1304608 – [RFE] Manager and viewer role do not contain permissions for katello, rex and other plugins actions

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1304608 - [RFE] Manager and viewer role do not contain permissions for katello, rex and other plugins actions

Summary: [RFE] Manager and viewer role do not contain permissions for katello, rex and...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Users & Roles
Sub Component:
Version:	6.1.6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Ondřej Pražák
QA Contact:	Renzo Nuccitelli
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1279947 1387240 (view as bug list)
Depends On:
Blocks:	260381 1122832 1373844 1479962
TreeView+	depends on / blocked

Reported:	2016-02-04 07:19 UTC by Komal
Modified:	2021-06-10 11:09 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-21 12:33:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Manager's view - no content (30.79 KB, image/png) 2017-08-30 08:41 UTC, Daniel Lobato Garcia	no flags	Details
Manager permissions 6.3 snap 13 - 1 (78.06 KB, image/png) 2017-08-30 08:42 UTC, Daniel Lobato Garcia	no flags	Details
Manager permissions 6.3 snap 13 - 2 (97.60 KB, image/png) 2017-08-30 08:43 UTC, Daniel Lobato Garcia	no flags	Details
Manager permissions 6.3 snap 13 - 3 (106.47 KB, image/png) 2017-08-30 08:43 UTC, Daniel Lobato Garcia	no flags	Details
Manager permissions 6.3 snap 13 - 4 (78.06 KB, image/png) 2017-08-30 08:44 UTC, Daniel Lobato Garcia	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	17954	Normal	Closed	Unify roles and permissions across plugins	2020-05-06 13:07:14 UTC
Red Hat Bugzilla	1473212	unspecified	CLOSED	Default role Viewer does not contain resource permissions view_content_views and view_lifecycle_environments	2021-03-11 15:28:33 UTC
Red Hat Knowledge Base (Solution)	2122151	None	None	None	2016-02-04 07:21:01 UTC
Red Hat Product Errata	RHSA-2018:0336	normal	SHIPPED_LIVE	Important: Satellite 6.3 security, bug fix, and enhancement update	2018-02-21 22:43:42 UTC

Internal Links: 1473212

Comment 9 Bryan Kearney 2016-07-08 20:21:10 UTC

Per 6.3 planning, moving out non acked bugs to the backlog

Comment 11 Marek Hulan 2016-12-02 10:34:38 UTC

*** Bug 1387240 has been marked as a duplicate of this bug. ***

Comment 12 Marek Hulan 2016-12-02 10:39:01 UTC

Updating the subject of the BZ. The root cause is that Manager role does not contain Katello and possibly other plugins permissions. Rex defines it's own manager role but it would be better to have this in shared Manager role too.

Comment 13 Marek Hulan 2016-12-02 10:41:19 UTC

Other plugins should be checked too, e.g. Insight,Openscap,Discovery

Comment 14 Marek Hulan 2016-12-02 10:41:38 UTC

*** Bug 1279947 has been marked as a duplicate of this bug. ***

Comment 15 Ondřej Pražák 2017-01-04 17:24:59 UTC

We will add permissions from plugins to Manager and Viewer + create plugin-specific roles to be consistent across all plugins. I'll go over plugins and start creating tickets.

Comment 16 Ondřej Pražák 2017-01-06 09:22:55 UTC

Connecting redmine issue http://projects.theforeman.org/issues/17954 from this bug

Comment 17 Satellite Program 2017-01-10 15:16:17 UTC

Upstream bug assigned to oprazak

Comment 22 Daniel Lobato Garcia 2017-08-30 08:40:22 UTC

Failed verification.

Version tested - Satelite 6.3 snap 13.

The mechanisms to add roles to Manager are in place, and some plugins have added their own permissions to Manager. As you can see in the screenshots, Remote Execution, Discovery, OpenSCAP, etc.. permissions are available on the Manager.

However no Content permissions other than permissions of Content hosts have been added to Manager. This causes users with the Manager role to not be able to add products, sync content views, etc... as requested in the 1st comment of the BZ. 

I would say this is probably a candidate for a blocker of 6.3.

Comment 23 Daniel Lobato Garcia 2017-08-30 08:41:01 UTC

Created attachment 1319935 [details]
Manager's view - no content

Comment 24 Daniel Lobato Garcia 2017-08-30 08:42:01 UTC

Created attachment 1319936 [details]
Manager permissions 6.3 snap 13 - 1

Comment 25 Daniel Lobato Garcia 2017-08-30 08:43:26 UTC

Created attachment 1319937 [details]
Manager permissions 6.3 snap 13 - 2

Comment 26 Daniel Lobato Garcia 2017-08-30 08:43:56 UTC

Created attachment 1319938 [details]
Manager permissions 6.3 snap 13 - 3

Comment 27 Daniel Lobato Garcia 2017-08-30 08:44:25 UTC

Created attachment 1319939 [details]
Manager permissions 6.3 snap 13 - 4

Comment 28 Daniel Lobato Garcia 2017-08-30 08:46:03 UTC

Set this as 6.3 blocker to ensure we don't ship 6.3 without a Manager role that can't manage Content.

Comment 29 Marek Hulan 2017-08-30 10:51:32 UTC

Daniel, this is already tracked under BZ 1473212. If you can see all the other permissions, I think this could be considered verified. If you prefer to verify it here as well, I suggest you remove FailedQA and move it to POST with fixed_in_version set to Katello 3.4.5.

The only plugin I'm aware of that is not yet released with the patch is foreman_bootdisk. The last released version 9.0.0 does not contain the patch, it's in master only.

Comment 30 Satellite Program 2017-08-31 08:16:54 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17954 has been resolved.

Comment 31 Eric Helms 2017-09-14 01:29:01 UTC

Daniel,

Please advise how you'd like this BZ to be treated so I can either move it to ON_DEV now or push it back to ASSIGNED.

Comment 32 Daniel Lobato Garcia 2017-10-02 09:15:39 UTC

ON_DEV, as https://bugzilla.redhat.com/show_bug.cgi?id=1473212 shows it was fixed on Snap 14 https://github.com/Katello/katello/pull/6703.

Comment 33 Renzo Nuccitelli 2018-01-30 13:03:32 UTC

I was able to create a user with Manager Role and access Content on Satellite 6.3 snap 34. Thus I am moving this VERIFIED

Comment 36 errata-xmlrpc 2018-02-21 12:33:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Note You need to log in before you can comment on or make changes to this bug.