797412 – katello permission not working as expected

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 797412 - katello permission not working as expected

Summary: katello permission not working as expected

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Content Management
Sub Component:
Version:	6.0.0
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Partha Aji
QA Contact:	Kedar Bidarkar
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-02-25 17:22 UTC by Forrest Taylor
Modified:	2019-09-26 14:06 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Creating users with roles and permissions through the command line results in incorrect permissions. The command line used environment names as input parameters instead of identification. This fix adds a "search" route to the environment controllers and checks if the user has permissions to commit actions in that environment. Permissions now assign correctly for users created on the command line.
Clone Of:
Environment:
Last Closed:	2012-12-04 19:42:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:1543	0	normal	SHIPPED_LIVE	Important: CloudForms System Engine 1.1 update	2012-12-05 00:39:57 UTC

Description Forrest Taylor 2012-02-25 17:22:39 UTC

Using katello permission to assign user permission is not working as
expected.

First example:

Create a new role named Changeset_manager:
katello -u admin -p admin user_role create --name Changeset_manager

Create a new permission named Manage_changesets that allows manage, promote
and read changesets:
katello -u admin -p admin permission create --user_role Changeset_manager
--name Manage_changesets  --scope environments --verbs
manage_changesets,promote_changesets,read_changesets

Create an alice account:
katello -u admin -p admin user create --user alice --password alice --email

Assign alice the role of Changeset_manager:
katello -u admin -p admin user assign_role --username alice --role
Changeset_manager

Have alice create a changeset:
katello -u alice -p alice changeset create --org ACME_Corporation --name
cs3 --environment dev

This gives the following error:
    User alice is not allowed to access api/environments/index

alice is not allowed to create a changeset.  alice should have been able to create a changeset given the manage_changesets permission.



Second example:

Create a new role named Provider_manager:
katello -u admin -p admin user_role create --name Provider_manager

Create a new permission named Manage_providers that allows create, update
and read providers:
katello -u admin -p admin permission create --user_role Provider_manager
--name Manage_providers  --scope providers --verbs create,update,read

Assign alice the role of Provider_manager:
katello -u admin -p admin user assign_role --username alice --role
Provider_manager

Have alice create a provider:
katello -u alice -p alice provider create --org ACME_Corporation --name test

Now have alice delete the provider:
[root@system-engine0 ~]# katello -u alice -p alice provider delete --org ACME_Corporation --name test

The delete works, but it should not have, given that she does not have the delete permission (only create,update,read).


katello -u admin -p admin permission list --user_role Provider_manager
--------------------------------------------------------------------------------
                                Permission List

 Id   Name               Scope       Verbs                             Tags  
--------------------------------------------------------------------------------
 11   Manage_providers   providers   read create update

Comment 1 Lukas Zapletal 2012-02-28 15:11:56 UTC

Reproducing...

Comment 2 Lukas Zapletal 2012-03-02 10:13:56 UTC

Hello,

so the first example - it seems creating changeset management permission does not give organization read permission. If you give it, it works. This is a bug I guess.

The second example is not a bug. Once you have create permission, you automatically get a delete permission. This is how it is implemented in the whole Katello. I have to admit we should indicate this somehow or maybe UI could automatically assign also delete permission when create is added. But this is another story (feel free to file a low severity post V1 bug)

@Partha/Justin - I want to fix the first example but I would like to ask. The CLI needs to get list of environments first, so the rule for this is:

  index_rule = lambda{@organization.readable? ||
    @organization.any_systems_registerable?}

Obviously this is not working and what I need to add somewhere is this:

  def self.any_changesets_readable? org
    User.allowed_to?(CHANGE_SETS_READABLE, :environments, nil, org)
  end

The question (A) is where? KTEnvironment seems like a good candidate, but there is already very similar method there:


  def self.any_contents_readable? org, skip_library=false
    ids = org.environment_ids
    ids = ids - [org.library.id] if skip_library
    User.allowed_to?(CONTENTS_READABLE, :environments, ids, org, true)
  end

The only exception is it is checking for content and it does not provide "nil" for the tags, but list of existing environments ids. My second question (B) is why you do this in "any_*" method here. I was under impression that "any_*" methods looks for "any" tags - I mean for permissions that has "nil" set (no tags).

We hit this in the CLI because we are stateless and we sometime need to do additional queries (like fetch avaiable environments) before actual (main) request. By the way this is a generic bug - it was able to reproduce it for:

 - templates
 - activation keys

Command git grep get_environment in the cli shows also (need to do a check-up):

 - errata
 - product
 - repo

Last question (C) is what CONTENTS_READABLE represents? Providers? Packages? Which kind of content? Thanks.

Comment 3 Partha Aji 2012-03-05 16:28:59 UTC

So part of the solution for at least the second example is to rename the verbs to make em more descriptive and consistent with the UI.. My recommendation is to s/create/administer
s/manage_all/administer
s/update/modify

Hopefully that 'll make it clearer that :administer implies CRUD.
Other
A) Your question on putting the changesets  readable on self.any_contents_readable?. I m not sure thats a good idea. Roughly when did the UI perms review.. Go to UI promotions page. The stuff on the left pane where we show the tree of Products/Repos/Packages/Templates/Errata/Distros, thats based of Contents readable permission. The suff on the right Changesets is based of the changeset readable permission.  So things like read changesets or promote_changesets are specific to changesets. To technically be able to add things to a changeset you need both edit on changesets + contents_readable persmission on the environment.

(B)

  def self.any_contents_readable? org, skip_library=false
    ids = org.environment_ids
    ids = ids - [org.library.id] if skip_library
    User.allowed_to?(CONTENTS_READABLE, :environments, ids, org, true)
  end


why you do this in "any_*" method here. I was under impression that "any_*"
methods looks for "any" tags - I mean for permissions that has "nil" set (no
tags).

I presume we want it to check if this user can read any environment in specific org and even there we may want to skip org library. So idea is that last flag set to true will say "return true if the query passes for any of the tags I passed in". That being said if you have all tags set to true , which should/will automatically happen when you created a "global" permission, this should automatically pass since this check happens ahead of the 2nd query.


We needed to add that last flag of true User.allowed_to?(CONTENTS_READABLE, :environments, ids, org, true) for exactly cases like this. By default if you passed in a list of tags, the query will return true only if ALL the tags you passed in match . In our case we really don;t need to check for all tags.. We just need the answer for the question , "can the user access contents atleast one environment in this org?"




(C) is what CONTENTS_READABLE represents? Providers? Packages?
Which kind of content? 

look at A.

Comment 4 Lukas Zapletal 2012-03-06 17:12:50 UTC

Thanks for info, let me know if you hit any issues with our CLI when changing it.

Comment 6 Forrest Taylor 2012-03-21 19:15:02 UTC

In the first example, when I add read permissions for the organization:

# katello -u admin -p admin permission create --user_role Changeset_manager \
--name Read_orgs  --scope organizations --verbs read

I can create a changeset, but I cannot update it:

# katello -u alice -p alice changeset update --add_template test1 --org \
ACME_Corporation --name cs3 --environment dev
User alice is not allowed to access api/templates/index

This is fixed by adding system_templates read_all permissions:
katello -u admin -p admin permission create --user_role Changeset_manager --name SysTem_read  --scope system_templates --verbs read_all

Now, the changeset cannot be promoted:

# katello -u alice -p alice changeset promote --org ACME_Corporation --name cs3\
--environment dev
Promoting the changeset, please wait... User alice is not allowed to access api/tasks/show

It shows state: Promoting

Comment 7 Partha Aji 2012-05-16 15:38:20 UTC

So this should be fixed when these commits are applied..
d1cff2ad36bb0431cd5a3ba036dcf0e089d47898
b12aff39ca12d0c70538f3ac5a912a187f28005f
af2280b1ac97274aef71dd6fc90dbf3f5351d492
14f3126afc054088425c34852accf2d5dd9e7478
1079ea475636e7a17e798ca69e536a2669525027

look at https://github.com/Katello/katello/pull/116 for discussions

In short the condition for environment perms was some what relaxed to say, if you can do any of the sub operations of an environment you should be at the least able to read its name/id/prior information. This should fix the above issues.

Comment 9 Kedar Bidarkar 2012-09-24 09:23:54 UTC

The First example could pass only with the below permissions.
Permissions:
    modify providerts_admin products
    	for: providers
    	verbs: update
    	on: 



[root@dhcp201-200 ~]# katello -u alice -p alice changeset create --org redhat --name cs3 --environment Dev
Successfully created changeset [ cs3 ] for environment [ Dev ]
[root@dhcp201-200 ~]# katello -u alice -p alice changeset create --org redhat --name cs31 --environment Dev
Successfully created changeset [ cs31 ] for environment [ Dev ]
[root@dhcp201-200 ~]# katello -u alice -p alice changeset create --org redhat --name cs33 --environment Dev
Successfully created changeset [ cs33 ] for environment [ Dev ]


[root@dhcp201-200 ~]# katello -u alice -p alice changeset update --name "cs33" --add_product "rhel63" --org redhat --environment Dev
Successfully updated changeset [ cs33 ]

[root@dhcp201-200 ~]# katello -u alice -p alice changeset promote --name "cs33" --org redhat --environment Dev
Changeset [ cs33 ] applied  
              
[root@dhcp201-200 ~]# katello -u admin -p admin user list_roles --username alice
---------------------------------------------------------------------------------------------------------------------------------
                                                        User Role List

 Id   Name               
---------------------------------------------------------------------------------------------------------------------------------
 14   Changeset_manager  


[root@dhcp201-200 ~]# katello -u admin -p admin user_role info --name Changeset_manager --permission_details
---------------------------------------------------------------------------------------------------------------------------------
                                                     User Role Information
---------------------------------------------------------------------------------------------------------------------------------

Id:          14
Name:        Changeset_manager
Description: None
Permissions:
    modify providerts_admin products
    	for: providers
    	verbs: update
    	on: 
    read_sys_temp
    	for: system_templates
    	verbs: read_all
    	on: 
    Manage_changesets
    	for: environments
    	verbs: manage_changesets, promote_changesets, read_changesets
    	on: 
Ldap Groups: 

2) Also please confirm whether the promotion only after providing the above permissions and roles is correct? 


3) Can someone please summarize as to what was decided or what needs to be verified for second example. Or is even second example verification required?

Comment 10 Forrest Taylor 2012-09-24 15:27:06 UTC

For comment #9, I think it would be valuable to document the permissions required for several scenarios because it is not obvious nor intuitive.

The promotion now works given the permissions above.

Comment 11 Athene Chan 2012-10-24 05:33:56 UTC

If documentation of this is required for the User Guide, please create another bugzilla and assign it to documentation so it can be added to the list of required content.

Thank you,
Athene

Comment 13 errata-xmlrpc 2012-12-04 19:42:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

Note You need to log in before you can comment on or make changes to this bug.