Bug #1875
open
user restricted to compute resource(s) can create baremetal hosts
Description
Testing user permissions on foreman-1.0.1-1.el6.noarch
I set up a test account with a filter that only allows it to view and provision VMs on a single compute resource (libvirt). That seems to work as far as actually spawning the VMs but I haven't tested beyond that. However, if I try to create a baremetal instance with this restricted user, it actually does create a host entry (after reporting an error message) which is then invisible to the restricted user as it's not the visible compute resource.
This is fairly scary as a user could create dhcp reservations, dns entries, etc. without knowing it.
[root@ctrl ~]# grep thiswillpuke /var/lib/dhcpd/dhcpd.leases
host thiswillpuke.tuc.noao.edu {
  supersede host-name = "thiswillpuke.tuc.noao.edu";
[root@ctrl ~]# ls -la /tftpboot/pxelinux.cfg/01-00-11-22-33-44-55
-rw-rw-rw- 1 foreman-proxy foreman-proxy 206 Sep 27 11:19 /tftpboot/pxelinux.cfg/01-00-11-22-33-44-55
Also, deleting these created hosts is subject to Bug #1529 since they (presumably) are never provisioned.
Updated by Benjamin Papillon over 11 years ago
I tested against 1.1, the problem is still here. I'll retest when 1.2 is out
Updated by Greg Sutcliffe over 11 years ago
- Category set to Compute resources
- Target version set to 1.3.0
Agreed, we need to essentially remove the Bare Metal entry from the Deploy On field in the New Host form - probably best to make Bare Metal a form of compute resource, which can then be enabled / disabled per-user.
Sadly, with RC3 about to go out the door, it's not going to get a lot of testing if we rush it now. This feels like it's a bit of a risky change to make so close to the 1.2 release, so I'm going to schedule it for 1.3
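A simplified Ruby model of the behaviour reported in this ticket and of the direction proposed above (bare metal as a resource that is granted per user), added here as an illustration. It is not Foreman code: the `Provisioner` class, the `BARE_METAL` sentinel and all method names are hypothetical, and the `side_effects` list only stands in for the DHCP and TFTP entries shown in the description.

```ruby
# Simplified model of the reported behaviour; every name here is hypothetical.
class NotAuthorized < StandardError; end

BARE_METAL = :bare_metal # bare metal modelled as a grantable resource
User = Struct.new(:login, :allowed_resources)
Host = Struct.new(:name, :mac, :compute_resource, :owner)

class Provisioner
  attr_reader :hosts, :side_effects

  def initialize
    @hosts = []
    @side_effects = [] # stands in for DHCP leases and PXE config files
  end

  # Before: a host with no compute resource is saved and orchestrated, and
  # the visibility filter only runs afterwards, so the error comes too late.
  def create_unchecked(user, name, mac, resource = nil)
    host = commit(Host.new(name, mac, resource, user.login))
    raise NotAuthorized, "#{name} is not visible to #{user.login}" unless visible?(user, host)
    host
  end

  # After: "no compute resource" maps to BARE_METAL, which must be granted
  # like any other resource, and the check runs before any side effect.
  def create_checked(user, name, mac, resource = nil)
    target = resource || BARE_METAL
    unless user.allowed_resources.include?(target)
      raise NotAuthorized, "#{user.login} may not deploy on #{target}"
    end
    commit(Host.new(name, mac, target, user.login))
  end

  def visible?(user, host)
    user.allowed_resources.include?(host.compute_resource)
  end

  private

  def commit(host)
    @side_effects << "dhcp:#{host.mac}" << "tftp:01-#{host.mac.tr(':', '-')}"
    @hosts << host
    host
  end
end
```

In the unchecked path the caller sees an error while the host record and its network side effects remain; in the checked path a rejected request leaves both lists empty.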
Updated by Lukas Zapletal over 11 years ago
- Description updated (diff)
- Target version deleted (1.3.0)
We missed 1.3 as well :-(
Updated by Anonymous over 10 years ago
- Status changed from New to Assigned
- Assignee set to Anonymous
Updated by Anonymous over 10 years ago
- Status changed from Assigned to Ready For Testing
Updated by Dominic Cleal over 10 years ago
- Related to Feature #6810: Treat bare-metal provisioning the same way as other compute-resources added
Updated by Anonymous over 10 years ago
- Target version changed from 1.8.0 to 1.7.5
Updated by The Foreman Bot over 10 years ago
- Pull request https://github.com/theforeman/foreman/pull/1570 added
Updated by Anonymous over 10 years ago
- Related to Feature #4477: Improve permissions on resources in host creation/editing form added
Updated by Anonymous over 10 years ago
- Status changed from Ready For Testing to New
- Pull request added
- Pull request deleted (https://github.com/theforeman/foreman/pull/1570)
Updated by Anonymous over 10 years ago
- Target version changed from 1.7.5 to 1.7.4