Summary¶

When logged in as a user with a role which has filters that limit access based on facts, the user is unable to retrieve fact_values. Suspected cause is a bug with SQL query rendering. Behavior and error reports are listed below.

References to $curl below are executed as curl -u linuxsysadmin:<password> -s https://<foreman-url>

Steps to reproduce¶

1. Centos 7 + Foreman 1.8.3.
2. Create role "Linux Sysadmin"
3. Create user "linuxsysadmin" and assign to role "Linux Sysadmin"
4. Assign these filters to the "Linux Sysadmin" role:
   - view_hosts, destroy_hosts: "facts.kernel ~ linux"
   - view_facts: unlimited
5. Run this: $curl/api/hosts
   - Result: Works as expected - output not shown.
6. Run this: $curl/api/v2/hosts
   - Result: Works as expected - output not shown.
7. Run this: $curl/api/fact_values
   - Result: Error: PGError: ERROR: missing FROM-clause entry for table \"fact_names_456810\"\n ...
   

   {
     "error": {
       "message": "PGError: ERROR:  missing FROM-clause entry for table \"fact_names_456810\"\n
   LINE 1: ...ames\".\"id\" = \"fact_values\".\"fact_name_id\" WHERE ((fact_names...\n
   ^\n: SELECT  \"fact_values\".\"id\" AS t0_r0, \"fact_values\".\"value\" AS t0_r1, \"fact_values\".\"fact_name_id\" AS t0_r2,
   \"fact_values\".\"host_id\" AS t0_r3, \"fact_values\".\"updated_at\" AS t0_r4, \"fact_values\".\"created_at\" AS t0_r5, 
   \"fact_names\".\"id\" AS t1_r0, \"fact_names\".\"name\" AS t1_r1, \"fact_names\".\"updated_at\" AS t1_r2, 
   \"fact_names\".\"created_at\" AS t1_r3, \"fact_names\".\"compose\" AS t1_r4, \"fact_names\".\"short_name\" AS t1_r5, 
   \"fact_names\".\"type\" AS t1_r6, \"fact_names\".\"ancestry\" AS t1_r7, \"hosts\".\"id\" AS t2_r0, \"hosts\".\"name\" AS t2_r1,
   \"hosts\".\"last_compile\" AS t2_r2, \"hosts\".\"last_freshcheck\" AS t2_r3, \"hosts\".\"last_report\" AS t2_r4, 
   \"hosts\".\"updated_at\" AS t2_r5, \"hosts\".\"source_file_id\" AS t2_r6, \"hosts\".\"created_at\" AS t2_r7, 
   \"hosts\".\"root_pass\" AS t2_r8, \"hosts\".\"serial\" AS t2_r9, \"hosts\".\"puppet_status\" AS t2_r10, 
   \"hosts\".\"architecture_id\" AS t2_r11, \"hosts\".\"operatingsystem_id\" AS t2_r12, \"hosts\".\"environment_id\" AS t2_r13, 
   \"hosts\".\"ptable_id\" AS t2_r14, \"hosts\".\"medium_id\" AS t2_r15, \"hosts\".\"build\" AS t2_r16, \"hosts\".\"comment\" AS t2_r17, 
   \"hosts\".\"disk\" AS t2_r18, \"hosts\".\"installed_at\" AS t2_r19, \"hosts\".\"model_id\" AS t2_r20, \"hosts\".\"hostgroup_id\" AS t2_r21, 
   \"hosts\".\"owner_id\" AS t2_r22, \"hosts\".\"owner_type\" AS t2_r23, \"hosts\".\"enabled\" AS t2_r24, \"hosts\".\"puppet_ca_proxy_id\" AS t2_r25, 
   \"hosts\".\"managed\" AS t2_r26, \"hosts\".\"use_image\" AS t2_r27, \"hosts\".\"image_file\" AS t2_r28, \"hosts\".\"uuid\" AS t2_r29, 
   \"hosts\".\"compute_resource_id\" AS t2_r30, \"hosts\".\"puppet_proxy_id\" AS t2_r31, \"hosts\".\"certname\" AS t2_r32, \"hosts\".\"image_id\" AS t2_r33, 
   \"hosts\".\"organization_id\" AS t2_r34, \"hosts\".\"location_id\" AS t2_r35, \"hosts\".\"type\" AS t2_r36, \"hosts\".\"otp\" AS t2_r37, 
   \"hosts\".\"realm_id\" AS t2_r38, \"hosts\".\"compute_profile_id\" AS t2_r39, \"hosts\".\"provision_method\" AS t2_r40, \"hosts\".\"grub_pass\" AS t2_r41 
   FROM \"fact_values\" INNER JOIN \"hosts\" ON \"hosts\".\"id\" = \"fact_values\".\"host_id\" 
   AND \"hosts\".\"type\" IN ('Host::Managed') 
   LEFT OUTER JOIN \"fact_names\" ON \"fact_names\".\"id\" = \"fact_values\".\"fact_name_id\" 
   WHERE ((fact_names_456810.\"name\" = 'kernel') 
   AND (\"fact_values_456810\".\"value\" ILIKE '%Linux%')) 
   AND (fact_names.name <> '_timestamp') 
   ORDER BY \"fact_values\".\"value\" ASC NULLS FIRST  LIMIT 20 OFFSET 0" 
     }
   }
   

8. Run this: $curl/api/v2/fact_values
   - Result: Empty result set, but no error.
   

   {
     "results": {},
     "sort": {
       "order": null,
       "by": null
     },
     "search": "",
     "per_page": 20,
     "page": 1,
     "subtotal": 0,
     "total": 0
   }