Description of problem:
Authentication issue for checking status of Task API via EvmRole_administrator privileged User

Version-Release number of selected component (if applicable):
5.8.1.5

How reproducible:
Always

Steps to Reproduce:
1. Create "xyz" with EvmRole_Administrator privilege which I can see has the required permissions to view the status of task as shown under Settings Section.
2. Execute the report with user "xyz" and it can successfully execute the report like below:

   POST https://<cfme ip>/api/reports/1000000000002
   {
     "action": "run"
   }

   Response:
   {
     "success": true,
     "message": "running report 1000000000002",
     "href": "https://<cfme ip>/api/reports/1000000000002",
     "result_id": 1000000000009,
     "result_href": "https://<cfme ip>/api/results/1000000000009",
     "task_id": 1000000000013,
     "task_href": "https://<cfme ip>/api/tasks/1000000000013"
   }

3. But when I check the status of the task via API, it gives a forbidden error:

   GET https://<cfme-api>/api/tasks/1000000000013
   {
     "error": {
       "kind": "forbidden",
       "message": "Use of the read action is forbidden",
       "klass": "Api::ForbiddenError"
     }
   }

Though I can see the Task status via Cloudforms GUI mode with the same user but not through API.

Actual results:
It is throwing the below exception while checking the status of the task:

[----] E, [2018-01-18T02:15:06.130098 #2829:c88354] ERROR -- : <API> MIQ(Api::TasksController.api_error) API Error
[----] E, [2018-01-18T02:15:06.130185 #2829:c88354] ERROR -- : <API> MIQ(Api::TasksController.api_error) Api::ForbiddenError: Use of the read action is forbidden

Expected results:
EvmRole_Administrator privileged User should be able to check the status of Task via API.

Additional info:
I was able to reproduce the issue on 5.9.0.16
This issue stems from the use of the identifier that is present in the api.yml. While the api.yml uses the "tasks_view" product feature, the two child identifiers, "miq_task_all_ui" and "miq_task_my_ui", are the ones that are used for the Administrator role as well as others. Working on a fix to allow for either one of those child identifiers to work for viewing of tasks.
PR: https://github.com/ManageIQ/manageiq-api/pull/296
New commit detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/d759db8162475ee7160c7aec9f996fcd5bd63415

commit d759db8162475ee7160c7aec9f996fcd5bd63415
Author:     Jillian Tullo <jtullo>
AuthorDate: Mon Jan 22 08:09:07 2018 -0500
Commit:     Jillian Tullo <jtullo>
CommitDate: Mon Jan 22 08:45:44 2018 -0500

    Update role identifiers for tasks collection to be the same as those used in the UI

    When user roles are seeded, they have either the miq_task_all_ui feature
    or miq_task_my_ui feature (or both), which is what the UI also uses to
    validate that they can view requests. However, the API uses tasks_view.
    This is causing a problem where users that are able to see tasks in the
    UI are unable to see tasks through the API.

    This updates the product features used in the API to match what is
    used in the UI.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1535962

 config/api.yml                  | 12 ++++++--
 spec/lib/api/api_config_spec.rb |  3 +-
 spec/requests/tasks_spec.rb     | 62 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 4 deletions(-)
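The identifier mismatch described in the comments above, as an added example (not ManageIQ code and not part of the commit): it models an exact-match feature check, the any-of check the fix moves to, and an audit that lists roles the UI admits but the API rejects. Role names, feature sets, the `report_view` feature and all helper names are constructed for illustration; only `tasks_view`, `miq_task_all_ui` and `miq_task_my_ui` come from this report.

```ruby
require "set"

# Identifiers the UI accepts for viewing tasks (from the report).
UI_TASK_IDENTIFIERS  = %w[miq_task_all_ui miq_task_my_ui].freeze
# Identifier the API collection required before the fix (from the report).
API_TASK_IDENTIFIERS = %w[tasks_view].freeze

# Constructed role data: seeded roles carry the child features, not tasks_view.
ROLE_FEATURES = {
  "administrator" => Set["miq_task_all_ui", "miq_task_my_ui"],
  "user"          => Set["miq_task_my_ui"],
  "auditor"       => Set["report_view"] # hypothetical role and feature
}.freeze

# Before: the endpoint names one identifier and the role must hold exactly it.
def allowed_exact?(role, identifier)
  ROLE_FEATURES.fetch(role).include?(identifier)
end

# After: the endpoint lists several identifiers; holding any one is enough.
def allowed_any?(role, identifiers)
  identifiers.any? { |id| ROLE_FEATURES.fetch(role).include?(id) }
end

# Audit: roles that pass the UI check but fail the API check for the same
# resource. A non-empty result means the two layers enforce different policy.
def ui_api_mismatches(ui_ids, api_ids)
  ROLE_FEATURES.keys.select do |role|
    allowed_any?(role, ui_ids) && !allowed_any?(role, api_ids)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{ui_api_mismatches(UI_TASK_IDENTIFIERS, API_TASK_IDENTIFIERS).inspect}"
  puts "after fix:  #{ui_api_mismatches(UI_TASK_IDENTIFIERS, UI_TASK_IDENTIFIERS).inspect}"
end
```

The same audit catches the opposite drift if the arguments are swapped: roles the API admits that the UI does not.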
Verified with 5.10.0.19. EvmRole-administrator user can view task status over API.