Non-Admin user can see All Remote Execution Jobs initiated by other users Description of problem: - Assign Remote Execution permissions to Non-Admin User. - These permissions are restricted to some hosts - Problem is, this user can see all Remote Execution Jobs under "Satellite Web UI --> Monitor --> Jobs" - And if User clicked on the job then there are not much details can see in Overview tab but from Preview templates tab, host and action info still visible. Version-Release number of selected component (if applicable): 6.4.x How reproducible: Steps to Reproduce: 1. Create Non-Admin user on Satellite server 2. Assign below permissions to user and restrict user to view HostCollection (HostCollection1) : ----|--------------------|-----------------------------------|-----------|-----------|----------------|--------------------------------------------------------------------------------- ID | RESOURCE TYPE | SEARCH | UNLIMITED?| OVERRIDE? | ROLE | PERMISSIONS ----|--------------------|-----------------------------------|-----------|-----------|----------------|--------------------------------------------------------------------------------- 301 | (Miscellaneous) | none | yes | no | 01 Custom Role | access_dashboard 302 | Host | host_collection = HostCollection1 | no | no | 01 Custom Role | view_hosts, edit_hosts, build_hosts, console_hosts 306 | Organization | none | no | no | 01 Custom Role | view_organizations 308 | JobInvocation | none | yes | no | 01 Custom Role | create_job_invocations, view_job_invocations, cancel_job_invocations 312 | TemplateInvocation | none | yes | no | 01 Custom Role | view_template_invocations, create_template_invocations, filter_autocompletion... 314 | JobTemplate | none | no | no | 01 Custom Role | view_job_templates, create_job_templates, edit_job_templates ------|------------------|-----------------------------------|-----------|-----------|----------------|--------------------------------------------------------------------------------- 3. Login with User and go to "Satellite Web UI --> Monitor --> Jobs" 4. USer can see all Remote Execution Jobs Actual results: - USer can see all Remote Execution Jobs Expected results: - User can not see Remote Execution Jobs on which user does not have permission - Need restrict user to see Jobs initiate by the user only Additional info:
Created redmine issue https://projects.theforeman.org/issues/27988 from this bug
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/27988 has been resolved.
Tested on Satellite 6.9 snap 1 using the permission list from the problem description, the user can still see job invocations from other users. Reproduction machine available upon request
The problem is in Role filter settings. Limiting job invocations to current user works only when "Job invocations > view_job_invocations" permission have search filter set to "user = current_user".
Created attachment 1733302 [details] filter set used for verification
Using additional filter from comment 7 just for the view permission the limitation works as expected, only user's invocations are listed, invocation creation remains unhampered. Verified on Satellite 6.9 snap 2
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1313