Bug #11201

open

No permission to access /api/hosts/:id/parameters with view_hosts

Added by Rainer G over 9 years ago. Updated over 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: API
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

I've run foreman-debug and uploaded the file: /tmp/foreman-debug-fBc8y.tar.xz

OS: debian
RELEASE: 7.8
FOREMAN: 1.8.2
RUBY: ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux]
PUPPET: 3.8.1

I have the following problem with permissions:
A user may view all facts of a host in the web interface; he is also able to get the information for the host via a curl call.

curl -k -u USER -H "Accept: version=2,application/json" https://foreman.rack.zone/api/hosts/798

But when the user runs
hammer host info --name <servername>
he receives 'Forbidden - server refused to process the request'

Here is the output of the hammer call with -d

I've deleted some details.
It's also strange that the client actually has the information but returns a forbidden.

THANKS!

hammer -d -u USER -s foreman --name vs125
[ INFO 2015-07-23 17:46:12 Init] Initialization of Hammer CLI (0.2.0) has started...
[DEBUG 2015-07-23 17:46:12 Init] Running at ruby 2.1.5-p273
[ INFO 2015-07-23 17:46:12 Init] Configuration from the file /etc/hammer/cli_config.yml has been loaded
[ INFO 2015-07-23 17:46:12 Init] Configuration from the file /etc/hammer/cli.modules.d/foreman.yml has been loaded
[ INFO 2015-07-23 17:46:12 Init] Configuration from the file /home/aoehler/.hammer/cli.modules.d/foreman.yml has been loaded
[ WARN 2015-07-23 17:46:13 Modules] Veraltete Konfiguration von Modulen entdeckt. Prüfen Sie den Abschnitt zum Thema Konfiguration im Benutzerhandbuch
[DEBUG 2015-07-23 17:46:13 Connection] Registered: foreman
[DEBUG 2015-07-23 17:46:13 API] Global headers: {
        :content_type => "application/json",
              :accept => "application/json;version=2",
    "Accept-Language" => "de" 
}
[ INFO 2015-07-23 17:46:13 Modules] Extension module hammer_cli_foreman (0.2.0) loaded
[ INFO 2015-07-23 17:46:13 Modules] Extension module hammer_cli_foreman (0.2.0) loaded
[DEBUG 2015-07-23 17:46:13 Init] Using locale 'de'
[DEBUG 2015-07-23 17:46:13 Init] 'mo' files for locale domain 'hammer-cli' loaded from '/usr/share/locale'
[DEBUG 2015-07-23 17:46:13 Init] 'mo' files for locale domain 'hammer-cli-foreman' loaded from '/usr/share/locale'
[ INFO 2015-07-23 17:46:13 HammerCLI::MainCommand] Called with options: {"option_debug"=>true, "option_username"=>"USER", "option_server"=>"foreman"}
[ INFO 2015-07-23 17:46:13 HammerCLIForeman::Host] Called with options: {}
[ INFO 2015-07-23 17:46:13 HammerCLIForeman::Host::InfoCommand] Called with options: {"option_name"=>"vs125"}
[ INFO 2015-07-23 17:46:13 API] GET /api/hosts
[DEBUG 2015-07-23 17:46:13 API] Params: {
    :search => "name = \"vs125\"" 
}
[DEBUG 2015-07-23 17:46:13 API] Headers: {
    :params => {
        :search => "name = \"vs125\"" 
    }
}
[Foreman]-Passwort für user: 
[DEBUG 2015-07-23 17:46:20 API] Response: {
       "total" => 31,
    "subtotal" => 1,
        "page" => 1,
    "per_page" => 20,
      "search" => "name = \"vs125\"",
        "sort" => {
           "by" => nil,
        "order" => nil
    },
     "results" => [
        [0] {
                               "ip" => "10.1.160.60",
                   "environment_id" => 2,
                 "environment_name" => "development",
                      "last_report" => nil,
                              "mac" => "52:54:00:d2:6d:21",
                         "realm_id" => nil,
                       "realm_name" => nil,
                           "sp_mac" => nil,
                            "sp_ip" => nil,
                          "sp_name" => nil,
                        "domain_id" => 9,
                      "domain_name" => "unstable",
                  "architecture_id" => 1,
                "architecture_name" => "x86_64",
               "operatingsystem_id" => 5,
             "operatingsystem_name" => "Debian Wheezy (INSTALL!)",
                        "subnet_id" => 10,
                      "subnet_name" => "Subnet",
                     "sp_subnet_id" => nil,
                        "ptable_id" => 9,
                      "ptable_name" => "Preseed custom LVM all_root",
                        "medium_id" => 7,
                      "medium_name" => "BY Debian Mirror",
                            "build" => false,
                          "comment" => "",
                             "disk" => "",
                     "installed_at" => "2015-07-23T09:01:29Z",
                         "model_id" => nil,
                       "model_name" => nil,
                     "hostgroup_id" => 16,
                   "hostgroup_name" => "Team Product",
                         "owner_id" => 5,
                       "owner_type" => "Usergroup",
                          "enabled" => true,
               "puppet_ca_proxy_id" => nil,
                          "managed" => true,
                        "use_image" => nil,
                       "image_file" => "",
                             "uuid" => "5d0cdc37-ec9b-e4c3-0c16-f0b6aa2aa1ec",
              "compute_resource_id" => 51,
            "compute_resource_name" => "cr-3-73",
               "compute_profile_id" => 2,
             "compute_profile_name" => "S",
                     "capabilities" => [
                [0] "build",
                [1] "image" 
            ],
                 "provision_method" => "build",
                  "puppet_proxy_id" => nil,
                         "certname" => "vs125",
                         "image_id" => nil,
                       "image_name" => nil,
                       "created_at" => "2015-07-23T08:48:46Z",
                       "updated_at" => "2015-07-23T14:50:21Z",
                     "last_compile" => nil,
                  "last_freshcheck" => nil,
                           "serial" => nil,
                   "source_file_id" => nil,
                    "puppet_status" => 0,
                  "organization_id" => 25,
                "organization_name" => "Developer",
                      "location_id" => 18,
                    "location_name" => "UNSTABLE",
                             "name" => "vs125",
                               "id" => 22125
        }
    ]
}
[DEBUG 2015-07-23 17:46:20 API] Response headers: {
                   :date => "Thu, 23 Jul 2015 15:46:17 GMT",
                 :server => "Apache/2.2.22 (Debian)",
           :x_powered_by => "Phusion Passenger (mod_rails/mod_rack) 3.0.13",
        :foreman_version => "1.8.2",
    :foreman_api_version => "2",
        :apipie_checksum => "e3bfd0c4952c158d0555df77379f5010",
        :x_ua_compatible => "IE=Edge,chrome=1",
                   :etag => "\"b71e23a8376524b48769d23b545e3c93\"",
          :cache_control => "must-revalidate, private, max-age=0",
           :x_request_id => "d845316b408235c1b2e8739f3f30f11a",
              :x_runtime => "3.169905",
           :x_rack_cache => "miss",
             :set_cookie => [
        [0] "request_method=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT" 
    ],
                 :status => "200",
         :content_length => "1741",
             :connection => "close",
           :content_type => "application/json; charset=utf-8" 
}
[ INFO 2015-07-23 17:46:20 API] GET /api/hosts/22125
[DEBUG 2015-07-23 17:46:20 API] Params: {}
[DEBUG 2015-07-23 17:46:20 API] Headers: {
    :params => {}
}
[DEBUG 2015-07-23 17:46:23 API] Response: {
                       "ip" => "10.1.160.60",
           "environment_id" => 2,
         "environment_name" => "development",
              "last_report" => nil,
                      "mac" => "52:54:00:d2:6d:21",
                 "realm_id" => nil,
               "realm_name" => nil,
                   "sp_mac" => nil,
                    "sp_ip" => nil,
                  "sp_name" => nil,
                "domain_id" => 9,
              "domain_name" => "unstable",
          "architecture_id" => 1,
        "architecture_name" => "x86_64",
       "operatingsystem_id" => 5,
     "operatingsystem_name" => "Debian Wheezy (INSTALL!)",
                "subnet_id" => 10,
              "subnet_name" => "DC",
             "sp_subnet_id" => nil,
                "ptable_id" => 9,
              "ptable_name" => "Preseed custom LVM all_root",
                "medium_id" => 7,
              "medium_name" => "BY Debian Mirror",
                    "build" => false,
                  "comment" => "",
                     "disk" => "",
             "installed_at" => "2015-07-23T09:01:29Z",
                 "model_id" => nil,
               "model_name" => nil,
             "hostgroup_id" => 16,
           "hostgroup_name" => "Product",
                 "owner_id" => 5,
               "owner_type" => "Usergroup",
                  "enabled" => true,
       "puppet_ca_proxy_id" => nil,
                  "managed" => true,
                "use_image" => nil,
               "image_file" => "",
                     "uuid" => "5d0cdc37-ec9b-e4c3-0c16-f0b6aa2aa1ec",
      "compute_resource_id" => 51,
    "compute_resource_name" => "unstable73",
       "compute_profile_id" => 2,
     "compute_profile_name" => "S",
             "capabilities" => [
        [0] "build",
        [1] "image" 
    ],
         "provision_method" => "build",
          "puppet_proxy_id" => nil,
                 "certname" => "vs125",
                 "image_id" => nil,
               "image_name" => nil,
               "created_at" => "2015-07-23T08:48:46Z",
               "updated_at" => "2015-07-23T14:50:21Z",
             "last_compile" => nil,
          "last_freshcheck" => nil,
                   "serial" => nil,
           "source_file_id" => nil,
            "puppet_status" => 0,
          "organization_id" => 25,
        "organization_name" => "Developer",
              "location_id" => 18,
            "location_name" => "ALL/DC/IPC3/UNSTABLE",
                     "name" => "vs125",
                       "id" => 22125,
               "parameters" => [],
               "interfaces" => [
        [0] {
                    "id" => 43685,
                  "name" => "vs125",
                    "ip" => "10.1.160.60",
                   "mac" => "52:54:00:d2:6d:21",
            "identifier" => "",
               "primary" => true,
             "provision" => true,
                  "type" => "interface" 
        },
        [1] {
                    "id" => 43686,
                  "name" => "",
                    "ip" => nil,
                   "mac" => "52:54:00:85:36:82",
            "identifier" => "",
               "primary" => false,
             "provision" => false,
                  "type" => "interface" 
        }
    ],
            "puppetclasses" => [],
            "config_groups" => [],
        "all_puppetclasses" => []
}
[DEBUG 2015-07-23 17:46:23 API] Response headers: {
                   :date => "Thu, 23 Jul 2015 15:46:20 GMT",
                 :server => "Apache/2.2.22 (Debian)",
           :x_powered_by => "Phusion Passenger (mod_rails/mod_rack) 3.0.13",
        :foreman_version => "1.8.2",
    :foreman_api_version => "2",
        :apipie_checksum => "e3bfd0c4952c158d0555df77379f5010",
        :x_ua_compatible => "IE=Edge,chrome=1",
                   :etag => "\"1fd03aa7ae5d66544cf80820d3275b69\"",
          :cache_control => "must-revalidate, private, max-age=0",
           :x_request_id => "f175345ed869d89e4afac0862a11c787",
              :x_runtime => "2.788702",
           :x_rack_cache => "miss",
             :set_cookie => [
        [0] "request_method=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT" 
    ],
                 :status => "200",
         :content_length => "1935",
             :connection => "close",
           :content_type => "application/json; charset=utf-8" 
}
[ INFO 2015-07-23 17:46:23 API] GET /api/hosts/22125/parameters
[DEBUG 2015-07-23 17:46:23 API] Params: {}
[DEBUG 2015-07-23 17:46:23 API] Headers: {
    :params => {}
}
[DEBUG 2015-07-23 17:46:25 API] 403 Forbidden
{
    "error" => {
        "message" => "Zugang verweigert",
        "details" => nil
    }
}
[ERROR 2015-07-23 17:46:25 Exception] Abgelehnt - Server verweigert die Verarbeitung der Anfrage
Abgelehnt - Server verweigert die Verarbeitung der Anfrage
[ERROR 2015-07-23 17:46:25 Exception] 

RestClient::Forbidden (403 Forbidden):
    /usr/lib/ruby/vendor_ruby/restclient/abstract_response.rb:74:in `return!'
    /usr/lib/ruby/vendor_ruby/restclient/request.rb:230:in `process_result'
    /usr/lib/ruby/vendor_ruby/restclient/request.rb:178:in `block in transmit'
    /usr/lib/ruby/2.1.0/net/http.rb:853:in `start'
    /usr/lib/ruby/vendor_ruby/restclient/request.rb:172:in `transmit'
    /usr/lib/ruby/vendor_ruby/restclient/request.rb:64:in `execute'
    /usr/lib/ruby/vendor_ruby/restclient/request.rb:33:in `execute'
    /usr/lib/ruby/vendor_ruby/restclient/resource.rb:51:in `get'
    /usr/lib/ruby/vendor_ruby/apipie_bindings/api.rb:280:in `call_client'
    /usr/lib/ruby/vendor_ruby/apipie_bindings/api.rb:211:in `http_call'
    /usr/lib/ruby/vendor_ruby/apipie_bindings/api.rb:161:in `call'
    /usr/lib/ruby/vendor_ruby/apipie_bindings/resource.rb:14:in `call'
    /usr/lib/ruby/vendor_ruby/hammer_cli_foreman/host.rb:194:in `get_parameters'
    /usr/lib/ruby/vendor_ruby/hammer_cli_foreman/host.rb:188:in `extend_data'
    /usr/lib/ruby/vendor_ruby/hammer_cli_foreman/commands.rb:376:in `send_request'
    /usr/lib/ruby/vendor_ruby/hammer_cli/apipie/command.rb:34:in `execute'
    /usr/lib/ruby/vendor_ruby/clamp/command.rb:68:in `run'
    /usr/lib/ruby/vendor_ruby/hammer_cli/abstract.rb:23:in `run'
    /usr/lib/ruby/vendor_ruby/clamp/subcommand/execution.rb:11:in `execute'
    /usr/lib/ruby/vendor_ruby/clamp/command.rb:68:in `run'
    /usr/lib/ruby/vendor_ruby/hammer_cli/abstract.rb:23:in `run'
    /usr/lib/ruby/vendor_ruby/clamp/subcommand/execution.rb:11:in `execute'
    /usr/lib/ruby/vendor_ruby/clamp/command.rb:68:in `run'
    /usr/lib/ruby/vendor_ruby/hammer_cli/abstract.rb:23:in `run'
    /usr/lib/ruby/vendor_ruby/clamp/command.rb:126:in `run'
    /usr/bin/hammer:108:in `<main>'

Related issues 1 (0 open, 1 closed)

Copied to Hammer CLI - Bug #11205: Request to /api/hosts/:id/parameters on host info is unnecessary (Duplicate, 07/23/2015)

#1

Updated by Dominic Cleal over 9 years ago

  • Description updated (diff)
#2

Updated by Dominic Cleal over 9 years ago

  • Subject changed from hammer permissions not working as expected to No permission to access /api/hosts/:id/parameters with view_hosts

As a poor workaround for the bug, if you grant some sort of view_domains permission to your user, I think this may give them sufficient access for this host parameters API.

Separately I'm going to copy this bug to Hammer, as I don't think it needs to make this particular request.

#3

Updated by Dominic Cleal over 9 years ago

  • Copied to Bug #11205: Request to /api/hosts/:id/parameters on host info is unnecessary added
#4

Updated by Rainer G over 9 years ago

Thanks, adding the view permissions fixed the problem. This leaves me with some questions; maybe you can shed some light on this.

1. Where from the debugs did you see that domain views were missing?
2. This behavior seems inconsistent, the user with these missing domain view privileges is able to create a host for the domain but is not able to view this host afterwards? Or am I getting something wrong here?

thanks again for looking into this so fast!

#5

Updated by Dominic Cleal over 9 years ago

Rainer G wrote:

> Thanks, adding the view permissions fixed the problem. This leaves me with some questions; maybe you can shed some light on this.
>
> 1. Where from the debugs did you see that domain views were missing?

I checked app/services/foreman/access_permissions.rb for any permission that would allow access to api/v2/parameters, which is where it needs adding I think for view_hosts.

> 2. This behavior seems inconsistent, the user with these missing domain view privileges is able to create a host for the domain but is not able to view this host afterwards? Or am I getting something wrong here?

They'd still need create_hosts permission to do that, it only affects parameters.
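
Added example, not part of the thread and not Foreman's code: a simplified model of the permission-to-action lookup discussed above, replaying the three requests from the hammer debug log against a user's permissions. The map contents, the route-to-controller pairs, the action names and all helper names are constructed assumptions that only mirror what the thread states (view_hosts does not cover api/v2/parameters, view_domains does).

```ruby
# Constructed, simplified permission map (NOT copied from Foreman's
# access_permissions.rb): permission name => { controller => [actions] }.
PERMISSION_MAP = {
  view_hosts:   { "api/v2/hosts"      => %i[index show] },
  create_hosts: { "api/v2/hosts"      => %i[create] },
  view_domains: { "api/v2/domains"    => %i[index show],
                  "api/v2/parameters" => %i[index show] }
}.freeze

# Requests seen in the debug log, expressed as controller/action pairs.
# The route-to-controller mapping and action names are assumptions.
HOST_INFO_CALLS = [
  ["GET /api/hosts",                "api/v2/hosts",      :index],
  ["GET /api/hosts/:id",            "api/v2/hosts",      :show],
  ["GET /api/hosts/:id/parameters", "api/v2/parameters", :index]
].freeze

# Every permission whose action list covers controller#action.
def permissions_granting(controller, action)
  PERMISSION_MAP.select { |_, routes| routes.fetch(controller, []).include?(action) }.keys
end

# Default deny: allowed only if the user holds at least one granting permission.
def authorized?(user_permissions, controller, action)
  !(permissions_granting(controller, action) & user_permissions).empty?
end

# Requests of a client workflow that would be refused for this user,
# each with the permissions that would unlock it.
def denied_calls(user_permissions, calls = HOST_INFO_CALLS)
  calls.reject { |_, c, a| authorized?(user_permissions, c, a) }
       .map { |label, c, a| { request: label, granted_by: permissions_granting(c, a) } }
end

if __FILE__ == $PROGRAM_NAME
  [[:view_hosts], [:view_hosts, :view_domains]].each do |perms|
    puts "#{perms.inspect}: #{denied_calls(perms).inspect}"
  end
end
```

Running the same check over every request a CLI command issues shows which permission each one depends on, so a role can be sized to the workflow before users hit a 403.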
