Bug 1999604 - Unable to assign ansible roles to a host group via hammer/api with non-admin user
Summary: Unable to assign ansible roles to a host group via hammer/api with non-admin ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.8.0
Hardware: x86_64
OS: Linux
unspecified
medium vote
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: sganar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-31 12:17 UTC by Jan Senkyrik
Modified: 2022-07-05 14:29 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-05 14:29:38 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 33727 0 Normal Closed Unable to assign ansible roles to a host group via hammer/api with non-admin user 2021-11-18 14:35:00 UTC
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:29:46 UTC

Description Jan Senkyrik 2021-08-31 12:17:43 UTC
Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.

Version-Release number of selected component (if applicable):
Satellite 6.10 beta

How reproducible:
Always

Steps to Reproduce:
1. Create a role with the following permission set:

# hammer role filters --id 33
~~~
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
335 | AnsibleRole            | none   | yes        | no        | api  | view_ansible_roles                                                              
336 | Architecture           | none   | yes        | no        | api  | view_architectures                                                              
337 | Operatingsystem        | none   | yes        | no        | api  | view_operatingsystems                                                           
338 | Parameter              | none   | yes        | no        | api  | view_params, create_params, edit_params, destroy_params                         
339 | Katello::ActivationKey | none   | no         | no        | api  | view_activation_keys                                                            
340 | Katello::ContentView   | none   | no         | no        | api  | view_content_views                                                              
341 | Katello::KTEnvironment | none   | no         | no        | api  | view_lifecycle_environments                                                     
342 | Hostgroup              | none   | no         | no        | api  | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
343 | Organization           | none   | no         | no        | api  | view_organizations, assign_organizations                                        
344 | Domain                 | none   | no         | no        | api  | view_domains                                                                    
345 | Environment            | none   | no         | no        | api  | view_environments                                                               
346 | Host                   | none   | no         | no        | api  | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
347 | Location               | none   | no         | no        | api  | view_locations, assign_locations                                                
348 | Subnet                 | none   | no         | no        | api  | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
349 | SmartProxy             | none   | no         | no        | api  | view_smart_proxies                                                              
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
~~~

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:

# hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
~~~
Could not assign roles to the hostgroup:
  Access denied
  Missing one of the required permissions: edit_hostgroups
~~~

Additional info:
- I've been able to reproduce this on both Satellite 6.8 and Satellite 6.10 beta.
- I can provide reproducer details.


Kind regards,
Jan

Comment 1 Dominik Matoulek 2021-10-19 11:08:59 UTC
Created redmine issue https://projects.theforeman.org/issues/33727 from this bug

Comment 2 Bryan Kearney 2021-11-04 13:51:17 UTC
Upstream bug assigned to dmatoule

Comment 3 Bryan Kearney 2021-11-04 13:51:19 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33727 has been resolved.

Comment 8 sganar 2022-03-01 12:23:31 UTC
Verified.

Tested on Satellite 7.0

Steps followed: 
1. 1. Create a role with the following permission set:

# hammer role filters --id 35
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE   | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
374 | AnsibleRole            | none   | yes        | no        | test99 | view_ansible_roles                                                              
375 | Architecture           | none   | yes        | no        | test99 | view_architectures                                                              
376 | Operatingsystem        | none   | yes        | no        | test99 | view_operatingsystems                                                           
377 | Parameter              | none   | yes        | no        | test99 | view_params, create_params, edit_params, destroy_params                         
378 | Katello::ContentView   | none   | yes        | no        | test99 | view_content_views                                                              
379 | Katello::ActivationKey | none   | yes        | no        | test99 | view_activation_keys                                                            
380 | Katello::KTEnvironment | none   | yes        | no        | test99 | view_lifecycle_environments                                                     
381 | Hostgroup              | none   | yes        | no        | test99 | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
382 | Organization           | none   | yes        | no        | test99 | view_organizations, assign_organizations                                        
383 | Domain                 | none   | yes        | no        | test99 | view_domains                                                                    
384 | Location               | none   | yes        | no        | test99 | view_locations, assign_locations                                                
385 | Subnet                 | none   | yes        | no        | test99 | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
386 | HttpProxy              | none   | yes        | no        | test99 | view_http_proxies                                                               
387 | Host                   | none   | yes        | no        | test99 | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI 
4. Try to assign ansible roles to a HG with this user via hammer

Observation:
Assigning ansible roles to a Hostgroup with this user via WebUI and hammer was success 

#hammer -u test_user -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
Ansible roles were assigned to the hostgroup

Comment 11 errata-xmlrpc 2022-07-05 14:29:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498


Note You need to log in before you can comment on or make changes to this bug.