Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 773593

Summary: User having permissions to create & read provider, can also delete provider
Product: Red Hat Satellite Reporter: Sachin Ghai <sghai>
Component: APIAssignee: Lukas Zapletal <lzap>
Status: CLOSED NOTABUG QA Contact: Jitendra Yejare <jyejare>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0.0CC: jsherril
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-20 13:20:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 747354    

Description Sachin Ghai 2012-01-12 11:11:34 UTC 
Description of problem:

I've created few org's and users. And defined some roles are permissions.

I created a role Manager who can manage all org's but don't have perform delete permissions.

katello> permission list --user_role manager
--------------------------------------------------------------------------------------------------------------------------
                                                     Permission List

 Id   Name                Scope             Verbs                                                                                                                                          Tags  
--------------------------------------------------------------------------------------------------------------------------
 24   provider_perm       providers         create read                                                                                                                                          
 23   user_perm           users             create update read                                                                                                                                   
 22   env_perm            environments      read_contents read_changesets read_systems register_systems promote_changesets manage_changesets update_systems                                      
 21   organization_perm   organizations     read_systems read register_systems gpg sync update update_systems                                                                                    
 19   filter_perm         filters           read create update                                                                                                                                   
 17   org_perm            activation_keys   read_all      


See here provider_perm have create and read permission.


katello> user list_roles --username Manager
--------------------------------------------------------------------------------------------------------------------------
                                                      User Role List

 Id   Name     
--------------------------------------------------------------------------------------------------------------------------
 9    manager  
katello> 



However manager user can also delete provider:

[root@dhcp201-187 ~]# katello -u Manager -p redhat shell
katello> provider create --name test_provider2 --org ami_org 
Successfully created provider [ test_provider2 ]
katello> provider delete --name test_provider2 --org ami_org
Deleted provider [ test_provider2 ]
katello> 


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Listed above

Actual results:
User who has only to create/read provider, can also delete the provider

Expected results:
User should get a permission denied message

Additional info:
Comment 1 Sachin Ghai 2012-01-12 11:12:27 UTC 
reproducible in 

[root@dhcp201-187 ~]# rpm -qa | grep katello
katello-glue-candlepin-0.1.174-2.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-certs-tools-1.0.1-2.el6.noarch
katello-common-0.1.174-2.el6.noarch
katello-cli-0.1.34-2.el6.noarch
katello-glue-pulp-0.1.174-2.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-cli-common-0.1.34-2.el6.noarch
katello-configure-0.1.52-2.el6.noarch
katello-glue-foreman-0.1.174-2.el6.noarch
katello-all-0.1.174-2.el6.noarch
katello-0.1.174-2.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
[root@dhcp201-187 ~]#
Comment 2 Lukas Zapletal 2012-01-12 13:31:58 UTC 
@Sachin - Please note the CLI permissions are not yet implemented. I am working on it this sprint. Will fix this, but please postpone permission testing for the CLI until this is done.
Comment 3 Lukas Zapletal 2012-01-19 17:13:51 UTC 
@Sachin - Can you please describe me what permission did not you give it? Or ping me pls. I am not following, thanks!
Comment 4 Sachin Ghai 2012-01-20 08:24:04 UTC 
Sorry for not stating clearly. 

Available verbs for 'providers' are :create, delete, update and read".
However the permissions that I didn't give are "delete, update" for providers.

Still I was able to delete the providers.
Comment 5 Sachin Ghai 2012-01-20 08:39:17 UTC 
I've defined all permissions by following cmds:

katello> permission create --name env_perm --user_role manager --scope environments --verbs manage_changesets,update_systems,promote_changesets,read_changesets,read_contents,read_systems,register_systems
Successfully created permission [ env_perm ] for user role [ manager ]
katello> 

katello> permission create --name filter_perm --user_role manager --scope filters --verbs create,update,read
Successfully created permission [ filter_perm ] for user role [ manager ]
katello> 

katello> permission create --name provider_perm --user_role manager --scope providers --verbs create,read
Successfully created permission [ provider_perm ] for user role [ manager ]

katello> permission create --name organization_perm --user_role manager --scope organizations --verbs gpg,update,update_systems,read,read_systems,register_systems,sync
Successfully created permission [ organization_perm ] for user role [ manager ]
katello> 

katello> permission list --user_role manager
--------------------------------------------------------------------------------------------------------------------------
                                                     Permission List

 Id   Name                Scope             Verbs                                                                                                                                          Tags  
--------------------------------------------------------------------------------------------------------------------------
 21   organization_perm   organizations     read_systems read register_systems gpg sync update update_systems                                                                                    
 20   provider_perm       providers         read create update                                                                                                                                   
 19   filter_perm         filters           read create update                                                                                                                                   
 18   env_perm            environments      read_contents read_changesets read_systems register_systems promote_changesets manage_changesets update_systems                                      
 17   org_perm            activation_keys   read_all                                                                        

katello> user list_roles --username Manager
--------------------------------------------------------------------------------------------------------------------------
                                                      User Role List

 Id   Name     
--------------------------------------------------------------------------------------------------------------------------
 9    manager  
katello> 


katello> user assign_role --username Manager --role manager
User 'Manager' assigned to role 'manager'
katello> 

# katello -u Manager -p redhat shell
katello>

katello> provider create --name test_provider --org ami_org 
Successfully created provider [ test_provider ]

katello> provider delete --name test_provider --org ami_org
Deleted provider [ test_provider ]
Comment 6 Lukas Zapletal 2012-01-20 13:20:07 UTC 
The issue is if you already have create permission, you automatically get delete permission. This is what we test in this case:

  User.allowed_to?([:delete, :create], :providers, self.id, self.organization)

Justin implemented this. Justin is this because of some technical issues in the UI (like you need this permission to access deletion page or something)? Or it is just the approach we took? Please confirm here. Thanks.

I believe we implement this approach in many places.
Comment 7 Justin Sherrill 2012-01-20 14:01:46 UTC 
Hey Sachin, 

What lukas says is correct.  We decided to give create full CRUD operations for simplicity and manageability.  See jeff's bug here: https://bugzilla.redhat.com/show_bug.cgi?id=773761 where he's asking for a more pure create without delete.

However, for now in most cases Create gives you full CRUD.
Comment 8 Sachin Ghai 2012-01-23 06:20:20 UTC 
Thanks Lukaz, Justin  for sharing this info. For now I'll keep an eye on 773761 bz.