Bug #15229
open"Viewer" role has not been updated to contain "view_config_reports" in stead of "view_reports" even though deprecated
Description
With Foreman 1.11, the "view_reports" filter has been deprecated in favour of "view_config_reports", but the Role "Viewer" (and presumably others too) have not been updated to reflect that change, resulting in users loosing access to their puppet reports until the role gets changed manually.
Since this has been a hard deprecation with 1.11, I suspect that this filter should have been migrated as part of that release but has fallen through the cracks somewhere?
IMO this should be done automatically, since as far as the docs go "view_reports" does not do anything any more and there is no reason to keep that filter around.
Updated by Dominic Cleal over 8 years ago
- Category set to DB migrations
- Status changed from New to Need more information
The change included a database migration to rename the permissions from reports to config_reports, so it's possible your database isn't migrated. Please run foreman-rake db:migrate:status
and check 20150728122736 (change report permissions) is "up", and if not, run foreman-rake db:migrate
.
If it's already migrated then it's hard to say what happened without seeing the original migration logs.
Updated by Simon Mügge over 8 years ago
It is marked as "up" and I am sorry to say I did not save the migration logs - sorry, I don't think I can give more information here.
Updated by Dominic Cleal over 8 years ago
- Status changed from Need more information to New
No worries, I'll leave this open. We had a similar case in #14592, where the new config report permissions weren't available.
Do you have config reports listed as an available resource when creating a role filter? I wonder if it's not renamed, or if you have both reports and config reports.
My only other thought is if you're missing the new config reports permissions, then re-run the migration by running foreman-rake db:migrate:down VERSION=20150728122736
and then db:migrate:up. This would probably cause problems if you have both, so only use it if you just have the older reports permissions. (There was an
Updated by Simon Mügge over 8 years ago
I have both permission sets available, *_reports as well as *_config_reports - once I change the roles over to config_reports, they work, too.
I'll try rerunning the migration, and report back.
Updated by Simon Mügge over 8 years ago
Rather strange behaviour..?
did db:migrate:down VERSION=20150728122736 && db:migrate:up VERSION=20150728122736 - after that the *_reports stuff was still there, and the *_config_reports was a) still unused by the default roles and b) had no permisson items for config_reports available in the gui - the main "Config Reports" section was there though, just empty.
I then re-ran db:migrate, db:seed and restarted the service and the permisson items for config_reports where back, but reports was still there and the roles have not been migrated - same as my initial reported state.
I think I maybe did not do things in the right order/missed something initially?
Updated by Simon Mügge over 8 years ago
Further information:
- We have 2 setups exhibiting the same symptoms, both have been set up as a Foreman 1.10.(probably 3) and then upgraded to 11.0/11.1
- Both setups are also affected by the bug that cloned roles get created as unassignable/uneditable (can't find the bug in the tracker, sorry) until you fix a flag in the database
The db:migrate:down and :up I performed in comment #5 seems to have broken something else:
- when trying to edit an existing role, the error "ERF42-5434 [Foreman::Exception]: unknown permission view_taxonomies" gets raised
- when trying to create an entirely new role, the error "Oops, we're sorry but something went wrong some permissions were not found" gets raised.
Any help on the latter two would be greatly appreciated.
Updated by Dominic Cleal over 8 years ago
Simon Mügge wrote:
The db:migrate:down and :up I performed in comment #5 seems to have broken something else:
- when trying to edit an existing role, the error "ERF42-5434 [Foreman::Exception]: unknown permission view_taxonomies" gets raised
This is bug #14101 (https://github.com/theforeman/foreman/pull/3342#issuecomment-220622352).
Updated by Simon Mügge over 8 years ago
Dominic Cleal wrote:
Simon Mügge wrote:
The db:migrate:down and :up I performed in comment #5 seems to have broken something else:
- when trying to edit an existing role, the error "ERF42-5434 [Foreman::Exception]: unknown permission view_taxonomies" gets raisedThis is bug #14101 (https://github.com/theforeman/foreman/pull/3342#issuecomment-220622352).
Thanks!
Applying the patch does indeed fix the "view_taxonomies" thing when editing existing roles, but creating new Roles still doesn't work with "Oops, we're sorry but something went wrong some permissions were not found"