1605195 – [RFE] Please provide a Pre-made role for registration-only usage

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1605195 - [RFE] Please provide a Pre-made role for registration-only usage

Summary: [RFE] Please provide a Pre-made role for registration-only usage

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Sergei Petrosian
QA Contact:	Melanie Corr
Docs Contact:
URL:
Whiteboard:
Depends On:	1500979
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-20 12:28 UTC by Marek Hulan
Modified:	2021-09-09 15:09 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:	1500979
Environment:
Last Closed:	2018-09-03 06:23:07 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SAT-5077	0	None	None	None	2021-09-09 15:09:02 UTC

Description Marek Hulan 2018-07-20 12:28:46 UTC

In 6.4 we are adding a role "Register host" which contains also permissions for host editing and deletion. This is required for re-registering, unregistrering the host. That also means user with this role can delete other hosts, which users might not be aware of. So product documentation should document this. Also it should say that if this is not desired, the role can be cloned and these two permissions removed.

+++ This bug was initially created as a clone of Bug #1500979 +++

Description of problem:

Because bootstrap.py requires a login and password in clear text, I decided to follow https://access.redhat.com/solutions/1570203 to create an unpriviledged role to which I could assign that user.

In the end, on sat 6.2.12, this proved to be a daunting task because the KB article was incomplete.
Here's the set of permissions which worked for me:

[root@sat6 ~]# hammer  role filters --id 22
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH | UNLIMITED? | ROLE           | PERMISSIONS
----|-------------------------|--------|------------|----------------|---------------------------------------------------------------------------------
171 | Hostgroup               | none   | yes        | Register Hosts | view_hostgroups
173 | Katello::ActivationKey  | none   | yes        | Register Hosts | view_activation_keys
174 | Katello::System         | none   | yes        | Register Hosts | view_content_hosts, create_content_hosts, edit_content_hosts, destroy_content...
175 | Katello::ContentView    | none   | yes        | Register Hosts | view_content_views
176 | Katello::GpgKey         | none   | yes        | Register Hosts | view_gpg_keys
177 | Katello::Subscription   | none   | yes        | Register Hosts | view_subscriptions, attach_subscriptions
178 | Host                    | none   | yes        | Register Hosts | view_hosts
179 | Katello::HostCollection | none   | yes        | Register Hosts | view_host_collections
180 | Organization            | none   | yes        | Register Hosts | view_organizations
182 | Katello::KTEnvironment  | none   | yes        | Register Hosts | view_lifecycle_environments
183 | Katello::Product        | none   | yes        | Register Hosts | view_products
184 | Location                | none   | yes        | Register Hosts | view_locations
185 | Domain                  | none   | yes        | Register Hosts | view_domains
186 | Architecture            | none   | yes        | Register Hosts | view_architectures
187 | Operatingsystem         | none   | yes        | Register Hosts | view_operatingsystems
----|-------------------------|--------|------------|----------------|------------------------------------------------------------------------

This allowed me to use bootstrap like this:
bootstrap.py -l register -p password -s ${SAT_HOSTNAME} -o ${SAT_ORGANIZATION} -a ${ACTIVATION_KEY} -L ${SAT_LOCATION} -g ${SAT_HOSTGROUP} -O ${SAT_OS_NAME} --enablerepos=* --skip-puppet --force

Most importantly, view_operatingsystems, view_architectures, view_domains and view_locations are missing from the above KB article.

Please provide a pre-defined role in 6.2.z/6.3.z so people don't have to go through this.
Thank you,

--- Additional comment from Marek Hulan on 2017-10-12 03:52:00 EDT ---

Thanks for great report. Since the permission list contains Katello and Foreman core permissions only I think it should be added from Katello. It should be easy to achieve on 6.3+. I can't promise the version in which we can ship it but I'll try to prioritize this.

--- Additional comment from Marek Hulan on 2017-10-12 04:14:16 EDT ---

Created redmine issue http://projects.theforeman.org/issues/21307 from this bug

--- Additional comment from pm-sat on 2017-11-21 08:19:38 EST ---

Upstream bug assigned to dlobatog

--- Additional comment from pm-sat on 2017-11-21 08:19:41 EST ---

Upstream bug assigned to dlobatog

--- Additional comment from pm-sat on 2017-11-29 16:19:42 EST ---

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21307 has been resolved.

--- Additional comment from Lukáš Hellebrandt on 2018-07-20 05:47:47 EDT ---

FailedQA with Sat 6.4 snap 12.

Tried registration through

1) Create Host dialogue
2) Subscription manager
3) bootstrap

... and everything was successfull.

HOWEVER, the user with registration role is also able to edit and delete hosts. That means, a person with credentials of this "register-only" user can:

* Edit any property of any host
* Completely unregister any host
* Delete any host's VM from a Compute Resource!!

That doesn't seem like "registration-only" to me. I understand these privileges might be set so the host can be unregistered/re-registered but the current state seems like a security issue.

--- Additional comment from Marek Hulan on 2018-07-20 06:19:51 EDT ---

Have you read the BZ description? The suggested list of permission contained edit_content_hosts, destroy_content permissions in the list. While we could adjust the list, this is what the reporter expects. If you believe they should be dropped, I'd suggest creating a separate BZ and not failing this one. If you agree, please switch back to ON_QA and remove FailedQA flag, thanks.

Comment 1 Andrew Dahms 2018-08-30 13:26:18 UTC

Assigning to Sergei for review.

Comment 10 Sergei Petrosian 2018-09-03 06:23:07 UTC

These changes are pushed to master and cherry-picked to 6.4-beta.

Thank you

Note You need to log in before you can comment on or make changes to this bug.