Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1993679 - Creating a Job via an user with selective permissions will not show "Job template" in the form unless refreshing the result of Search Query
Summary: Creating a Job via an user with selective permissions will not show "Job temp...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.10.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: 6.10.0
Assignee: Adam Ruzicka
QA Contact: Jaroslav Henner
URL:
Whiteboard:
: 1908150 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-15 12:06 UTC by Sayan Das
Modified: 2024-12-20 20:42 UTC (History)
8 users (show)

Fixed In Version: tfm-rubygem-foreman_remote_execution-4.5.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 14:13:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
reproducer script to create the role and user (1.12 KB, application/x-shellscript)
2021-08-15 12:07 UTC, Sayan Das 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 33340 0 None None None 2021-08-25 07:50:05 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:13:18 UTC

Description Sayan Das 2021-08-15 12:06:17 UTC 
Description of problem:

The idea here is to ensure that an user should only be able to see one Ansible Playbook and run it on hosts.

So we created a role with custom permissions and then assigned to a user.

Creating a Job via that user will not show "Job template" field in the form unless refreshing the result of Search Query, using that refresh button.


Version-Release number of selected component (if applicable):

Satellite 6.10 [ as well as Satellite 6.9 ]


How reproducible:

Always


Steps to Reproduce:

1. Create a small Ansible Playbook based job template called "Testing" with the following content.
##
---
- name: Test Play
  hosts: all
  gather_facts: false
  tasks:
  
    - name: Check current user
      command: whoami
      register: def_user
      
    - debug: var=def_user.stdout
##


2. Create a role called REX, a user called rexuser with password set as password@123 using the rex_role_create.sh script

3. Go to Administer --> Users --> and Impersonate the rexuser user.

4. Now go to Hosts --> All Hosts --> Select one host using checkbox --> From Select Action dropdown click on "Schedule Remote Task"


Actual results:

* It will take us to the "Job Invocation" Page and we could see the following data.

Job category: Ansible Playbook

Bookmark: <Blank>

Search Query: name ^ (host.example.com)

Resolves to button

Type of query 

Schedule


But the "Job template " dropdown is completely missing.

So now, if we hit the refresh button just beside "Resolves to ", the  "Job template" option suddenly comes out and It has the "Testing" playbook selected as expected.


Expected results:


We should not need to do the last step to see the "Job template " dropdown. It should show up automatically.


Additional info:

* The role actually looks like the following.

----|--------------------|------------------------------------------------------|------------|-----------|------|-------------------------------------------------------
ID  | RESOURCE TYPE      | SEARCH                                               | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS                                           
----|--------------------|------------------------------------------------------|------------|-----------|------|-------------------------------------------------------
335 | Organization       | none                                                 | yes        | no        | REX  | view_organizations                                    
336 | Location           | none                                                 | yes        | no        | REX  | view_locations                                        
337 | Host               | none                                                 | yes        | no        | REX  | view_hosts                                            
338 | SmartProxy         | none                                                 | yes        | no        | REX  | view_smart_proxies                                    
339 | TemplateInvocation | job_category = "Ansible Playbook"                    | no         | no        | REX  | view_template_invocations, create_template_invocations
340 | JobTemplate        | job_category = "Ansible Playbook" and name = Testing | no         | no        | REX  | view_job_templates                                    
341 | JobInvocation      | job_category = "Ansible Playbook"                    | no         | no        | REX  | create_job_invocations, view_job_invocations          
----|--------------------|------------------------------------------------------|------------|-----------|------|-------------------------------------------------------

and It is being suspected that one of these three resource_types is creating an issue here i.e. TemplateInvocation \ JobTemplate \ JobInvocation. It's either a misconfiguration or a bug or expected behavior.


* Also We are trying to find out the relation between, "TemplateInvocation" "JobTemplate" and "JobInvocation" as all three of them gives us common search options to filter "Job Category"
Comment 1 Sayan Das 2021-08-15 12:07:11 UTC 
Created attachment 1814252 [details]
reproducer script to create the role and user
Comment 2 Adam Ruzicka 2021-08-25 07:50:03 UTC 
Created redmine issue https://projects.theforeman.org/issues/33340 from this bug
Comment 3 Bryan Kearney 2021-08-26 16:05:31 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33340 has been resolved.
Comment 4 Adam Ruzicka 2021-09-07 11:15:29 UTC 
*** Bug 1908150 has been marked as a duplicate of this bug. ***
Comment 5 Jaroslav Henner 2021-10-13 13:17:28 UTC 
VERIFIED

The script needs to have an Organisation Red Hat in place before starting and the Job template name has to be Testing. Then I was able to reproduce on older snap (18) and on newer snap (22) it worked fine.
Comment 8 errata-xmlrpc 2021-11-16 14:13:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702
Note You need to log in before you can comment on or make changes to this bug.