Bug 1845498 - 50/50 chance to create role filter with non-admin user and enough permissions
Summary: 50/50 chance to create role filter with non-admin user and enough permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.6.0
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: 6.10.0
Assignee: Ondřej Ezr
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-09 12:01 UTC by Rafael Cardoso
Modified: 2024-06-13 22:41 UTC (History)

Fixed In Version: foreman-2.5.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 14:09:12 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 30394 | 0 | Normal | New | 50/50 chance to create role filter with non-admin user and enough permissions | 2020-12-08 14:46:55 UTC
Github | theforeman/foreman/commit/2a0ad9140655b1c1604ddb948dca0c3e5968a42c | 0 | None | None | None | 2021-06-22 08:49:30 UTC
Red Hat Product Errata | RHSA-2021:4702 | 0 | None | None | None | 2021-11-16 14:09:23 UTC

Description Rafael Cardoso 2020-06-09 12:01:04 UTC
Description of problem:
The error "Could not create the permission filter:
  You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations" is printed sometimes even with enough permissions for execution of the command:

# hammer --config configFile.yml --output json filter create --role roleName --permissions "permissionName"

Version-Release number of selected component (if applicable):
hammer 0.17.1

How reproducible:
hammer will sometimes succeed and sometimes not. When run in a loop you may see failures and successes with an unchanged user role.

Steps to Reproduce:
1. Create Satellite user x
2. Create a /root/.hammer/cli_test.yml config file with the following content:

:foreman:
  :host: <hostname>
  :username: <userName>
  :password: <password>

3. Create a Role and add the permissions below to the user created in step 1.
(Miscellaneous)		escalate_roles
Auth source		view_authenticators
Bookmark		view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
External usergroup	view_external_usergroups, create_external_usergroups, edit_external_usergroups, destroy_external_usergroups
Filter			view_filters, create_filters, edit_filters, destroy_filters
Organization		view_organizations
Role			view_roles, create_roles, edit_roles, destroy_roles
Subscription		attach_subscriptions, unattach_subscriptions
Usergroup		view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups

4. Add Role from 3. to user from 1.
5. Create new role

# hammer --config /root/.hammer/cli_test.yml role create --name test_role --organizations <organization>

6. Create new filter for test_role

# hammer --config /root/.hammer/cli_test.yml filter create --role test_role --permissions "access_dashboard"

Actual results:
Sometimes
"Could not create the permission filter:
  You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations"

Sometimes
"Permission filter for [] created."

Expected results:
"Permission filter for [] created."

Comment 2 Shira Maximov 2020-06-11 07:19:54 UTC
Hi Rafael, I wasn't able to reproduce this, could you please provide hammer logs and development logs?

Comment 8 Shira Maximov 2020-07-14 07:29:55 UTC
Created redmine issue https://projects.theforeman.org/issues/30394 from this bug

Comment 10 Bryan Kearney 2021-04-01 00:01:15 UTC
Upstream bug assigned to oezr

Comment 11 Bryan Kearney 2021-04-01 00:01:18 UTC
Upstream bug assigned to oezr

Comment 12 Ondřej Ezr 2021-04-15 13:34:52 UTC
Hi,

I've pinpointed the issue to a bug: we consider Locations and Organizations assigned to filters as 'Belongs to', but this assignment means 'Applies to'.

This causes a Role with permissions to manage Filters to be able to manage only Filters that have the same Locations and Organizations as this Role (specifically, as the Filter on the Filter resource).
This is wrong, and permissions to manage filters should apply globally, as it is a global resource and some filters don't have Locations and Organizations (e.g. Miscellaneous).
My upstream patch removes the ability to choose which Orgs/Locs the permissions to manage filters apply to, thus a Role with such permissions will be allowed to manage all Filters in Satellite.

This will probably land in 6.10, so until then I have a workaround.
To achieve this without the patch (before 6.10) you need to navigate to the Role that allows managing Filters, edit the Filter on resource Filter, check the `override` checkbox and deselect all the Organizations and Locations in the tabs that appear.
After saving, this Role will be able to manage all the filters in Satellite, as with the patch, and thus it will always succeed in creating a Filter.
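
Added example, not part of the comment above and not Foreman's own code: a simplified Ruby model of the 'Belongs to' versus 'Applies to' readings described in comment 12, including the override workaround. The `Filter` struct, the method names and the sample organizations are assumptions made for illustration; the model shows only the scoping semantics, not the intermittent behaviour reported.

```ruby
require 'set'

# Simplified model of a role filter (assumption, not Foreman's real classes):
# permissions on one resource type plus the organizations assigned to the filter.
Filter = Struct.new(:resource, :permissions, :organizations, keyword_init: true) do
  def grants?(permission)
    permissions.include?(permission)
  end
end

# 'Belongs to' reading (the bug): organizations on the role's Filter-resource
# filter restrict which target filters the role may manage.
def allowed_belongs_to?(acting, target, permission)
  return false unless acting.grants?(permission)
  return true if acting.organizations.empty? # override + nothing selected
  target.organizations == acting.organizations
end

# 'Applies to' reading (after the fix): Filter is a global resource, so holding
# the permission is enough.
def allowed_applies_to?(acting, _target, permission)
  acting.grants?(permission)
end

# Evaluate both readings for every target filter.
def evaluate(acting, targets, permission = :create_filters)
  targets.to_h do |name, target|
    [name, { belongs_to: allowed_belongs_to?(acting, target, permission),
             applies_to: allowed_applies_to?(acting, target, permission) }]
  end
end

# Constructed sample data.
MANAGE = %i[view_filters create_filters edit_filters destroy_filters].freeze
SCOPED     = Filter.new(resource: 'Filter', permissions: MANAGE, organizations: Set['Org A'])
WORKAROUND = Filter.new(resource: 'Filter', permissions: MANAGE, organizations: Set[])
TARGETS = {
  same_org:      Filter.new(resource: 'Host', permissions: %i[view_hosts], organizations: Set['Org A']),
  other_org:     Filter.new(resource: 'Host', permissions: %i[view_hosts], organizations: Set['Org B']),
  miscellaneous: Filter.new(resource: nil, permissions: %i[access_dashboard], organizations: Set[])
}.freeze

if __FILE__ == $PROGRAM_NAME
  { 'scoped' => SCOPED, 'workaround' => WORKAROUND }.each do |label, acting|
    evaluate(acting, TARGETS).each { |name, r| puts "#{label} -> #{name}: #{r}" }
  end
end
```

In this model the scoped role is refused for the `access_dashboard` filter under the 'Belongs to' reading because that filter carries no organizations, while the workaround role and the 'Applies to' reading allow every target.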

Comment 14 Bryan Kearney 2021-06-18 16:01:13 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30394 has been resolved.

Comment 16 Peter Ondrejka 2021-07-09 08:51:41 UTC
Verified on Satellite 6.10 sn 8 using steps from problem description and comment 1. Non-admin user with relevant permissions can now create roles with 100% success rate.

Comment 19 errata-xmlrpc 2021-11-16 14:09:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

