Bug 868910 - Another administrator can no longer remove the original "admin" account
Another administrator can no longer remove the original "admin" account
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles (Show other bugs)
Unspecified Unspecified
unspecified Severity medium (vote)
: Unspecified
: --
Assigned To: Dominic Cleal
Og Maciel
: Regression, Reopened, TestBlocker, Triaged
: 985978 1022397 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-10-22 08:45 EDT by Jeff Weiss
Modified: 2016-04-22 11:48 EDT (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-09-11 08:26:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 3272 None None None 2016-04-22 11:48 EDT

  None (edit)
Description Jeff Weiss 2012-10-22 08:45:05 EDT
Description of problem:

Version-Release number of selected component (if applicable):
Katello Version: 1.2.1-1.git.122.8b1c3a7.el6_3

How reproducible:

Steps to Reproduce:
1. Create a user foo, assign him the administrator role
2. log in as foo
3. delete the user "admin".
Actual results:
    403 Forbidden (RestClient::Forbidden)
    {"error":{"details":"You are trying to delete your own account","message":"Access denied"}}
    Click here for more details.

Expected results:
admin user deleted.

Additional info:
Comment 3 Justin Sherrill 2012-12-18 14:00:44 EST
I am not able to reproduce this.  Worked fine for me.  Are you able to reproduce Jeff?
Comment 4 Og Maciel 2013-02-15 12:20:47 EST
Works in the following setup:
* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-
* katello-all-
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-
* katello-glue-pulp-
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-5.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch
Comment 5 Ivan Necas 2013-02-25 11:04:51 EST
There is a problem while deleting the admin user:

    [ERROR 2013-02-23 02:43:32 b6fac538cd52dc9dedb639780e373fe5 #11746] 422 Unproces
    sable Entity (RestClient::UnprocessableEntity)
    b:48:in `return!'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:220:in `
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:169:in `
    /usr/lib/ruby/1.8/net/http.rb:543:in `start'
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:166:in `
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:60:in `e
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/request.rb:31:in `e
    /usr/lib/ruby/gems/1.8/gems/rest-client-1.6.1/lib/restclient/resource.rb:80:in `
    /usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `sen
    /usr/lib/ruby/gems/1.8/gems/foreman_api-0.1.1/lib/foreman_api/base.rb:35:in `cal
    74:in `destroy'
    /usr/share/katello/lib/resources/abstract_model.rb:342:in `delete!'

Due to Foreman restiction:

Started DELETE "/foreman/api/users/1" for at Sat Feb 23 02:43:32 -0500
  Processing by Api::V1::UsersController#destroy as JSON
  Parameters: {"id"=>"1"}
Unable to delete internal admin account
Rendered api/v1/errors/unprocessable_entity.json.rabl (1.8ms)
Completed 422 Unprocessable Entity in 243ms (Views: 2.7ms | ActiveRecord: 18.4ms

So two bugs here (instead of none:):

* one can't delete admin user (but should be able to do this IMO)
* after the operation fails, there is an inconsistency in data among systems.
Comment 7 Corey Welton 2013-06-14 10:55:41 EDT
Priority raised due to possibility of data loss/corruption as referenced by ivan in comment #5
Comment 9 Hayk Hovsepyan 2013-06-18 10:00:07 EDT
Tested on revision:

User "admin" was removed from Sat6 but error from Foreman is shown:
"Failed to perform additional action KatelloForemanEngine::Actions::UserDestroy: 403 Forbidden"
Comment 10 Hayk Hovsepyan 2013-06-18 10:03:06 EDT
User create also shows the same Foreman error, but user is being created successfully.
Comment 11 Mike McCune 2013-06-19 00:20:08 EDT
So for MDP1 we can't support deleting the admin user.  I think this is acceptable, although ugly.

Proposing we punt to MDP2
Comment 12 Ivan Necas 2013-06-19 08:09:56 EDT
This bug is closely related to this one (already postponed for MDP2):


The roles distribution between Katello and Foreman needs to be designed and implemented properly (personally, I would like to see signo being to one to say what roles the user can take). Trying to quick-fixing this for MDP1 would IMO cause more harm than use (and would be probably thrown away anyway).

The workaround for MDP1 is to set the admin flag for the new user in Foreman manually, before removing the original admin user.
Comment 13 Ivan Necas 2013-06-19 08:18:09 EDT
Correction: the suggested workaround doesn't work, as Foreman doesn't allow to remove the admin user.
Comment 14 Mike McCune 2013-08-16 14:18:59 EDT
getting rid of 6.0.0 version since that doesn't exist
Comment 15 Ivan Necas 2013-10-15 09:57:27 EDT
The limitation from https://bugzilla.redhat.com/show_bug.cgi?id=868910#c13 still holds. Upstream foreman doesn't allow to delete admin user.

Due to design spikes around enginification there was a little done in terms of users integration between Foreman and Katello as the work will should go away with the enginification stuff. So fixing this bug is quite a waste as it will go away with the enginification effort.

@ohad: could we loose the constrain on deleting an admin user, or there is something that would break after that? (provided new admin user is created?)
Comment 16 Mike McCune 2013-10-15 11:34:34 EDT
moving to MDP3 where we are tackling user integration with more effort
Comment 17 Dominic Cleal 2013-10-15 13:48:26 EDT
Ivan, I'd suggest moving to the Katello concept of a hidden admin user as we also need it for some anonymous actions (like incoming Puppet reports or rake tasks).  Then we can have the user create their own admin user on top instead of them sharing the internal account.
Comment 18 Ohad Levy 2013-10-16 04:07:16 EDT
Comment 21 Dominic Cleal 2013-10-23 04:39:18 EDT
*** Bug 1022397 has been marked as a duplicate of this bug. ***
Comment 23 Bryan Kearney 2014-04-24 16:38:59 EDT
Upstream bug to dcleal@redhat.com
Comment 25 Dominic Cleal 2014-05-20 07:38:36 EDT
*** Bug 985978 has been marked as a duplicate of this bug. ***
Comment 28 Bryan Kearney 2014-06-30 10:01:16 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/3272 has been closed
Comment 29 Adam Price 2014-06-30 12:53:24 EDT

katello's DB seed failed after the above fixed was merged into master.
Comment 31 Og Maciel 2014-07-29 11:19:47 EDT

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-
* foreman-compute-
* foreman-gce-
* foreman-libvirt-
* foreman-ovirt-
* foreman-postgresql-
* foreman-proxy-
* foreman-selinux-
* foreman-vmware-
* katello-1.5.0-27.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.56-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.23.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.23.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.23.beta.el6sat.noarch
* pulp-server-2.4.0-0.23.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* rubygem-hammer_cli-0.1.1-10.el6sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-13.el6sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el6sat.noarch
* rubygem-hammer_cli_katello-0.0.4-9.el6sat.noarch
Comment 33 Bryan Kearney 2014-09-11 08:26:02 EDT
This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.