Bug #5664

Users permissions on hosts are not working properly with organizations

Added by Dotan Paz over 3 years ago. Updated over 3 years ago.

Status:Closed
Priority:Urgent
Assigned To:Marek Hulán
Category:Authorization
Target version:Sprint 23
Difficulty: Bugzilla link:1107702
Found in release:1.5.0 Pull request:
Story points-
Velocity based estimate-
Release1.5.1Release relationshipAuto

Description

Hi ,
After an upgrade from 1.4.1 to 1.5 , users are unable to perform their old tasks (build ,run puppet , edit hosts etc) .
After taking a closer look at the user permissions , I've noticed that old user roles were renamed to "Anonymous_<username>_<oldrole> " .
I really have to sort it out quickly since users can't work .
I tried removing the new roles and adding back the old ones but it didn't fix everything ,now those "manually edited" users appear in red under:
organizations --> QE-Test->users
and cannot be associated with the org (qe-test).

Thanks !


Related issues

Related to Foreman - Bug #5879: undefined local variable or method `scoped_search_definit... Closed 05/22/2014
Related to Foreman - Bug #5541: Filter of resource type Organization can result in error ... Closed 05/01/2014
Blocks Foreman - Tracker #4552: New permissions/authorization system issues New 03/05/2014

Associated revisions

Revision 82b4749e
Added by Marek Hulán over 3 years ago

Fixes #5664 - Host filters can use taxonomies

Also disables taxonomy filters on resources that do not support them.

Revision 9ed89b70
Added by Marek Hulán over 3 years ago

Fixes #5664 - Host filters can use taxonomies

Also disables taxonomy filters on resources that do not support them.

(cherry picked from commit 82b4749eeddabc542ebf1eaec6fdf2d76d2fdd75)

History

#1 Updated by Dominic Cleal over 3 years ago

  • Tracker changed from Feature to Bug
  • Target version set to Sprint 23

Were any permissions assigned to the new roles? What permissions were assigned to users in 1.4?

#2 Updated by Dominic Cleal over 3 years ago

  • Category changed from Authentication to Authorization

#3 Updated by Marek Hulán over 3 years ago

  • Status changed from New to Assigned
  • Assigned To set to Marek Hulán

#4 Updated by Marek Hulán over 3 years ago

The migration assigned all filters to user's organizations, however Host filters do not support organizations (they do not include Taxonomix) and hosts can be assigned only to one organization. The code that searches filters raised an exception which is ignored silently and the result of searching was an empty set.

To remove host filter taxonomy associations you can run these two commands in rails console. The second one should print true. Don't forget to backup your database before running it. This will remove any organization assignment of host filters. It may not be your desired setup so be careful.

filters = Filter.all.select { |filter| filter.resource_type == 'Host'&& !filter.taxonomy_search.nil?  }
filters.map { |filter| filter.update_attribute :taxonomy_search, nil }

I'll work on fixing taxonomy filters for hosts and disallowing it for resources that do not support them. Also I'll try to find the silent exception swallowing and remove it.

#5 Updated by Dominic Cleal over 3 years ago

  • Release set to 1.5.1

#6 Updated by Dominic Cleal over 3 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

#7 Updated by Marek Hulán over 3 years ago

  • Subject changed from Users permissions in 1.5 are not working properly to Users permissions on hosts are not working properly with organizations
  • Status changed from Assigned to Ready For Testing

Migration works correctly. I fixed the scopes on Host object, since it does not include Taxonomix (because host belongs to one taxonomy) we have to define scope manually.

PR is here https://github.com/theforeman/foreman/pull/1438

#8 Updated by Marek Hulán over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#9 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #5879: undefined local variable or method `scoped_search_definition' setting when setting permission filters added

#10 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #5541: Filter of resource type Organization can result in error condition when trying to access organization resources added

#11 Updated by Bryan Kearney over 3 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1107702

Also available in: Atom PDF