Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1500979 - [RFE] Please provide a Pre-made role for registration-only usage
Summary: [RFE] Please provide a Pre-made role for registration-only usage
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.12
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks: 1122832 1605195
TreeView+ depends on / blocked
 
Reported: 2017-10-11 21:54 UTC by Vincent S. Cojot
Modified: 2021-09-09 12:44 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1605195 (view as bug list)
Environment:
Last Closed: 2019-02-21 23:19:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 21307 0 None None None 2017-10-12 08:14:18 UTC
Red Hat Issue Tracker SAT-5003 0 None None None 2021-09-09 12:44:18 UTC
Red Hat Knowledge Base (Solution) 1570203 0 None None None 2018-08-08 13:51:08 UTC

Description Vincent S. Cojot 2017-10-11 21:54:08 UTC 
Description of problem:

Because bootstrap.py requires a login and password in clear text, I decided to follow https://access.redhat.com/solutions/1570203 to create an unpriviledged role to which I could assign that user.

In the end, on sat 6.2.12, this proved to be a daunting task because the KB article was incomplete.
Here's the set of permissions which worked for me:

[root@sat6 ~]# hammer  role filters --id 22
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH | UNLIMITED? | ROLE           | PERMISSIONS
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
173 | Katello::ActivationKey  | none   | yes        | Register Hosts | view_activation_keys
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
175 | Katello::ContentView    | none   | yes        | Register Hosts | view_content_views
176 | Katello::GpgKey         | none   | yes        | Register Hosts | view_gpg_keys
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
178 | Host                    | none   | yes        | Register Hosts | view_hosts
179 | Katello::HostCollection | none   | yes        | Register Hosts | view_host_collections
180 | Organization            | none   | yes        | Register Hosts | view_organizations
182 | Katello::KTEnvironment  | none   | yes        | Register Hosts | view_lifecycle_environments
183 | Katello::Product        | none   | yes        | Register Hosts | view_products
184 | Location                | none   | yes        | Register Hosts | view_locations
185 | Domain                  | none   | yes        | Register Hosts | view_domains
186 | Architecture            | none   | yes        | Register Hosts | view_architectures
187 | Operatingsystem         | none   | yes        | Register Hosts | view_operatingsystems
----|-------------------------|--------|------------|----------------|------------------------------------------------------------------------

This allowed me to use bootstrap like this:
bootstrap.py -l register -p password -s ${SAT_HOSTNAME} -o ${SAT_ORGANIZATION} -a ${ACTIVATION_KEY} -L ${SAT_LOCATION} -g ${SAT_HOSTGROUP} -O ${SAT_OS_NAME} --enablerepos=* --skip-puppet --force

Most importantly, view_operatingsystems, view_architectures, view_domains and view_locations are missing from the above KB article.

Please provide a pre-defined role in 6.2.z/6.3.z so people don't have to go through this.
Thank you,
Comment 1 Marek Hulan 2017-10-12 07:52:00 UTC 
Thanks for great report. Since the permission list contains Katello and Foreman core permissions only I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it but I'll try to prioritize this.
Comment 2 Marek Hulan 2017-10-12 08:14:16 UTC 
Created redmine issue http://projects.theforeman.org/issues/21307 from this bug
Comment 3 Satellite Program 2017-11-21 13:19:38 UTC 
Upstream bug assigned to dlobatog
Comment 4 Satellite Program 2017-11-21 13:19:41 UTC 
Upstream bug assigned to dlobatog
Comment 5 Satellite Program 2017-11-29 21:19:42 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.
Comment 6 Lukáš Hellebrandt 2018-07-20 09:47:47 UTC 
FailedQA with Sat 6.4 snap 12.

Tried registration through

1) Create Host dialogue
2) Subscription manager
3) bootstrap

... and everything was successfull.

HOWEVER, the user with registration role is also able to edit and delete hosts. That means, a person with credentials of this "register-only" user can:

* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered but the current state seems like a security issue.
Comment 7 Marek Hulan 2018-07-20 10:19:51 UTC 
Have you read the BZ description? The suggested list of permission contained edit_content_hosts, destroy_content permissions in the list. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove FailedQA flag, thanks.
Comment 8 Lukáš Hellebrandt 2018-07-20 12:38:48 UTC 
After discussion with Marek, we decided to document potentially unexpected permissions of the role. I will verify this BZ once bug 1605195 gets verified. That means this BZ should probably be moved to GA.
Comment 9 Corey Welton 2018-07-29 15:27:02 UTC 
Should this be moved back to ONQA?
Comment 12 Lukáš Hellebrandt 2018-08-20 12:40:24 UTC 
Corey, I'd only move this to ON_QA once bug 1605195 gets fixed.
Comment 13 Marek Hulan 2018-09-04 08:22:12 UTC 
Lukáš, the linked bug is now closed. Could you please adjust the state now? IMHO it should be VERIFIED. I do not understand why it was ASSIGNED until now as engineering couldn't do anything so ON_QA was IMHO better state as it was pending verification until documentation was updated. Anyway, please move the bug to correct state now.
Comment 14 Lukáš Hellebrandt 2018-09-05 09:25:40 UTC 
Verified as per comment 6, comment 8 and the fact that the docs BZ is now CLOSED_NEXTRELEASE.
Comment 20 Brad Buckingham 2019-02-21 23:19:19 UTC 
This was resolved in Satellite 6.4; therefore, moving to CLOSED:CURRENTRELEASE.  Thanks!
Note You need to log in before you can comment on or make changes to this bug.