Project

General

Profile

Bug #14505

Foreman smart proxy puppetca certificates not shown

Added by Robert Heinzmann over 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

I have a user with the following permissions:

shell# hammer --output json user info --login XXXX
{
  "Id": XXXX,
  "Login": "XXXXX",
  "Name": "XXXXXXXXXXXXXXXX",
  "Email": "XXXXXXXXXXXXXXXXX",
  "Admin": false,
  "Authorized by": {
    "id": 1,
    "type": "AuthSourceInternal",
    "name": "Internal" 
  },
  "Locale": "XX",
  "Timezone": "XX",
  "Last login": "XXXXXXXXXXXXX",
  "Default organization": null,
  "Default location": null,
  "Roles": [
    {
      "name": "AccountAdministrator",
      "id": 9
    },
    {
      "name": "Anonymous",
      "id": 8
    }
  ],
  "User groups": [

  ],
  "Created at": "XXXX",
  "Updated at": "XXXX" 
}

shell# hammer --output json filter list --search "--role=AccountAdministrator" 

  {
    "Id": XXXX,
    "Resource type": "SmartProxy",
    "Search": "none",
    "Unlimited?": true,
    "Role": {
      "name": "AccountAdministrator",
      "id": XXXX
    },
    "Permissions": [
      "view_smart_proxies",
      "view_smart_proxies_autosign",
      "view_smart_proxies_puppetca",
      "edit_smart_proxies_puppetca",
      "destroy_smart_proxies_puppetca" 
    ]
  },

However on centos7 + foreman-1.11.0-1.el7.noarch I can not see the certificates (See Screeshot)

If I grant "Manager" permissions to the user, it still does not work.

Associated revisions

Revision a88d4a3e (diff)
Added by Tomer Brisker over 4 years ago

Fixes #14505 - Correct authorization of broken smart proxy actions

Because the controller is named "smart_proxies" but the puppetca and
autosign actions are implemented in seperate controllers,
authorized_via_my_scope fails to find the correct permission.
This also fixes the link to show proxy when viewing as non-admin user.

Revision 5d7fa5fd (diff)
Added by Tomer Brisker over 4 years ago

Fixes #14505 - Correct authorization of broken smart proxy actions

Because the controller is named "smart_proxies" but the puppetca and
autosign actions are implemented in seperate controllers,
authorized_via_my_scope fails to find the correct permission.
This also fixes the link to show proxy when viewing as non-admin user.

(cherry picked from commit a88d4a3e9790bf863634688b286ec6f9eed12907)

History

#1 Updated by Dominic Cleal over 4 years ago

  • Description updated (diff)
  • Category set to PuppetCA
  • Legacy Backlogs Release (now unused) set to 141

Authorisation related issue, as admin privileges work.

#2 Updated by Robert Heinzmann over 4 years ago

One note: If I set user "admin", everything works as expected.

#3 Updated by Tomer Brisker over 4 years ago

  • Category changed from PuppetCA to Users, Roles and Permissions
  • Status changed from New to Assigned
  • Assignee set to Tomer Brisker

A quick investigation leads me to believe many of the permissions for smart proxies are broken. Changing to authorization.

#4 Updated by The Foreman Bot over 4 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3397 added

#5 Updated by Tomer Brisker over 4 years ago

  • Bugzilla link set to 1324516

#6 Updated by Anonymous over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Robert Heinzmann over 4 years ago

I tested the patch on our installation, and now everything works ok. I can see the Tabs.

Also available in: Atom PDF