Bug 757775 - RBAC: user with "Register System" permission cannot register with RHSM
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Infrastructure
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: katello-blockers 766906 768390
Reported: 2011-11-28 16:59 UTC by Jeff Weiss
Modified: 2019-09-26 13:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-27 00:32:33 UTC
Target Upstream Version:
Embargoed:



Description Jeff Weiss 2011-11-28 16:59:08 UTC
Description of problem:
If you grant a user the "register system" permission, and he only knows the *name* of the environment he wishes to register to, he cannot register.  The API to look up the ID of the environment is off-limits.

Version-Release number of selected component (if applicable):
katello-0.1.115-1.git.4.fc070ec.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Create a role with perm Global/Organizations/Register System only, and assign a user to only this role
2. Try to register with RHSM (or at a lower level, try to look up the ID of the environment via the API)
3.
  
Actual results:
cannot register

Expected results:
register succeeds

Additional info:

[root@katello-test-rhel6-1 ca]# subscription-manager register --username user-perm-1322498127482 --password password --org ACME_Corporation --env Development
User user-perm-1322498127482 is not allowed to access api/environments/index

Started GET "/katello//api/organizations/ACME_Corporation/environments?name=Development" for 10.16.120.31 at Mon Nov 28 11:35:45 -0500 2011
  Processing by Api::EnvironmentsController#index as JSON
  Parameters: {"name"=>"Development", "organization_id"=>"ACME_Corporation"}
Errors::SecurityViolation: User user-perm-1322498127482 is not allowed to access api/environments/index
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:448:in `_run__856191886__process_action__199225275__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2122'
/usr/share/katello/lib/util/threadsession.rb:79:in `thread_locals'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_2122'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:441:in `_run__856191886__process_action__199225275__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:410:in `send'
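
The failure reported above is a permission-dependency gap: the permission covers the final action but not the lookup the client performs first. The following is an added example, not Katello's code and not part of the original report, showing a check that finds such gaps before release. The rule tables, permission symbols, the `api/systems/create` action name and the "after" rule are assumptions made for illustration; only `api/environments/index` and the error message format come from the log above.

```ruby
# Hypothetical rule table (not Katello's authorization_rules.rb):
# each API action lists the permissions allowed to call it.
RULES_BEFORE = {
  "api/environments/index" => [:read_environments],
  "api/systems/create"     => [:register_systems]
}.freeze

# Assumed correction: the lookup a registering client needs is also
# open to holders of :register_systems.
RULES_AFTER = RULES_BEFORE.merge({
  "api/environments/index" => [:read_environments, :register_systems]
}).freeze

# Workflows each permission is meant to enable, as ordered API actions.
# Registering by environment *name* first resolves the name to an ID.
WORKFLOWS = {
  register_systems: ["api/environments/index", "api/systems/create"]
}.freeze

class SecurityViolation < StandardError; end

# Deny by default: an action with no rule is refused for everyone.
def authorize!(rules, user, perms, action)
  allowed = rules.fetch(action, [])
  return true if (allowed & perms).any?
  raise SecurityViolation, "User #{user} is not allowed to access #{action}"
end

# Returns { permission => [denied actions] } for every workflow that a
# role holding only that one permission could not complete.
def permission_gaps(rules, workflows)
  workflows.each_with_object({}) do |(perm, actions), gaps|
    denied = actions.reject do |action|
      begin
        authorize!(rules, "probe", [perm], action)
      rescue SecurityViolation
        false # keep the action in the denied list
      end
    end
    gaps[perm] = denied unless denied.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  p permission_gaps(RULES_BEFORE, WORKFLOWS) # gap on environments index
  p permission_gaps(RULES_AFTER, WORKFLOWS)  # no gaps
end
```

Widening the index rule also lets register-only users list environments, so a rule like this should be scoped as narrowly as the workflow allows.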

Comment 1 Lukas Zapletal 2012-01-20 12:53:57 UTC
[root@ofed ~]# subscription-manager register --username register_system --password register_system --org ACME_Corporation --env env
The system has been registered with id: 3b384ad5-1ff2-4aac-8fbd-663d006f353d 

[root@ofed ~]# rpm -q katello
katello-0.1.187-1.git.1.2d46557.el6.noarch

2d46557 757775 - allowing rhsm to register systems

Comment 3 Jeff Weiss 2012-02-09 21:34:11 UTC
Blocked, cannot test

Comment 4 Jeff Weiss 2012-02-09 21:34:52 UTC
Oops wrong bug, ignore last comment

Comment 5 Corey Welton 2012-02-22 19:08:52 UTC
QA Verified, now able to register a system via RHSM using an account which has only "Register System" permissions.

