Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.

Version-Release number of selected component (if applicable):
Satellite 6.10 beta

How reproducible:
Always

Steps to Reproduce:
1. Create a role with the following permission set:

# hammer role filters --id 33
~~~
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
335 | AnsibleRole            | none   | yes        | no        | api  | view_ansible_roles
336 | Architecture           | none   | yes        | no        | api  | view_architectures
337 | Operatingsystem        | none   | yes        | no        | api  | view_operatingsystems
338 | Parameter              | none   | yes        | no        | api  | view_params, create_params, edit_params, destroy_params
339 | Katello::ActivationKey | none   | no         | no        | api  | view_activation_keys
340 | Katello::ContentView   | none   | no         | no        | api  | view_content_views
341 | Katello::KTEnvironment | none   | no         | no        | api  | view_lifecycle_environments
342 | Hostgroup              | none   | no         | no        | api  | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
343 | Organization           | none   | no         | no        | api  | view_organizations, assign_organizations
344 | Domain                 | none   | no         | no        | api  | view_domains
345 | Environment            | none   | no         | no        | api  | view_environments
346 | Host                   | none   | no         | no        | api  | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host
347 | Location               | none   | no         | no        | api  | view_locations, assign_locations
348 | Subnet                 | none   | no         | no        | api  | view_subnets, create_subnets, edit_subnets, destroy_subnets
349 | SmartProxy             | none   | no         | no        | api  | view_smart_proxies
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
~~~

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:

# hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
~~~
Could not assign roles to the hostgroup:
Access denied
Missing one of the required permissions: edit_hostgroups
~~~

Additional info:
- I've been able to reproduce this on both Satellite 6.8 and Satellite 6.10 beta.
- I can provide reproducer details.

Kind regards,
Jan
Created redmine issue https://projects.theforeman.org/issues/33727 from this bug
Upstream bug assigned to dmatoule
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33727 has been resolved.
Verified.

Tested on Satellite 7.0

Steps followed:
1. Create a role with the following permission set:

# hammer role filters --id 35
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE   | PERMISSIONS
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
374 | AnsibleRole            | none   | yes        | no        | test99 | view_ansible_roles
375 | Architecture           | none   | yes        | no        | test99 | view_architectures
376 | Operatingsystem        | none   | yes        | no        | test99 | view_operatingsystems
377 | Parameter              | none   | yes        | no        | test99 | view_params, create_params, edit_params, destroy_params
378 | Katello::ContentView   | none   | yes        | no        | test99 | view_content_views
379 | Katello::ActivationKey | none   | yes        | no        | test99 | view_activation_keys
380 | Katello::KTEnvironment | none   | yes        | no        | test99 | view_lifecycle_environments
381 | Hostgroup              | none   | yes        | no        | test99 | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
382 | Organization           | none   | yes        | no        | test99 | view_organizations, assign_organizations
383 | Domain                 | none   | yes        | no        | test99 | view_domains
384 | Location               | none   | yes        | no        | test99 | view_locations, assign_locations
385 | Subnet                 | none   | yes        | no        | test99 | view_subnets, create_subnets, edit_subnets, destroy_subnets
386 | HttpProxy              | none   | yes        | no        | test99 | view_http_proxies
387 | Host                   | none   | yes        | no        | test99 | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI
4. Try to assign ansible roles to a HG with this user via hammer

Observation:
Assigning ansible roles to a Hostgroup with this user via WebUI and hammer was successful.

# hammer -u test_user -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
Ansible roles were assigned to the hostgroup
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498