Bug 2027975 - API calls /api/v2/hosts/bulk/installable_errata and /api/v2/hosts/bulk/applicable_errata require edit_hosts role
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Errata Management
Version: 6.9.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-01 07:55 UTC by Sebastien Aime
Modified: 2024-01-09 20:33 UTC
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-01-09 20:33:50 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker SAT-21650 (last updated 2023-12-01 18:43:08 UTC)

Description Sebastien Aime 2021-12-01 07:55:34 UTC
Description of problem:

The documentation [1] states that in order to use the API call /api/v2/hosts/bulk/installable_errata the role 'view_hosts' is required.

This API call returns a permission error.

After having enabled debug logs for permissions [2] on my test Satellite I can see the following:

$ cat /var/log/foreman/production.log

2021-12-01T08:43:35 [I|app|c961b70e] Started POST "/api/v2/hosts/bulk/installable_errata" for 127.0.0.1 at 2021-12-01 08:43:35 +0100
2021-12-01T08:43:35 [I|app|c961b70e] Processing by Katello::Api::V2::HostsBulkActionsController#installable_errata as */*
2021-12-01T08:43:35 [I|app|c961b70e]   Parameters: {"included"=>{"ids"=>[3]}, "organization_id"=>1, "api_version"=>"v2", "hosts_bulk_action"=>{"included"=>{"ids"=>[3]}, "organization_id"=>1}}
2021-12-01T08:43:36 [D|app|c961b70e] Authenticated user saime against INTERNAL authentication source
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|app|c961b70e] Authorized user saime(sebastien aime)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|dyn|] Executor heartbeat
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] organization_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] location_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] 
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission
2021-12-01T08:43:36 [E|app|c961b70e] *** ERROR: Action unauthorized to be performed on selected hosts. (403) ***
2021-12-01T08:43:36 [E|app|c961b70e] REQUEST URL: /api/v2/hosts/bulk/installable_errata
2021-12-01T08:43:36 [E|app|c961b70e] Katello::HttpErrors::Forbidden: Action unauthorized to be performed on selected hosts.

It seems that the system checks for the edit_hosts role, not the view_hosts one.

The same behaviour can be observed with the API call /api/v2/hosts/bulk/applicable_errata.

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/api_guide/apipermsmatrix
[2] https://access.redhat.com/solutions/2252291

How reproducible:

I could reproduce it on a fully updated Satellite 6.9. The customer who initially reported this issue mentioned that this error started to occur only after their Satellite was upgraded to 6.9.

Steps to Reproduce:
1. Have a Satellite 6.9
2. Create a user with 'view_hosts' role
3. curl -k -u <USER>:<PASSWD> -X POST -d '{"included": {"ids": [3]}, "organization_id": 1}' -H 'Content-Type: application/json' https://<SAT_URL>/api/v2/hosts/bulk/installable_errata  | python -m json.tool

Change hosts and organization id according to your own environment.

Actual results:

{
    "displayMessage": "Action unauthorized to be performed on selected hosts.",
    "errors": [
        "Action unauthorized to be performed on selected hosts."
    ]
}

Expected results:

No error

Additional info:

While working with SBR it looked as though the issue could also be reproduced with a 6.7 Satellite, but not 100%. The call worked for some hosts and didn't for others.

Comment 5 Jeremy Lenz 2023-03-20 16:58:59 UTC
This should only require the :view_hosts permission. You can confirm this in foreman-rake console:

[24] pry(main)> ::Foreman::AccessControl::permissions_for_controller_action({ controller: "katello/api/v2/hosts_bulk_actions", action: "installable_errata" }).map(&:name)
=> [:view_hosts]
[25] pry(main)> ::Foreman::AccessControl::permissions_for_controller_action({ controller: "katello/api/v2/hosts_bulk_actions", action: "applicable_errata" }).map(&:name)
=> [:view_hosts]


That error could be due to one of a few possibilities:

1. The host with ID 3 is not in the organization with ID 1
2. The host with ID 3 does not exist
3. The user has a role with the view_hosts permission, but that role is filtered to exclude the host with ID 3 - see https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html/administering_red_hat_satellite/managing_users_and_roles_admin#Granular_Permission_Filtering_admin

Sebastien - Can you please check and confirm if any of these is the case?

Comment 6 Jeremy Lenz 2023-03-20 17:11:14 UTC
Just seeing this bit, apologies:

2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] organization_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] location_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] 
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission

We will have to investigate why it's checking edit_hosts and not view_hosts. That doesn't seem correct.
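
To make the mismatch Jeremy points at easier to spot in a large production.log, here is an added example (not from the original report or from Foreman/Katello) that groups the [per] "checking permission" debug lines with the request that triggered them, by request id, and flags endpoints whose checked permission differs from the documented one. The log lines inside it are constructed from the excerpt above, and the expected-permission table is an assumption taken from the API permissions matrix cited in the report.

```python
import re

# Constructed sample of foreman production.log lines (trimmed from the report's excerpt,
# plus one made-up healthy GET request for contrast).
SAMPLE_LOG = """\
2021-12-01T08:43:35 [I|app|c961b70e] Started POST "/api/v2/hosts/bulk/installable_errata" for 127.0.0.1 at 2021-12-01 08:43:35 +0100
2021-12-01T08:43:36 [D|dyn|] Executor heartbeat
2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission
2021-12-01T08:43:36 [E|app|c961b70e] *** ERROR: Action unauthorized to be performed on selected hosts. (403) ***
2021-12-01T08:43:40 [I|app|a1b2c3d4] Started GET "/api/v2/hosts" for 127.0.0.1 at 2021-12-01 08:43:40 +0100
2021-12-01T08:43:40 [D|per|a1b2c3d4] checking permission view_hosts for class Host::Managed
"""

# Assumed expected permission per endpoint, as documented in the API permissions matrix.
DOCUMENTED = {
    "/api/v2/hosts/bulk/installable_errata": "view_hosts",
    "/api/v2/hosts/bulk/applicable_errata": "view_hosts",
}

# [I|app|<request id>] Started <METHOD> "<path>"
START_RE = re.compile(r'\[[A-Z]\|app\|(\w+)\] Started (\w+) "([^"?]+)')
# [D|per|<request id>] checking permission <perm> for class <Class>
PERM_RE = re.compile(r'\[[A-Z]\|per\|(\w+)\] checking permission (\w+) for class (\S+)')


def parse_permission_checks(log_text):
    """Return {request_id: {"method", "path", "checks": [(permission, class), ...]}}."""
    requests = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            rid, method, path = m.groups()
            requests.setdefault(rid, {"method": method, "path": path, "checks": []})
            continue
        m = PERM_RE.search(line)
        if m:
            rid, perm, klass = m.groups()
            requests.setdefault(rid, {"method": None, "path": None, "checks": []})
            requests[rid]["checks"].append((perm, klass))
    return requests


def find_mismatches(requests, documented=DOCUMENTED):
    """List (request_id, path, expected, actual) where the checked permissions differ from the docs."""
    mismatches = []
    for rid, info in requests.items():
        expected = documented.get(info["path"])
        if expected is None:
            continue  # endpoint not in the table: nothing to compare against
        actual = sorted({perm for perm, _ in info["checks"]})
        if actual != [expected]:
            mismatches.append((rid, info["path"], expected, actual))
    return mismatches
```

Running it over a real log after enabling the permissions debug logger (solution [2] in the report) lists each request id whose checked permission is not the documented one, so the 403 can be tied to the check rather than to a filtered role.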

Comment 7 Sebastien Aime 2023-03-21 06:13:55 UTC
Hello Jeremy,

I just noticed that you have removed the needinfo on me, but I'll answer anyway :-)

My own test environment was very simple, just one org and a couple of hosts. I didn't do anything convoluted. I still have my Satellite, I can provide additional details if it's needed.

Thanks for investigating this!


Seb.

Comment 8 Brad Buckingham 2023-12-01 18:41:30 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and is planning to close it in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.

Comment 9 Brad Buckingham 2024-01-09 20:33:50 UTC
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.

