Description of problem:
The documentation [1] states that in order to use the API call /api/v2/hosts/bulk/installable_errata the role 'view_hosts' is required. This API call returns a permission error. After having enabled debug logs for permissions [2] on my test Satellite I can see the following:

$ cat /var/log/foreman/production.log
2021-12-01T08:43:35 [I|app|c961b70e] Started POST "/api/v2/hosts/bulk/installable_errata" for 127.0.0.1 at 2021-12-01 08:43:35 +0100
2021-12-01T08:43:35 [I|app|c961b70e] Processing by Katello::Api::V2::HostsBulkActionsController#installable_errata as */*
2021-12-01T08:43:35 [I|app|c961b70e]   Parameters: {"included"=>{"ids"=>[3]}, "organization_id"=>1, "api_version"=>"v2", "hosts_bulk_action"=>{"included"=>{"ids"=>[3]}, "organization_id"=>1}}
2021-12-01T08:43:36 [D|app|c961b70e] Authenticated user saime against INTERNAL authentication source
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|app|c961b70e] Authorized user saime(sebastien aime)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|dyn|] Executor heartbeat
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] organization_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] location_ids: []
2021-12-01T08:43:36 [D|per|c961b70e]
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission
2021-12-01T08:43:36 [E|app|c961b70e] *** ERROR: Action unauthorized to be performed on selected hosts. (403) ***
2021-12-01T08:43:36 [E|app|c961b70e] REQUEST URL: /api/v2/hosts/bulk/installable_errata
2021-12-01T08:43:36 [E|app|c961b70e] Katello::HttpErrors::Forbidden: Action unauthorized to be performed on selected hosts.

It seems that the system checks for the edit_hosts role, not the view_hosts one. The same behaviour can be observed with the API call /api/v2/hosts/bulk/applicable_errata

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/api_guide/apipermsmatrix
[2] https://access.redhat.com/solutions/2252291

How reproducible:
I could reproduce it on a fully updated Satellite 6.9. The customer who has initially reported this issue has mentioned that this error has started to occur only after their Satellite has been upgraded to 6.9.

Steps to Reproduce:
1. Have a Satellite 6.9
2. Create a user with 'view_hosts' role
3. curl -k -u <USER>:<PASSWD> -X POST -d '{"included": {"ids": [3]}, "organization_id": 1}' -H 'Content-Type: application/json' https://<SAT_URL>/api/v2/hosts/bulk/installable_errata | python -m json.tool
Change hosts and organization id according to your own environment.

Actual results:
{
    "displayMessage": "Action unauthorized to be performed on selected hosts.",
    "errors": [
        "Action unauthorized to be performed on selected hosts."
    ]
}

Expected results:
No error

Additional info:
While working with SBR it looked that the issue could also be reproduced with a 6.7 Satellite, but not 100%. The call worked for some hosts and it didn't for others.
This should only require the :view_hosts permission. You can confirm this in foreman-rake console:

[24] pry(main)> ::Foreman::AccessControl::permissions_for_controller_action({ controller: "katello/api/v2/hosts_bulk_actions", action: "installable_errata" }).map(&:name)
=> [:view_hosts]
[25] pry(main)> ::Foreman::AccessControl::permissions_for_controller_action({ controller: "katello/api/v2/hosts_bulk_actions", action: "applicable_errata" }).map(&:name)
=> [:view_hosts]

That error could be due to one of a few possibilities:
1. The host with ID 3 is not in the organization with ID 1
2. The host with ID 3 does not exist
3. The user has a role with the view_hosts permission, but that role is filtered to exclude the host with ID 3 - see https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html/administering_red_hat_satellite/managing_users_and_roles_admin#Granular_Permission_Filtering_admin

Sebastien - Can you please check and confirm if any of these is the case?
Just seeing this bit, apologies:

2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] organization_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] location_ids: []
2021-12-01T08:43:36 [D|per|c961b70e]
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission

We will have to investigate why it's checking edit_hosts and not view_hosts. That doesn't seem correct.
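A small triage script, added here as an example (it is not part of the report and not Foreman or Katello code), that groups production.log lines by request id and flags requests where the permission actually checked differs from the one the API permissions matrix documents for that endpoint. The log sample is constructed from the lines quoted in the report; the DOCUMENTED mapping is an assumption limited to the two endpoints discussed here.

```python
import re
from collections import defaultdict

# Constructed sample in the production.log format quoted in the report:
# the request id, the edit_hosts check and the resulting 403.
SAMPLE_LOG = """\
2021-12-01T08:43:35 [I|app|c961b70e] Started POST "/api/v2/hosts/bulk/installable_errata" for 127.0.0.1 at 2021-12-01 08:43:35 +0100
2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission
2021-12-01T08:43:36 [E|app|c961b70e] *** ERROR: Action unauthorized to be performed on selected hosts. (403) ***
2021-12-01T08:43:36 [E|app|c961b70e] REQUEST URL: /api/v2/hosts/bulk/installable_errata
2021-12-01T08:43:36 [D|dyn|] Executor heartbeat
"""

# Permission the API permissions matrix [1] documents for the two endpoints
# discussed in the report (assumed mapping; extend it for other endpoints).
DOCUMENTED = {
    "/api/v2/hosts/bulk/installable_errata": "view_hosts",
    "/api/v2/hosts/bulk/applicable_errata": "view_hosts",
}

LINE_RE = re.compile(r"^(\S+) \[(\w)\|(\w+)\|(\w*)\] (.*)$")
STARTED_RE = re.compile(r'^Started (\w+) "([^"?]+)')
CHECK_RE = re.compile(r"^checking permission (\w+) for class (\S+)")


def parse_requests(log_text):
    """Group lines by request id: request path, permissions checked, 403 seen."""
    reqs = defaultdict(lambda: {"path": None, "checked": [], "forbidden": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(4):
            continue  # unparseable, or background work with no request id
        rid, msg = m.group(4), m.group(5)
        if started := STARTED_RE.match(msg):
            reqs[rid]["path"] = started.group(2)
        elif check := CHECK_RE.match(msg):
            reqs[rid]["checked"].append(check.group(1))
        elif "(403)" in msg:
            reqs[rid]["forbidden"] = True
    return dict(reqs)


def find_mismatches(log_text, documented=DOCUMENTED):
    """Requests whose enforced permission differs from the documented one."""
    mismatches = []
    for rid, req in parse_requests(log_text).items():
        expected = documented.get(req["path"])
        unexpected = [p for p in req["checked"] if p != expected]
        if expected and unexpected:
            mismatches.append((rid, req["path"], expected, unexpected))
    return mismatches
```

Run it against a real production.log with the permissions debug logging from [2] enabled; each tuple it returns names the request id you can grep for to see the full check.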
Hello Jeremy, I just noticed that you have removed the needinfo on myself, but I'll answer anyway :-) My own test environment was very simple, just one org and a couple of hosts. I didn't do anything convoluted. I still have my Satellite, I can provide additional details if needed. Thanks for investigating this! Seb.
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and is planning to close it in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.