Bug #6492

IPMI boot and power unaccessible to non-admin users

Added by Daniel Lobato Garcia almost 3 years ago. Updated 8 months ago.

Status:Closed
Priority:Normal
Assigned To:Daniel Lobato Garcia
Category:BMC
Target version:Team Daniel - iteration 3
Difficulty:medium Bugzilla link:
Found in release: Pull request:https://github.com/theforeman/foreman/pull/3926
Story points-
Velocity based estimate-
Release1.14.0Release relationshipAuto

Description

When any user tries to run IPMI boot or power, no matter what role is applied to them it fails.

The call always return a 404 not found, right after a filter chain halted as
:find_by_name rendered or redirectered.

The only workaround is to make every user who makes IPMI calls an admin. I see this as a hint that it has something to do with roles.


Related issues

Related to Foreman - Bug #5994: Power and Console links are disabled for non-admin users Closed 05/30/2014

Associated revisions

Revision 4090ccb5
Added by Daniel Lobato Garcia 8 months ago

Fixes #6492 - ipmi_boot permission renamed to ipmi_boot_hosts

Authorizer expects permission names to follow a convention
'action'_'controller'. However this permission was not following it, and
this prevented the permission from being applied properly.

Before this fix, only admins could call ipmi_boot. I've also added a
small fix to the controller to check whether the BMC interface is
available before making the IPMI call - otherwise the error that Foreman
threw did not make much sense for the end user (NoMethodError on
bmc_proxy).

History

#1 Updated by Dominic Cleal almost 3 years ago

  • Related to Bug #5994: Power and Console links are disabled for non-admin users added

#2 Updated by Kevin Mullin almost 3 years ago

I believe I was the person who originally reported this issue on IRC.

Daniel helped me debug as much as we could, it definitely appears to revolve around Roles being set for a user.

This is actually a huge blocker for our usage of foreman, where we want to give developers access to a subset of our machines. We want to give them total control of the hardware, including the ability to set 'ipmi_boot?ipmi_device=pxe' the host.

Ironically, the user who has Roles set for it, can easily 'reboot' the box so the BMC portion of the roles works for that, just not for setting the 'ipmi_boot' device.

Please let me know if I can provide any more information for this bug, as its easily reproducible in our environment.

#3 Updated by Gael Queri about 1 year ago

Same issue with Foreman 1.9.0

#4 Updated by Joe Mader 8 months ago

This is a blocking problem for our shop as well - same use case as Kevin Mullin. We are using Foreman v1.10.

#5 Updated by The Foreman Bot 8 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3926 added

#6 Updated by Daniel Lobato Garcia 8 months ago

I've submitted a fix via https://github.com/theforeman/foreman/pull/3926 - I believe it's only the ipmi_boot action that suffers from this problem. The power_hosts permission works fine when applied to users in my environment. Let me know if that's not your case (and which version of Foreman you use)

#7 Updated by Daniel Lobato Garcia 8 months ago

  • Target version set to Team Daniel - iteration 3

#8 Updated by Anonymous 8 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#9 Updated by Dominic Cleal 8 months ago

  • Release set to 1.14.0

Also available in: Atom PDF