for admin: 
----|----------------|----------
ID  | NAME           | RESOURCE 
----|----------------|----------
104 | create_params  | Parameter
105 | edit_params    | Parameter
106 | destroy_params | Parameter
259 | view_params    | Parameter
----|----------------|----------

#My user utilizes the 'View hosts' role:
# hammer -u admin -p changeme user info --id 4
Id:                   4
Login:                rplevka
Name:                  
... 
Roles:                
    View hosts
    Anonymous
User groups:          

Organizations:        
    Default Organization
...
# which i modified to contain the following filters:
# hammer -u admin -p changeme role filters --name="View hosts"
----|---------------|--------|------------|------------|-------------------
ID  | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE       | PERMISSIONS       
----|---------------|--------|------------|------------|-------------------
244 | Organization  | none   | yes        | View hosts | view_organizations
248 | Host          | none   | yes        | View hosts | view_hosts        
----|---------------|--------|------------|------------|-------------------

# Getting a list of hosts works just fine:
# hammer -u rplevka -p changeme host list
---|--------------------------------|------------------|------------|---------------|------------------
ID | NAME                           | OPERATING SYSTEM | HOST GROUP | IP            | MAC              
---|--------------------------------|------------------|------------|---------------|------------------
2  | my-centos-1.blah.com | CentOS 7         | my-hg-1    | 192.168.100.2 | 52:54:00:b0:c1:3a
3  | my-centos-2.blah.com | CentOS 7         | my-hg-2    | 192.168.100.4 | 52:54:00:1b:c6:db
---|--------------------------------|------------------|------------|---------------|------------------

# However listing a host information does not (as it contains parameter info and i didn't add a view_parameter role):
# hammer -u rplevka -p changeme host info --id 2
Forbidden - server refused to process the request

- this pretty much renders whole view_hosts filter useless as one sees 'all or nothing'.

Not sure what should be the desired behavior, but I would vote for cutting off the 'Parameters:' part and print out the rest.
Comment 23 Roman Plevka 2016-07-11 07:13:54 EDT
VERIFIED
(sat6.2 snap19.1)
putting this to verified since regressions mentioned above have been reported as new BZ's.

`view_params` filter is in place and working.
Comment 26 Ivan Necas 2016-07-11 12:03:31 EDT
The changes to introduce the view_parmas proper turned out to be to be quite big and risky and need some time to stabilize. Before we have a better confidence that they actually work well with the rest of the product, we will go to use the edit_params instead of view_params permission in the locations/organizations form to unblock it's usage from non-admin users, as part of https://bugzilla.redhat.com/show_bug.cgi?id=1354572
Comment 27 Andrew Schofield 2016-07-12 09:28:18 EDT
Apologies for my late entry into this.

@Ivan:

Some comments:

1) view_params really needs to be *view* throughout (and needs to work with *all* params in locations, hosts, hostgroups, subnets, domains and where ever else you can set a param)

2) edit_params needs to allow *edit* for the above.

These are both distinct and separate. The reason being that we have a need to be able to use the roles to restrict users from editing some parameters (for example we define the root password as a crypted string in the locations, but we don't want host owners (or hostgroup owners) to be able to modify this.)
Comment 28 Bryan Kearney 2016-07-27 07:07:08 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
Comment 29 Ivan Necas 2016-08-08 07:45:11 EDT
The code is merged upstream, just not delivered as 6.2 GA, moving back to POST
Comment 31 Roman Plevka 2016-10-19 09:40:33 EDT
VERIFIED
sat6.3 snap#5

- not having the view_param permission now prints entity info excepting hte parameters section.

Note You need to log in before you can comment on or make changes to this bug.