IPMI boot and power unaccessible to non-admin users
|Assigned To:||Daniel Lobato Garcia|
|Target version:||Team Daniel - iteration 3|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/3926|
|Velocity based estimate||-|
When any user tries to run IPMI boot or power, no matter what role is applied to them it fails.
The call always return a 404 not found, right after a filter chain halted as
:find_by_name rendered or redirectered.
The only workaround is to make every user who makes IPMI calls an admin. I see this as a hint that it has something to do with roles.
Fixes #6492 - ipmi_boot permission renamed to ipmi_boot_hosts
Authorizer expects permission names to follow a convention
'action'_'controller'. However this permission was not following it, and
this prevented the permission from being applied properly.
Before this fix, only admins could call ipmi_boot. I've also added a
small fix to the controller to check whether the BMC interface is
available before making the IPMI call - otherwise the error that Foreman
threw did not make much sense for the end user (NoMethodError on
#2 Updated by Kevin Mullin over 3 years ago
I believe I was the person who originally reported this issue on IRC.
Daniel helped me debug as much as we could, it definitely appears to revolve around Roles being set for a user.
This is actually a huge blocker for our usage of foreman, where we want to give developers access to a subset of our machines. We want to give them total control of the hardware, including the ability to set 'ipmi_boot?ipmi_device=pxe' the host.
Ironically, the user who has Roles set for it, can easily 'reboot' the box so the BMC portion of the roles works for that, just not for setting the 'ipmi_boot' device.
Please let me know if I can provide any more information for this bug, as its easily reproducible in our environment.
#6 Updated by Daniel Lobato Garcia about 1 year ago
I've submitted a fix via https://github.com/theforeman/foreman/pull/3926 - I believe it's only the ipmi_boot action that suffers from this problem. The power_hosts permission works fine when applied to users in my environment. Let me know if that's not your case (and which version of Foreman you use)