Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1636426 - with "Ansible Roles Manager" and "View hosts" roles, user still needs "Remote Excution User" to run roles on host
Summary: with "Ansible Roles Manager" and "View hosts" roles, user still needs "Remote...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Ansible - Configuration Management
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: 6.10.0
Assignee: Ondřej Ezr
QA Contact: Danny Synk
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-05 11:09 UTC by Jan Hutař
Modified: 2021-11-16 14:08 UTC (History)
4 users (show)

Fixed In Version: tfm-rubygem-foreman_ansible-6.3.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 14:08:27 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 25579 0 None None None 2018-11-29 08:17:43 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:08:40 UTC

Description Jan Hutař 2018-10-05 11:09:33 UTC
Description of problem:
User with "Ansible Roles Manager" and "View hosts" roles, still needs "Remote Excution User" to run roles on host.


Version-Release number of selected component (if applicable):
satellite-6.4.0-15.el7sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Create user with "Ansible Roles Manager" and "View hosts" roles
2. Have host with 2 Ansible roles attached
3. Login as that new user
4. Hosts -> All hosts -> <host>


Actual results:
There is no "Run Ansible roles" button, although I have "play_roles_on_host" permission


Expected results:
I would expect role and permission names matches to what they allow you to do


Additional info:
If this is expected in this specific case, how can we import the situation? E.g. there is missing description of Ansible Roles Manager and that could help.

Note that when I add "Remote Excution User" role, it works

Comment 1 Jan Hutař 2018-10-05 11:12:49 UTC
Another confusing thing is that if I have parameter mine roles are consuming in, say, organization, mine roles do not see that parameter.

Comment 3 Ondřej Pražák 2018-11-29 08:17:41 UTC
Created redmine issue http://projects.theforeman.org/issues/25579 from this bug

Comment 4 Bryan Kearney 2019-11-04 14:33:58 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 5 Bryan Kearney 2019-12-03 12:53:28 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.

Comment 7 Bryan Kearney 2021-04-20 19:48:57 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/25579 has been resolved.

Comment 11 Danny Synk 2021-07-23 15:14:18 UTC
Failed QA on Satellite 6.10, snap 10 (tfm-rubygem-foreman_ansible-6.3.1-1.el7sat.noarch).

Steps to Test: 

1. Create a new user, ansible_test, with only the "Ansible Roles Manager" and "View hosts" roles assigned.
2. Register a RHEL system to Satellite and configure it for remote execution using the Global Registration Template.
3. As the admin user in the Satellite webUI, navigate to Hosts > All Hosts > [hostname] > Edit > Ansible Roles. 
4. Assign two Ansible roles to the host.
5. Log in to Satellite as the ansible_test user.
6. In the Satellite webUI, navigate to Hosts > All Hosts > [hostname].
7. Select the "Run Ansible roles" option from the dropdown menu.

Expected Results:
A user with only the "Ansible Roles Manager" and "View hosts" roles assigned is able to run Ansible roles on a host.

Actual Results:
The user receives a "Permission denied" response with the following message: "You are not authorized to perform this action. Please request one of the required permissions listed below from a Satellite administrator: create_job_invocations"

Comment 12 Bryan Kearney 2021-07-26 16:00:59 UTC
Upstream bug assigned to oezr

Comment 13 Bryan Kearney 2021-07-26 16:01:01 UTC
Upstream bug assigned to oezr

Comment 14 Danny Synk 2021-08-12 17:58:10 UTC
Steps to Test: 

1. Create a new user, ansible_test, with only the "Ansible Roles Manager" and "View hosts" roles assigned.
2. Register a RHEL system to Satellite and configure it for remote execution using the Global Registration Template.
3. As the admin user in the Satellite webUI, navigate to Hosts > All Hosts > [hostname] > Edit > Ansible Roles. 
4. Assign two Ansible roles to the host.
5. Log in to Satellite as the ansible_test user.
6. In the Satellite webUI, navigate to Hosts > All Hosts > [hostname].
7. Select the "Run Ansible roles" option from the dropdown menu.

Expected Results:
A user with only the "Ansible Roles Manager" and "View hosts" roles assigned is able to run Ansible roles on a host.

Actual Results:
The ansible_test user, which has only the "Ansible Roles Manager" and "View hosts" roles assigned, is able to run Ansible roles on a host successfully.

Verified on Satellite 6.10, snap 13.

Comment 17 errata-xmlrpc 2021-11-16 14:08:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702


Note You need to log in before you can comment on or make changes to this bug.