Bug 1464137 - API - non-admin user can't create entities within org and loc he belongs to
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Organizations and Locations
Version: 6.3.0
Severity: high
Target Milestone: GA
Assigned To: Marek Hulan
QA Contact: Sanket Jagtap
Keywords: Triaged
Duplicates: 1462388
Reported: 2017-06-22 09:45 EDT by Stanislav Tkachenko
Modified: 2018-02-21 11:54 EST
Fixed In Version: foreman-1.16.0
Last Closed: 2018-02-21 11:54:17 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 20165 None None None 2017-06-29 09:31 EDT
Description Stanislav Tkachenko 2017-06-22 09:45:39 EDT
Description of problem:
A newly created non-admin user with create permissions can't create an entity within the organization and location he belongs to (in the example below it is Subnet and 'create_subnets'). Other entities are affected as well (tested with Subnet, Host and Domain).

> Making HTTP POST request to https://sat6.com/api/v2/users with options... and data {"user": {..., "location_ids": [491], "organization_ids": [490]}}.

> Received HTTP 201 response: {"default_location":null,"locations":[{"id":491,"name":"OgyTrUojzLM","title":"OgyTrUojzLM","description":null}],"default_organization":null,"organizations":[{"id":490,"name":"hfspaJbBY","title":"hfspaJbBY","description":null}],...}

> Making HTTP POST request to https://sat6.com/api/v2/subnets with options ... and data {"subnet": {..., "location_ids": [491], "organization_ids": [490]}}.

> Received HTTP 422 response: {
>  "error": {"id":null,"errors":{"organization_ids":["Invalid organizations selection, you must select at least one of yours"],"location_ids":["Invalid locations selection, you must select at least one of yours"]},"full_messages":["Organization ids Invalid organizations selection, you must select at least one of yours","Location ids Invalid locations selection, you must select at least one of yours"]}

Version-Release number of selected component (if applicable):
Satellite 6.3 Snap 3.0:
* satellite-6.3.0-15.0.beta.el7sat.noarch
* foreman-1.15.0-1.el7sat.noarch
* katello-3.4.1-1.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a non-admin user with org and loc and grant create permissions (e.g. create_domains)
2. Try to create an entity (e.g. Domain)
3. Check whether it was created or an error is raised

Actual results:
422 error

Expected results:
Entity should be created

Additional info:
Comment 2 Marek Hulan 2017-06-26 07:43:24 EDT
Could you please provide the full reproducer? Ideally the curl/wget commands you're using, also for user creation and permission setup. I can't reproduce the behavior.

The following hammer commands did the trick for me:

    hammer user create --login orgtest --mail ares@igloonet.cz --password changeme --organization-ids 1 --location-ids 2 --auth-source-id 1

    hammer user add-role --login orgtest --role Manager

    hammer -u orgtest -p changeme subnet create --organization-ids 1 --location-ids 2 --name Test --network 192.168.0.1 --mask 255.255.255.0

Also please list all roles and their configuration that the user is assigned.
Comment 5 Marek Hulan 2017-06-28 11:01:54 EDT
Thanks Stanislav, now I see what's going on. Your user does not have permissions "assign_location" and "assign_organization" which are required to create resources assigned to orgs and locs. I think the validation message could be more descriptive, e.g. 'Organization ids Invalid organizations selection, you must select at least one of yours for which you have permission to `assign_organization`'. Would that be a good solution? Also if you agree, I think this is not a 6.3 blocker so I'd move it to sat-backlog even though I'd provide the fix right away.
Comment 7 Stanislav Tkachenko 2017-06-29 01:15:45 EDT
(In reply to Marek Hulan from comment #5)
I've checked with additional permissions, now tests are passing :)

> I think the validation
> message could be more descriptive, e.g. 'Organization ids Invalid
> organizations selection, you must select at least one of yours for which you
> have permission to `assign_organization`'. Would that be a good solution?
Yes, a more descriptive message would be great.

> Also if you agree, I think this is not a 6.3 blocker so I'd move it to
> sat-backlog even though I'd provide the fix right away.
Agree.
Comment 8 Marek Hulan 2017-06-29 09:31:07 EDT
Created redmine issue http://projects.theforeman.org/issues/20165 from this bug
Comment 9 pm-sat@redhat.com 2017-06-29 10:14:51 EDT
Upstream bug assigned to mhulan@redhat.com
Comment 10 pm-sat@redhat.com 2017-06-29 10:14:54 EDT
Upstream bug assigned to mhulan@redhat.com
Comment 11 Marek Hulan 2017-06-30 10:00:28 EDT
*** Bug 1462388 has been marked as a duplicate of this bug. ***
Comment 12 pm-sat@redhat.com 2017-06-30 14:14:41 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20165 has been resolved.
Comment 13 Sanket Jagtap 2017-12-01 02:22:03 EST
Build: Satellite 6.3.0 snap 26

Using the reproducer steps

The new error generated is more detailed and the required permissions are displayed in the error:

curl -s -H "Content-Type: application/json" -H "Accept:application/json" -k -u "apple:apple" -X POST -d '{"domain": {"name": "apple", "location_ids": [8], "organization_ids": [7]}}'  https://sathost/api/v2/domains
{
  "error": {"id":null,"errors":{"organization_ids":["Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission."],"location_ids":["Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission."]},"full_messages":["Organization ids Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission.","Location ids Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission."]}
}
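To make the rule from comments 5 and 13 concrete, here is an added Python helper (not part of Foreman, Satellite or this bug's own tooling) that runs the same membership and assign_* checks locally before an API call and pulls the permission names out of the corrected 422 body. The per-entity `create_<plural>` requirement, the sample user and the sample response are assumptions constructed from this report.

```python
import re

# Permission names as spelled in the corrected 422 message (comment 13).
ASSIGN_PERMS = {"organization_ids": "assign_organizations",
                "location_ids": "assign_locations"}

def required_permissions(entity_plural):
    # Assumption modelled on comment 5: create_<plural> plus both assign_* permissions.
    return {f"create_{entity_plural}", *ASSIGN_PERMS.values()}

def preflight(user, entity_plural, org_ids, loc_ids):
    """Mirror the checks behind the 422: the user must have create_<plural>,
    must belong to every selected org/loc, and must hold the assign_* permission.
    Returns field -> list of problems; an empty dict means the request should pass."""
    problems = {}
    if f"create_{entity_plural}" not in user["permissions"]:
        problems["base"] = [f"missing permission create_{entity_plural}"]
    for field, selected, mine in (("organization_ids", org_ids, user["organization_ids"]),
                                  ("location_ids", loc_ids, user["location_ids"])):
        msgs = []
        foreign = sorted(set(selected) - set(mine))
        if foreign:
            msgs.append(f"not a member of {field} {foreign}")
        if ASSIGN_PERMS[field] not in user["permissions"]:
            msgs.append(f"missing permission {ASSIGN_PERMS[field]}")
        if msgs:
            problems[field] = msgs
    return problems

_PERM_RE = re.compile(r"have '([a-z_]+)' permission")

def permissions_named_in_error(body):
    # Pull the permission names out of a parsed 422 body shaped like comment 13's.
    found = set()
    for msgs in body.get("error", {}).get("errors", {}).values():
        found.update(p for m in msgs for p in _PERM_RE.findall(m))
    return found

# Constructed sample: the reporter's user belongs to org 490 / loc 491 but the
# role only grants create_subnets, which is exactly the failing case.
REPORTER_USER = {"organization_ids": [490], "location_ids": [491],
                 "permissions": {"create_subnets"}}
FIXED_USER = dict(REPORTER_USER, permissions=REPORTER_USER["permissions"] | set(ASSIGN_PERMS.values()))

# Constructed 422 body, same shape and wording as the response in comment 13.
SAMPLE_422 = {"error": {"id": None, "errors": {
    "organization_ids": ["Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission."],
    "location_ids": ["Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission."]}}}
```

Running `preflight(REPORTER_USER, "subnets", [490], [491])` reports the two missing assign_* permissions, while `FIXED_USER` passes; `permissions_named_in_error(SAMPLE_422)` recovers the same two names from the server's message.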
Comment 14 pm-sat@redhat.com 2018-02-21 11:54:17 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
