Bug 2101986 - Getting "NoPermission: Permission to perform this operation was denied." when edit host or compute profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Compute Resources - VMWare
Version: 6.10.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: 6.12.0
Assignee: satellite6-bugs
QA Contact: Lukáš Hellebrandt
Reported: 2022-06-29 02:50 UTC by Hao Chang Yu
Modified: 2022-11-16 13:34 UTC (History)

Fixed In Version: tfm-rubygem-fog-vsphere-3.5.2
Clone Of:
: 2112351 (view as bug list)
Environment:
Last Closed: 2022-11-16 13:34:13 UTC
Target Upstream Version:
Embargoed:


Attachments
Hotfix RPM for Satellite 6.11.1 on RHEL7 (75.34 KB, application/x-rpm)
2022-07-27 20:20 UTC, wclark
Hotfix RPM for Satellite 6.11.1 on RHEL8 (78.82 KB, application/x-rpm)
2022-07-27 20:21 UTC, wclark


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 35125 | 0 | Normal | New | Getting "NoPermission: Permission to perform this operation was denied." when edit host or compute profile | 2022-06-29 03:17:11 UTC
Github | fog fog-vsphere pull 277 | 0 | None | open | Fixes #35125 - Avoid unneeded "get_raw_datacenter" call | 2022-06-29 03:33:58 UTC
Red Hat Issue Tracker | SAT-13538 | 0 | None | None | None | 2022-10-21 15:39:57 UTC
Red Hat Product Errata | RHSA-2022:8506 | 0 | None | None | None | 2022-11-16 13:34:24 UTC

Description Hao Chang Yu 2022-06-29 02:50:12 UTC
Description of problem:

Getting the below error when trying to edit a VMware host or edit a VMware compute profile.
-----------------
"Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied."
-----------------


Traceback in /var/log/foreman/production.log
-----------------
2022-06-29T12:06:21 [W|app|317ea02a] NoPermission: Permission to perform this operation was denied.
2022-06-29T12:06:21 [I|app|317ea02a] Backtrace for 'NoPermission: Permission to perform this operation was denied.' error (ActionView::Template::Error): NoPermission: Permission to perform this operation was denied.
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:63:in `parse_response'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:92:in `call'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:213:in `_call'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:76:in `block (2 levels) in init'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:10:in `find'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:97:in `block in traverse'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `each'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `inject'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `traverse'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/ServiceInstance.rb:11:in `find_datacenter'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:19:in `get_raw_datacenter'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:14:in `find_raw_datacenter'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/list_networks.rb:11:in `list_networks'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/networks.rb:10:in `all'
 317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:152:in `block in networks'
 317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `instance_eval'
 317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `get_uncached_value'
 317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:22:in `cache'
 317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:151:in `networks'
 317ea02a | /usr/share/foreman/app/helpers/compute_resources_vms_helper.rb:78:in `vsphere_networks'
 317ea02a | /usr/share/foreman/app/views/compute_resources_vms/form/vmware/_network.html.erb:6:in `_b4393ee8b85d1c4bce3b12c61c7ac846'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/base.rb:274:in `_run'
 317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/template.rb:185:in `block in render'
<snip>
-----------------


Steps to Reproduce:

In VCenter:
1. Create a user with "No access" role to the root folder.
2. Create a datacenter with path structure "my_department/my_datacenter".
3. Assign "Administrator" role to the user in "my_department" folder and check "Propagate to children".

In Satellite:
1. Create a compute resource and select "my_department/my_datacenter" datacenter.
2. Go to Compute profiles page -> select any size -> select the vmware compute resource.


Actual results:
Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied.

Expected results:
No error


Additional info:
- User has no read permission on root folder so "rbvmomi" failed to traverse from the root folder to find the datacenter.
- but this traversing action can actually be avoided because the module has already retrieved all the datacenters.




The "get_raw_datacenter" call can be avoided if we also match the raw_datacenters by path.
----------------------------
# "/opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb"

        def find_raw_datacenter(name)
          raw_datacenters.find { |d| d.name == name } || get_raw_datacenter(name)
        end
------------------------------


The below methods set datacenter as path, causing the above method to not match anything and then call "get_raw_datacenter".
------------------------------
# /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/datacenter.rb

        def clusters(filters = {})
          service.clusters({ datacenter: path.join('/') }.merge(filters))
        end

        def networks(filters = {})
          service.networks({ datacenter: path.join('/') }.merge(filters))
        end

        def datastores(filters = {})
          service.datastores({ datacenter: path.join('/') }.merge(filters))
        end

        def storage_pods(filters = {})
          service.storage_pods({ datacenter: path.join('/') }.merge(filters))
        end

        def vm_folders(filters = {})
          service.folders({ datacenter: name, type: :vm }.merge(filters))  # <=== this is using name
        end
------------------------------
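
A minimal model of the lookup described in this report, added here as an illustration; it is not fog-vsphere or Foreman code. `FakeInventory`, `RawDatacenter`, its `path` field, `lookup_outcome` and both `find_by_*` method names are hypothetical, and the sample datacenter is constructed from the reproduction steps.

```ruby
# Constructed model of the datacenter lookup; not fog-vsphere code.
class NoPermission < StandardError; end

# Stand-in for a raw datacenter: leaf name plus folder path segments (assumed shape).
RawDatacenter = Struct.new(:name, :path)

class FakeInventory
  attr_reader :root_traversals

  # readable_root: false models the "No access" role on the root folder.
  def initialize(datacenters, readable_root:)
    @datacenters = datacenters
    @readable_root = readable_root
    @root_traversals = 0
  end

  # Already-retrieved list (the report notes the module has all datacenters).
  def raw_datacenters
    @datacenters
  end

  # Models get_raw_datacenter: walks down from the root folder, so it needs
  # read access there and raises for the restricted account.
  def get_raw_datacenter(name)
    @root_traversals += 1
    raise NoPermission, 'Permission to perform this operation was denied.' unless @readable_root
    @datacenters.find { |d| d.path.join('/') == name }
  end

  # Lookup as quoted in the report: name-only match, then root traversal.
  def find_by_name_only(name)
    raw_datacenters.find { |d| d.name == name } || get_raw_datacenter(name)
  end

  # Variant that also matches the full path before falling back.
  def find_by_name_or_path(name)
    raw_datacenters.find { |d| d.name == name || d.path.join('/') == name } ||
      get_raw_datacenter(name)
  end
end

# Returns the matched datacenter name, nil if absent, or :no_permission.
def lookup_outcome(inventory, method, key)
  inventory.public_send(method, key)&.name
rescue NoPermission
  :no_permission
end
```
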

Comment 4 wclark 2022-07-27 20:20:04 UTC
Created attachment 1899803
Hotfix RPM for Satellite 6.11.1 on RHEL7

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.11.1 server

2. Download the hotfix RPM for Satellite 6.11.1 on RHEL7 attached to this BZ and copy it to Satellite server

3. # yum install ./tfm-rubygem-fog-vsphere-3.5.2-1.el7sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

NOTE: This hotfix additionally contains the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2072696

Comment 5 wclark 2022-07-27 20:21:13 UTC
Created attachment 1899804
Hotfix RPM for Satellite 6.11.1 on RHEL8

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.11.1 server

2. Download the hotfix RPM for Satellite 6.11.1 on RHEL8 attached to this BZ and copy it to Satellite server

3. # dnf install ./rubygem-fog-vsphere-3.5.2-1.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

NOTE: This hotfix additionally contains the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2072696

Comment 6 Lukáš Hellebrandt 2022-10-04 14:16:18 UTC
Verified with Sat 6.12 snap 13.0.

for version in 6 7; do

In vSphere${version}:
1) Menu -> Administration -> SSO -> Add user
2) Storages -> Create new folder
3) Move (drag) an existing storage to the folder
4) Select root, go to permissions tab, add the new user with No access role
5) Select folder, go to permissions tab, add the new user with Administrator role checking Propagate to children

In Satellite (with manifest):
1) Infrastructure -> Compute Resources -> Create, using vSphere${version} and the newly created user credentials
2) <CR> -> Images -> Create
3) <CR> -> Compute Resources -> any
4) Infrastructure -> Compute Resources -> any
5) Edit cluster, storage pod
6) All Hosts -> Create

done

=> No traceback, no WebUI errors, CR added, CP edited, host created, corresponding VM created

Comment 10 errata-xmlrpc 2022-11-16 13:34:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506

