Description of problem:

Version-Release number of selected component (if applicable):
Katello Version: 1.2.1-1.git.122.8b1c3a7.el6_3

How reproducible: always

Steps to Reproduce:
1. Create a user foo, assign him the administrator role
2. log in as foo
3. delete the user "admin".

Actual results:
403 Forbidden (RestClient::Forbidden)
{"error":{"details":"You are trying to delete your own account","message":"Access denied"}}
Click here for more details.

Expected results: admin user deleted.

Additional info:
I am not able to reproduce this. Worked fine for me. Are you able to reproduce, Jeff?
Works in the following setup:
* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-1.1.12.2-5.el6cf.noarch
* katello-all-1.1.12.2-5.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-1.1.12.2-5.el6cf.noarch
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-1.1.12.2-5.el6cf.noarch
* katello-glue-pulp-1.1.12.2-5.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-5.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch
There is a problem while deleting the admin user:

[ERROR 2013-02-23 02:43:32 b6fac538cd52dc9dedb639780e373fe5 #11746] 422 Unprocessable Entity (RestClient::UnprocessableEntity)
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/abstract_response.rb:48:in `return!'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:220:in `process_result'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:169:in `transmit'
/usr/lib/ruby/1.8/net/http.rb:543:in `start'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:166:in `transmit'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:60:in `execute'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:31:in `execute'
/usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/resource.rb:80:in `delete'
/usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `send'
/usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `call'
/usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/resources/user.rb:74:in `destroy'
/usr/share/katello/lib/resources/abstract_model.rb:342:in `delete!'

Due to Foreman restriction:

Started DELETE "/foreman/api/users/1" for 127.0.0.1 at Sat Feb 23 02:43:32 -0500 2013
Processing by Api::V1::UsersController#destroy as JSON
Parameters: {"id"=>"1"}
Unable to delete internal admin account
Rendered api/v1/errors/unprocessable_entity.json.rabl (1.8ms)
Completed 422 Unprocessable Entity in 243ms (Views: 2.7ms | ActiveRecord: 18.4ms)

So two bugs here (instead of none:):
* one can't delete admin user (but should be able to do this IMO)
* after the operation fails, there is an inconsistency in data among systems.
Priority raised due to possibility of data loss/corruption as referenced by ivan in comment #5
Tested on revision:
* foreman-1.1.10011-1.noarch
* katello-1.4.2-14.el6sat.noarch

User "admin" was removed from Sat6 but error from Foreman is shown: "Failed to perform additional action KatelloForemanEngine::Actions::UserDestroy: 403 Forbidden"
User create also shows the same Foreman error, but user is being created successfully.
So for MDP1 we can't support deleting the admin user. I think this is acceptable, although ugly. Proposing we punt to MDP2
This bug is closely related to this one (already postponed for MDP2): https://bugzilla.redhat.com/show_bug.cgi?id=967583 The roles distribution between Katello and Foreman needs to be designed and implemented properly (personally, I would like to see signo being the one to say what roles the user can take). Trying to quick-fix this for MDP1 would IMO cause more harm than use (and would be probably thrown away anyway). The workaround for MDP1 is to set the admin flag for the new user in Foreman manually, before removing the original admin user.
Correction: the suggested workaround doesn't work, as Foreman doesn't allow removing the admin user.
getting rid of 6.0.0 version since that doesn't exist
The limitation from https://bugzilla.redhat.com/show_bug.cgi?id=868910#c13 still holds. Upstream Foreman doesn't allow deleting the admin user. Due to design spikes around enginification there was little done in terms of users integration between Foreman and Katello, as the work should go away with the enginification stuff. So fixing this bug is quite a waste as it will go away with the enginification effort. @ohad: could we loosen the constraint on deleting an admin user, or is there something that would break after that? (provided new admin user is created?)
moving to MDP3 where we are tackling user integration with more effort
Ivan, I'd suggest moving to the Katello concept of a hidden admin user as we also need it for some anonymous actions (like incoming Puppet reports or rake tasks). Then we can have the user create their own admin user on top instead of them sharing the internal account.
+1
*** Bug 1022397 has been marked as a duplicate of this bug. ***
Upstream bug to dcleal
*** Bug 985978 has been marked as a duplicate of this bug. ***
Moving to POST since upstream bug http://projects.theforeman.org/issues/3272 has been closed
https://github.com/Katello/katello/pull/4368
katello's DB seed failed after the above fix was merged into master.
Verified:
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.32-1.el6sat.noarch
* foreman-compute-1.6.0.32-1.el6sat.noarch
* foreman-gce-1.6.0.32-1.el6sat.noarch
* foreman-libvirt-1.6.0.32-1.el6sat.noarch
* foreman-ovirt-1.6.0.32-1.el6sat.noarch
* foreman-postgresql-1.6.0.32-1.el6sat.noarch
* foreman-proxy-1.6.0.22-1.el6sat.noarch
* foreman-selinux-1.6.0.3-1.el6sat.noarch
* foreman-vmware-1.6.0.32-1.el6sat.noarch
* katello-1.5.0-27.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.56-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.23.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.23.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.23.beta.el6sat.noarch
* pulp-server-2.4.0-0.23.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* rubygem-hammer_cli-0.1.1-10.el6sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-13.el6sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el6sat.noarch
* rubygem-hammer_cli_katello-0.0.4-9.el6sat.noarch
This was delivered with Satellite 6.0 which was released on 10 September 2014.