Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1999604 - Unable to assign ansible roles to a host group via hammer/api with non-admin user
Summary: Unable to assign ansible roles to a host group via hammer/api with non-admin ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: sganar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-31 12:17 UTC by Jan Senkyrik
Modified: 2022-07-05 14:29 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-05 14:29:38 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 33727 0 Normal Closed Unable to assign ansible roles to a host group via hammer/api with non-admin user 2021-11-18 14:35:00 UTC
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:29:46 UTC

Description Jan Senkyrik 2021-08-31 12:17:43 UTC
Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.

Version-Release number of selected component (if applicable):
Satellite 6.10 beta

How reproducible:
Always

Steps to Reproduce:
1. Create a role with the following permission set:

# hammer role filters --id 33
~~~
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
335 | AnsibleRole            | none   | yes        | no        | api  | view_ansible_roles                                                              
336 | Architecture           | none   | yes        | no        | api  | view_architectures                                                              
337 | Operatingsystem        | none   | yes        | no        | api  | view_operatingsystems                                                           
338 | Parameter              | none   | yes        | no        | api  | view_params, create_params, edit_params, destroy_params                         
339 | Katello::ActivationKey | none   | no         | no        | api  | view_activation_keys                                                            
340 | Katello::ContentView   | none   | no         | no        | api  | view_content_views                                                              
341 | Katello::KTEnvironment | none   | no         | no        | api  | view_lifecycle_environments                                                     
342 | Hostgroup              | none   | no         | no        | api  | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
343 | Organization           | none   | no         | no        | api  | view_organizations, assign_organizations                                        
344 | Domain                 | none   | no         | no        | api  | view_domains                                                                    
345 | Environment            | none   | no         | no        | api  | view_environments                                                               
346 | Host                   | none   | no         | no        | api  | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
347 | Location               | none   | no         | no        | api  | view_locations, assign_locations                                                
348 | Subnet                 | none   | no         | no        | api  | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
349 | SmartProxy             | none   | no         | no        | api  | view_smart_proxies                                                              
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
~~~

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:

# hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
~~~
Could not assign roles to the hostgroup:
  Access denied
  Missing one of the required permissions: edit_hostgroups
~~~

Additional info:
- I've been able to reproduce this on both Satellite 6.8 and Satellite 6.10 beta.
- I can provide reproducer details.


Kind regards,
Jan

Comment 1 Dominik Matoulek 2021-10-19 11:08:59 UTC
Created redmine issue https://projects.theforeman.org/issues/33727 from this bug

Comment 2 Bryan Kearney 2021-11-04 13:51:17 UTC
Upstream bug assigned to dmatoule

Comment 3 Bryan Kearney 2021-11-04 13:51:19 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33727 has been resolved.

Comment 8 sganar 2022-03-01 12:23:31 UTC
Verified.

Tested on Satellite 7.0

Steps followed: 
1. 1. Create a role with the following permission set:

# hammer role filters --id 35
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE          | SEARCH | UNLIMITED? | OVERRIDE? | ROLE   | PERMISSIONS                                                                     
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
374 | AnsibleRole            | none   | yes        | no        | test99 | view_ansible_roles                                                              
375 | Architecture           | none   | yes        | no        | test99 | view_architectures                                                              
376 | Operatingsystem        | none   | yes        | no        | test99 | view_operatingsystems                                                           
377 | Parameter              | none   | yes        | no        | test99 | view_params, create_params, edit_params, destroy_params                         
378 | Katello::ContentView   | none   | yes        | no        | test99 | view_content_views                                                              
379 | Katello::ActivationKey | none   | yes        | no        | test99 | view_activation_keys                                                            
380 | Katello::KTEnvironment | none   | yes        | no        | test99 | view_lifecycle_environments                                                     
381 | Hostgroup              | none   | yes        | no        | test99 | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
382 | Organization           | none   | yes        | no        | test99 | view_organizations, assign_organizations                                        
383 | Domain                 | none   | yes        | no        | test99 | view_domains                                                                    
384 | Location               | none   | yes        | no        | test99 | view_locations, assign_locations                                                
385 | Subnet                 | none   | yes        | no        | test99 | view_subnets, create_subnets, edit_subnets, destroy_subnets                     
386 | HttpProxy              | none   | yes        | no        | test99 | view_http_proxies                                                               
387 | Host                   | none   | yes        | no        | test99 | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host         
----|------------------------|--------|------------|-----------|--------|---------------------------------------------------------------------------------
2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI 
4. Try to assign ansible roles to a HG with this user via hammer

Observation:
Assigning ansible roles to a Hostgroup with this user via WebUI and hammer was success 

#hammer -u test_user -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
Ansible roles were assigned to the hostgroup

Comment 11 errata-xmlrpc 2022-07-05 14:29:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498


Note You need to log in before you can comment on or make changes to this bug.