Description of problem: Some of the "filters" permission changed after the upgrade. Version-Release number of selected component (if applicable): 6.9 Snap7 How reproducible: always Steps to Reproduce: 1. Install the 6.8 base version. 2. Check the filter's permission before the upgrade. {'id': '361', 'resource type': 'katello::syncplan', 'search': 'none', 'unlimited?': 'true', 'override?': 'false', 'role': 'organization admin', 'permissions': 'view_sync_plans, create_sync_plans, edit_sync_plans, destroy_sync_plans'} {'id': '365', 'resource type': 'katello::gpgkey', 'search': 'none', 'unlimited?': 'true', 'override?': 'false', 'role': 'viewer', 'permissions': 'view_gpg_keys, view_content_credentials'} 4. Upgrade the satellite from 6.8 to 6.9. 5. permission of "katello::syncplan" and "katello::gpgkey" change. {'id': '361', 'resource type': 'katello::syncplan', 'search': 'none', 'unlimited?': 'true', 'override?': 'false', 'role': 'organization admin', 'permissions': 'view_sync_plans, create_sync_plans, edit_sync_plans, destroy_sync_plans, sync_sync_plans'} {'id': '365', 'resource type': 'katello::gpgkey', 'search': 'none', 'unlimited?': 'true', 'override?': 'false', 'role': 'viewer', 'permissions': 'view_content_credentials, view_content_credentials'} Actual results: permission of "katello::syncplan" and "katello::gpgkey" changed after upgrade. Expected results: permission of "katello::syncplan" and "katello::gpgkey" should not change after upgrade. Additional info:
Devendra, We've been working on fixing some permission issues we've recently found. The sync plan changes are 100% expected, as previously the ability to 'sync' a sync plan wasn't even governed by a permission, and thus only an admin user could do that. For the Gpg key permissions, these have been replaced with content_credentials. in 6.7 and older, there was a mix of content credentials and gpg key permissions and neither really covered the full apis. However it looks like we might need to 'delete' the old gpg key permissions, i'll leave this bug open to do that.
After digging into this more, its actually working as expected. "Content Credentials' are called 'GpgKeys' under the hood. We've renamed just about everything else (Permission names, for example view_content_credentials, controller name, UI), but this internal model name is still around we can work on changing it too, but i think its too risky for 6.9 as its a good bit of refactoring.
Based upon comment 2, moving this one to 6.10 as it should have no negative impact on users.
Proposing we move to 7.0 due to the risk of backporting this, but going ahead and doing the work now so that it will be ready for 7.0 (and doesn't get kicked down the road again).
Upstream bug assigned to chrobert
Verified on 6.11 Snap15. Before Upgrade the filter's permission Permissions: "view_sync_plans, create_sync_plans, edit_sync_plans, destroy_sync_plans, sync_sync_plans" After Upgrade the filter's permission Permissions: "view_sync_plans, create_sync_plans, edit_sync_plans, destroy_sync_plans, sync_sync_plans"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498