Bug 1694868 - Non-Admin user can see All Remote Execution Jobs initiated by other users
Summary: Non-Admin user can see All Remote Execution Jobs initiated by other users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.4
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: 6.9.0
Assignee: Leos Stejskal
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-04-01 21:41 UTC by Shekhar Raut
Modified: 2023-12-15 16:25 UTC
CC List: 6 users

Fixed In Version: tfm-rubygem-foreman_remote_execution-4.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-21 13:11:45 UTC
Target Upstream Version:
Embargoed:


Attachments
filter set used for verification (61.73 KB, image/png), 2020-11-25 09:40 UTC, Peter Ondrejka


Links
Foreman Issue Tracker 27988 (priority High, status Closed): Non-Admin user can see All Remote Execution Jobs initiated by other users (last updated 2020-11-24 06:20:03 UTC)
Red Hat Product Errata RHSA-2021:1313 (last updated 2021-04-21 13:12:12 UTC)

Description Shekhar Raut 2019-04-01 21:41:54 UTC
Non-Admin user can see All Remote Execution Jobs initiated by other users


Description of problem:

- Assign Remote Execution permissions to Non-Admin User.
- These permissions are restricted to some hosts
- Problem is, this user can see all Remote Execution Jobs under "Satellite Web UI --> Monitor --> Jobs"
- And if the user clicks on a job, not many details are visible in the Overview tab, but in the Preview templates tab the host and action info is still visible.

Version-Release number of selected component (if applicable): 6.4.x

How reproducible:

Steps to Reproduce:
  1. Create Non-Admin user on Satellite server
  2. Assign the permissions below to the user and restrict the user to viewing host collection HostCollection1:

----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE      | SEARCH                            | UNLIMITED?| OVERRIDE? | ROLE           | PERMISSIONS
----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------
301 | (Miscellaneous)    | none                              | yes       | no        | 01 Custom Role | access_dashboard
302 | Host               | host_collection = HostCollection1 | no        | no        | 01 Custom Role | view_hosts, edit_hosts, build_hosts, console_hosts
306 | Organization       | none                              | no        | no        | 01 Custom Role | view_organizations
308 | JobInvocation      | none                              | yes       | no        | 01 Custom Role | create_job_invocations, view_job_invocations, cancel_job_invocations
312 | TemplateInvocation | none                              | yes       | no        | 01 Custom Role | view_template_invocations, create_template_invocations, filter_autocompletion...
314 | JobTemplate        | none                              | no        | no        | 01 Custom Role | view_job_templates, create_job_templates, edit_job_templates
----|--------------------|-----------------------------------|-----------|-----------|----------------|---------------------------------------------------------------------------------

  3. Login with User and go to "Satellite Web UI --> Monitor --> Jobs"
  4. User can see all Remote Execution Jobs

Actual results:
- User can see all Remote Execution Jobs

Expected results:
- User cannot see Remote Execution Jobs on which the user does not have permission
- Need to restrict the user to seeing only jobs initiated by the user

Additional info:

Comment 4 Adam Ruzicka 2019-10-02 11:03:03 UTC
Created redmine issue https://projects.theforeman.org/issues/27988 from this bug

Comment 5 Bryan Kearney 2020-07-23 12:05:34 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/27988 has been resolved.

Comment 6 Peter Ondrejka 2020-11-19 14:59:46 UTC
Tested on Satellite 6.9 snap 1 using the permission list from the problem description, the user can still see job invocations from other users.

Reproduction machine available upon request

Comment 7 Leos Stejskal 2020-11-25 09:09:18 UTC
The problem is in the Role filter settings. Limiting job invocations to the current user works only when the "Job invocations > view_job_invocations" permission has its search filter set to "user = current_user".

Comment 8 Peter Ondrejka 2020-11-25 09:40:00 UTC
Created attachment 1733302 [details]
filter set used for verification

Comment 9 Peter Ondrejka 2020-11-25 09:41:20 UTC
Using the additional filter from comment 7 just for the view permission, the limitation works as expected: only the user's invocations are listed, and invocation creation remains unhampered. Verified on Satellite 6.9 snap 2
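An added audit script for the role layout discussed in comments 7 and 9, not code from this bug, from Foreman or from Red Hat. It parses the pipe-delimited output of `hammer filter list` (the format of the table in the description), flags every filter that grants view_job_invocations without a search of "user = current_user", and prints the hammer commands that move the view permission into its own user-scoped filter while leaving create/cancel untouched. The listing below is constructed sample text, not captured from a Satellite; the hammer option names (`--id`, `--permissions`, `--role`, `--search`) are assumed from the hammer CLI and should be confirmed with `hammer filter update --help` before running the printed commands.

```shell
#!/bin/sh
# Audit a role's filters for the misconfiguration in this bug: a filter that
# grants view_job_invocations without the search "user = current_user".
# Nothing here talks to a Satellite; the hammer commands are printed, not run.

# Constructed sample of `hammer filter list --role "01 Custom Role"` output,
# modelled on the table in the bug description. Filter 308 is the unscoped one
# from the report; filter 320 is an already user-scoped view filter (added to
# the sample) and must not be flagged.
SAMPLE_FILTERS='----|--------------------|-----------------------------------|-----------|-----------|----------------|----------------------------------------------------------------------
ID  | RESOURCE TYPE      | SEARCH                            | UNLIMITED?| OVERRIDE? | ROLE           | PERMISSIONS
----|--------------------|-----------------------------------|-----------|-----------|----------------|----------------------------------------------------------------------
301 | (Miscellaneous)    | none                              | yes       | no        | 01 Custom Role | access_dashboard
302 | Host               | host_collection = HostCollection1 | no        | no        | 01 Custom Role | view_hosts, edit_hosts, build_hosts, console_hosts
308 | JobInvocation      | none                              | yes       | no        | 01 Custom Role | create_job_invocations, view_job_invocations, cancel_job_invocations
312 | TemplateInvocation | none                              | yes       | no        | 01 Custom Role | view_template_invocations, create_template_invocations
320 | JobInvocation      | user = current_user               | no        | no        | 01 Custom Role | view_job_invocations
----|--------------------|-----------------------------------|-----------|-----------|----------------|----------------------------------------------------------------------'

# Print "ID<TAB>remaining-permissions" for every filter in a listing that grants
# view_job_invocations but whose SEARCH column does not pin the scope to the
# calling user. remaining-permissions is the filter's permission list with
# view_job_invocations removed (empty when that was its only permission).
unscoped_job_invocation_filters() {
    printf '%s\n' "$1" | awk -F'|' '
        $7 ~ /view_job_invocations/ {
            id = $1;     gsub(/[[:space:]]/, "", id)
            search = $3; gsub(/^[[:space:]]+|[[:space:]]+$/, "", search)
            # A search containing "user = current_user" is the correct layout.
            if (search ~ /user[[:space:]]*=[[:space:]]*current_user/) next
            n = split($7, perms, ",")
            keep = ""
            for (i = 1; i <= n; i++) {
                p = perms[i]; gsub(/[[:space:]]/, "", p)
                if (p != "" && p != "view_job_invocations") {
                    if (keep != "") keep = keep ","
                    keep = keep p
                }
            }
            printf "%s\t%s\n", id, keep
        }'
}

# Print the hammer commands that split each flagged filter as verified in
# comment 9: keep create/cancel (or any other permission) on the original,
# unrestricted filter and give view_job_invocations its own filter whose search
# is "user = current_user". Option names are assumed; check `hammer filter --help`.
remediation_commands() {
    role=$1
    tab="$(printf '\t')"
    unscoped_job_invocation_filters "$2" | while IFS="$tab" read -r id keep; do
        if [ -n "$keep" ]; then
            printf 'hammer filter update --id %s --permissions "%s"\n' "$id" "$keep"
        else
            # view_job_invocations was the only permission; the old filter is redundant.
            printf 'hammer filter delete --id %s\n' "$id"
        fi
        printf 'hammer filter create --role "%s" --permissions view_job_invocations --search "user = current_user"\n' "$role"
    done
}

# Usage against the constructed listing: flags filter 308 only.
unscoped_job_invocation_filters "$SAMPLE_FILTERS"
remediation_commands "01 Custom Role" "$SAMPLE_FILTERS"
```

Run it against real output by replacing the sample with `hammer filter list --role "<role>"`; a filter with "unlimited? yes" on view_job_invocations is exactly the case in comment 6 where other users' jobs remain visible.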

Comment 12 errata-xmlrpc 2021-04-21 13:11:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313

