Bug 1500979 - [RFE] Please provide a Pre-made role for registration-only usage
Summary: [RFE] Please provide a Pre-made role for registration-only usage
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.12
Hardware: Unspecified
OS: Unspecified
unspecified
medium vote
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks: 1122832 1605195
TreeView+ depends on / blocked
 
Reported: 2017-10-11 21:54 UTC by Vincent S. Cojot
Modified: 2021-09-09 12:44 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1605195 (view as bug list)
Environment:
Last Closed: 2019-02-21 23:19:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 21307 0 None None None 2017-10-12 08:14:18 UTC
Red Hat Issue Tracker SAT-5003 0 None None None 2021-09-09 12:44:18 UTC
Red Hat Knowledge Base (Solution) 1570203 0 None None None 2018-08-08 13:51:08 UTC

Description Vincent S. Cojot 2017-10-11 21:54:08 UTC
Description of problem:

Because bootstrap.py requires a login and password in clear text, I decided to follow https://access.redhat.com/solutions/1570203 to create an unpriviledged role to which I could assign that user.

In the end, on sat 6.2.12, this proved to be a daunting task because the KB article was incomplete.
Here's the set of permissions which worked for me:

[root@sat6 ~]# hammer  role filters --id 22
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH | UNLIMITED? | ROLE           | PERMISSIONS
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
173 | Katello::ActivationKey  | none   | yes        | Register Hosts | view_activation_keys
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
175 | Katello::ContentView    | none   | yes        | Register Hosts | view_content_views
176 | Katello::GpgKey         | none   | yes        | Register Hosts | view_gpg_keys
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
178 | Host                    | none   | yes        | Register Hosts | view_hosts
179 | Katello::HostCollection | none   | yes        | Register Hosts | view_host_collections
180 | Organization            | none   | yes        | Register Hosts | view_organizations
182 | Katello::KTEnvironment  | none   | yes        | Register Hosts | view_lifecycle_environments
183 | Katello::Product        | none   | yes        | Register Hosts | view_products
184 | Location                | none   | yes        | Register Hosts | view_locations
185 | Domain                  | none   | yes        | Register Hosts | view_domains
186 | Architecture            | none   | yes        | Register Hosts | view_architectures
187 | Operatingsystem         | none   | yes        | Register Hosts | view_operatingsystems
----|-------------------------|--------|------------|----------------|------------------------------------------------------------------------

This allowed me to use bootstrap like this:
bootstrap.py -l register -p password -s ${SAT_HOSTNAME} -o ${SAT_ORGANIZATION} -a ${ACTIVATION_KEY} -L ${SAT_LOCATION} -g ${SAT_HOSTGROUP} -O ${SAT_OS_NAME} --enablerepos=* --skip-puppet --force

Most importantly, view_operatingsystems, view_architectures, view_domains and view_locations are missing from the above KB article.

Please provide a pre-defined role in 6.2.z/6.3.z so people don't have to go through this.
Thank you,

Comment 1 Marek Hulan 2017-10-12 07:52:00 UTC
Thanks for great report. Since the permission list contains Katello and Foreman core permissions only I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it but I'll try to prioritize this.

Comment 2 Marek Hulan 2017-10-12 08:14:16 UTC
Created redmine issue http://projects.theforeman.org/issues/21307 from this bug

Comment 3 Satellite Program 2017-11-21 13:19:38 UTC
Upstream bug assigned to dlobatog@redhat.com

Comment 4 Satellite Program 2017-11-21 13:19:41 UTC
Upstream bug assigned to dlobatog@redhat.com

Comment 5 Satellite Program 2017-11-29 21:19:42 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.

Comment 6 Lukáš Hellebrandt 2018-07-20 09:47:47 UTC
FailedQA with Sat 6.4 snap 12.

Tried registration through

1) Create Host dialogue
2) Subscription manager
3) bootstrap

... and everything was successfull.

HOWEVER, the user with registration role is also able to edit and delete hosts. That means, a person with credentials of this "register-only" user can:

* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered but the current state seems like a security issue.

Comment 7 Marek Hulan 2018-07-20 10:19:51 UTC
Have you read the BZ description? The suggested list of permission contained edit_content_hosts, destroy_content permissions in the list. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove FailedQA flag, thanks.

Comment 8 Lukáš Hellebrandt 2018-07-20 12:38:48 UTC
After discussion with Marek, we decided to document potentially unexpected permissions of the role. I will verify this BZ once bug 1605195 gets verified. That means this BZ should probably be moved to GA.

Comment 9 Corey Welton 2018-07-29 15:27:02 UTC
Should this be moved back to ONQA?

Comment 12 Lukáš Hellebrandt 2018-08-20 12:40:24 UTC
Corey, I'd only move this to ON_QA once bug 1605195 gets fixed.

Comment 13 Marek Hulan 2018-09-04 08:22:12 UTC
Lukáš, the linked bug is now closed. Could you please adjust the state now? IMHO it should be VERIFIED. I do not understand why it was ASSIGNED until now as engineering couldn't do anything so ON_QA was IMHO better state as it was pending verification until documentation was updated. Anyway, please move the bug to correct state now.

Comment 14 Lukáš Hellebrandt 2018-09-05 09:25:40 UTC
Verified as per comment 6, comment 8 and the fact that the docs BZ is now CLOSED_NEXTRELEASE.

Comment 20 Brad Buckingham 2019-02-21 23:19:19 UTC
This was resolved in Satellite 6.4; therefore, moving to CLOSED:CURRENTRELEASE.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.