Bug #5672

closed

Host group filter bypassed due to unlimited view_hosts filter on anonymous role

Added by Mike McRill almost 10 years ago. Updated about 8 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Since updating to 1.5.0-1, my host filters aren't working. For example, I have a group within my organization that needs access to only certain hosts and shouldn't be able to view any hosts. Their role currently gives most of the host/managed permissions but filtered to a specific hostgroup. For whatever reason, they can see all of the hosts still (specifically the YAML button works for all hosts). They can only edit/manage hosts in the hostgroup though.


Related issues 2 (1 open, 1 closed)

Related to Foreman - Bug #6361: menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default (Closed, Daniel Lobato Garcia, 06/24/2014)
Blocks Foreman - Tracker #4552: New permissions/authorization system issues (New)

Actions #1

Updated by Dominic Cleal almost 10 years ago

  • Status changed from New to Feedback

They might be picking up the additional permission from the "Anonymous" role (poorly named), which is applied to all users in addition to any other roles you've created. This role contains view_hosts with an unlimited filter by default.

Try removing the view_hosts permission from Anonymous, then ensure users get it via a more specialised role.

Actions #2

Updated by Dominic Cleal almost 10 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

Actions #3

Updated by Mike McRill almost 10 years ago

Removing view hosts from the default anonymous role fixed it. Curiously enough, no one has that role assigned--only the one I created via group membership.

Actions #4

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from Host filters not working to Host group filter bypassed due to unlimited view_hosts filter on anonymous role
  • Status changed from Feedback to New

Yes, it's not visible from the web UI as it's a built-in role, but it's applied automatically to every user. It seems we missed this nuanced interaction between roles in the migration, apologies.

Actions #5

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #6361: menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default added

Actions #6

Updated by Dominic Cleal about 8 years ago

  • Status changed from New to Rejected

I think this issue was only present in the upgrade to 1.5.0. New installations since do not have view_hosts in the anonymous role. Since the release is over five versions old now, I'm closing this as the upgrade is not going to get fixed now.
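
An added example, not part of the original thread and not Foreman's own code: a simplified Ruby model of the interaction described in comments #1 and #4, plus an audit check that flags a scoped filter overridden by an unlimited filter in a role applied to every user. It assumes effective access is the union of all filters granting a permission; the `Team A` role, the `key = value` search syntax and the host data are constructed for illustration.

```ruby
# Simplified model (assumption): a user's effective access to a permission is
# the union of every filter granting it, across the roles assigned to the user
# plus the built-in role applied to everyone. search == nil means "unlimited".
Filter = Struct.new(:role, :permission, :search)

# Constructed sample data mirroring the thread.
BUILTIN_FILTERS = [Filter.new("Anonymous", "view_hosts", nil)].freeze
TEAM_FILTERS = [
  Filter.new("Team A", "view_hosts", "hostgroup = team-a"),
  Filter.new("Team A", "edit_hosts", "hostgroup = team-a")
].freeze
HOSTS = [
  { name: "web01", hostgroup: "team-a" },
  { name: "db01",  hostgroup: "finance" }
].freeze

# True when the filter grants access to this host.
def matches?(filter, host)
  return true if filter.search.nil? # unlimited filter matches every host
  key, value = filter.search.split(" = ", 2)
  host[key.to_sym] == value
end

# Names of the hosts a user can reach for one permission, given all filters
# that apply to them (assigned roles and built-in roles together).
def visible_hosts(permission, filters, hosts)
  granting = filters.select { |f| f.permission == permission }
  hosts.select { |h| granting.any? { |f| matches?(f, h) } }.map { |h| h[:name] }
end

# Audit: every scoped filter in the assigned roles that is made ineffective by
# an unlimited filter for the same permission in a built-in role.
def shadowed_filters(assigned, builtin)
  unlimited = builtin.select { |f| f.search.nil? }
  assigned.reject { |f| f.search.nil? }.flat_map do |scoped|
    unlimited.select { |u| u.permission == scoped.permission }.map do |u|
      { permission: scoped.permission, scoped_role: scoped.role, overridden_by: u.role }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  all = TEAM_FILTERS + BUILTIN_FILTERS
  puts "view_hosts: #{visible_hosts('view_hosts', all, HOSTS).inspect}"
  puts "edit_hosts: #{visible_hosts('edit_hosts', all, HOSTS).inspect}"
  shadowed_filters(TEAM_FILTERS, BUILTIN_FILTERS).each { |s| puts "shadowed: #{s}" }
end
```

The model reproduces the reported symptom: viewing is unrestricted while editing stays limited to the hostgroup, and dropping the built-in `view_hosts` filter restores the scoped view.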
