Bug 1510079 - [RFE] Tasks are visible to everybody, regardless of organization access rights
Summary: [RFE] Tasks are visible to everybody, regardless of organization access rights
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Tasks Plugin
Version: 6.2.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Jan Hutař
URL:
Whiteboard:
Duplicates: 1322566
Depends On:
Blocks:
 
Reported: 2017-11-06 16:32 UTC by Prajeesh
Modified: 2021-06-10 13:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-02 17:53:20 UTC
Target Upstream Version:
Embargoed:



Description Prajeesh 2017-11-06 16:32:11 UTC
Tasks are visible to everybody, regardless of organization access rights.

Users with permissions view_foreman_tasks and edit_foreman_tasks, granted to inspect task results and error messages, are able to cancel ANY cancelable task. This is far from the advertised multi-tenancy.

Visibility should be limited to one's own tasks, or at least to tasks from one's own organization. To see all tasks, and kill tasks submitted by others, a special administrative filter should be available.

Comment 1 Marek Hulan 2017-11-07 06:50:24 UTC
This is not easy to do, since tasks are not scoped per organization. I believe the filter can be fine-grained by task attributes including owner, but you'd need to create a separate filter for each user, since we can't define a condition such as "owner = $current_user".

Personally, I consider the tasks page a maintenance tool and would not expect non-admin users to interact with it. If users need cancelling, it should be provided by the page that generates the task, e.g. rex jobs have their cancel button.

Moving to tasks component to consider.

Comment 3 Bengt Giger 2017-11-13 15:21:44 UTC
This depends on the definition of "non admin", or "admin". Multi-tenant environments do not simply have administrators, they have administrators responsible for the system, and administrators local to the tenant (organization). Delegation of responsibilities to the organizational level is vital, as is separation.

There are worse separation issues than this, with severe security consequences. But regarding the advertised features, everything breaking the borders of tenants is more than just a feature nice to have.

Comment 4 Marek Hulan 2017-11-15 12:08:28 UTC
I understand your point and you're right. By admin I meant the system administrator of Satellite. In the ideal case, an organization admin should have no need to visit the tasks page. Or we should start scoping tasks by the context (organization/location) in which they have been created. Similarly to audits, where we have the same problem, I believe.

Comment 5 Marek Hulan 2017-11-15 15:10:53 UTC
*** Bug 1322566 has been marked as a duplicate of this bug. ***

Comment 17 Bryan Kearney 2019-07-02 17:53:20 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.

