Bug 1304608 - [RFE] Manager and viewer role do not contain permissions for katello, rex and other plugins actions
Summary: [RFE] Manager and viewer role do not contain permissions for katello, rex and...
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.6
Hardware: All
OS: Linux
medium vote
Target Milestone: Unspecified
Assignee: Ondřej Pražák
QA Contact: Renzo Nuccitelli
: 1279947 1387240 (view as bug list)
Depends On:
Blocks: 260381 1122832 1373844 1479962
TreeView+ depends on / blocked
Reported: 2016-02-04 07:19 UTC by Komal
Modified: 2021-06-10 11:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-02-21 12:33:41 UTC
Target Upstream Version:

Attachments (Terms of Use)
Manager's view - no content (30.79 KB, image/png)
2017-08-30 08:41 UTC, Daniel Lobato Garcia
no flags Details
Manager permissions 6.3 snap 13 - 1 (78.06 KB, image/png)
2017-08-30 08:42 UTC, Daniel Lobato Garcia
no flags Details
Manager permissions 6.3 snap 13 - 2 (97.60 KB, image/png)
2017-08-30 08:43 UTC, Daniel Lobato Garcia
no flags Details
Manager permissions 6.3 snap 13 - 3 (106.47 KB, image/png)
2017-08-30 08:43 UTC, Daniel Lobato Garcia
no flags Details
Manager permissions 6.3 snap 13 - 4 (78.06 KB, image/png)
2017-08-30 08:44 UTC, Daniel Lobato Garcia
no flags Details

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 17954 0 Normal Closed Unify roles and permissions across plugins 2020-05-06 13:07:14 UTC
Red Hat Bugzilla 1473212 0 unspecified CLOSED Default role Viewer does not contain resource permissions view_content_views and view_lifecycle_environments 2021-03-11 15:28:33 UTC
Red Hat Knowledge Base (Solution) 2122151 0 None None None 2016-02-04 07:21:01 UTC
Red Hat Product Errata RHSA-2018:0336 0 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Internal Links: 1473212

Comment 9 Bryan Kearney 2016-07-08 20:21:10 UTC
Per 6.3 planning, moving out non acked bugs to the backlog

Comment 11 Marek Hulan 2016-12-02 10:34:38 UTC
*** Bug 1387240 has been marked as a duplicate of this bug. ***

Comment 12 Marek Hulan 2016-12-02 10:39:01 UTC
Updating the subject of the BZ. The root cause is that Manager role does not contain Katello and possibly other plugins permissions. Rex defines it's own manager role but it would be better to have this in shared Manager role too.

Comment 13 Marek Hulan 2016-12-02 10:41:19 UTC
Other plugins should be checked too, e.g. Insight,Openscap,Discovery

Comment 14 Marek Hulan 2016-12-02 10:41:38 UTC
*** Bug 1279947 has been marked as a duplicate of this bug. ***

Comment 15 Ondřej Pražák 2017-01-04 17:24:59 UTC
We will add permissions from plugins to Manager and Viewer + create plugin-specific roles to be consistent across all plugins. I'll go over plugins and start creating tickets.

Comment 16 Ondřej Pražák 2017-01-06 09:22:55 UTC
Connecting redmine issue http://projects.theforeman.org/issues/17954 from this bug

Comment 17 Satellite Program 2017-01-10 15:16:17 UTC
Upstream bug assigned to oprazak

Comment 22 Daniel Lobato Garcia 2017-08-30 08:40:22 UTC
Failed verification.

Version tested - Satelite 6.3 snap 13.

The mechanisms to add roles to Manager are in place, and some plugins have added their own permissions to Manager. As you can see in the screenshots, Remote Execution, Discovery, OpenSCAP, etc.. permissions are available on the Manager.

However no Content permissions other than permissions of Content hosts have been added to Manager. This causes users with the Manager role to not be able to add products, sync content views, etc... as requested in the 1st comment of the BZ. 

I would say this is probably a candidate for a blocker of 6.3.

Comment 23 Daniel Lobato Garcia 2017-08-30 08:41:01 UTC
Created attachment 1319935 [details]
Manager's view - no content

Comment 24 Daniel Lobato Garcia 2017-08-30 08:42:01 UTC
Created attachment 1319936 [details]
Manager permissions 6.3 snap 13 - 1

Comment 25 Daniel Lobato Garcia 2017-08-30 08:43:26 UTC
Created attachment 1319937 [details]
Manager permissions 6.3 snap 13 - 2

Comment 26 Daniel Lobato Garcia 2017-08-30 08:43:56 UTC
Created attachment 1319938 [details]
Manager permissions 6.3 snap 13 - 3

Comment 27 Daniel Lobato Garcia 2017-08-30 08:44:25 UTC
Created attachment 1319939 [details]
Manager permissions 6.3 snap 13 - 4

Comment 28 Daniel Lobato Garcia 2017-08-30 08:46:03 UTC
Set this as 6.3 blocker to ensure we don't ship 6.3 without a Manager role that can't manage Content.

Comment 29 Marek Hulan 2017-08-30 10:51:32 UTC
Daniel, this is already tracked under BZ 1473212. If you can see all the other permissions, I think this could be considered verified. If you prefer to verify it here as well, I suggest you remove FailedQA and move it to POST with fixed_in_version set to Katello 3.4.5.

The only plugin I'm aware of that is not yet released with the patch is foreman_bootdisk. The last released version 9.0.0 does not contain the patch, it's in master only.

Comment 30 Satellite Program 2017-08-31 08:16:54 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17954 has been resolved.

Comment 31 Eric Helms 2017-09-14 01:29:01 UTC

Please advise how you'd like this BZ to be treated so I can either move it to ON_DEV now or push it back to ASSIGNED.

Comment 32 Daniel Lobato Garcia 2017-10-02 09:15:39 UTC
ON_DEV, as https://bugzilla.redhat.com/show_bug.cgi?id=1473212 shows it was fixed on Snap 14 https://github.com/Katello/katello/pull/6703.

Comment 33 Renzo Nuccitelli 2018-01-30 13:03:32 UTC
I was able to create a user with Manager Role and access Content on Satellite 6.3 snap 34. Thus I am moving this VERIFIED

Comment 36 errata-xmlrpc 2018-02-21 12:33:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.