Bug #1875

user restricted to compute resource(s) can create baremetal hosts

Added by Joshua Hoblitt over 6 years ago. Updated almost 4 years ago.

Status: New
Priority: High
Category: Compute resources
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Testing user permissions on foreman-1.0.1-1.el6.noarch

I set up a test account with a filter that only allows it to view and provision VMs on a single compute resource (libvirt). That seems to work as far as actually spawning the VMs but I haven't tested beyond that. However, if I try to create a baremetal instance with this restricted user, it actually does create a host entry (after reporting an error message) which is then invisible to the restricted user as it's not the visible compute resource.

This is fairly scary as a user could create dhcp reservations, dns entries, etc. without knowing it.

[root@ctrl ~]# grep thiswillpuke /var/lib/dhcpd/dhcpd.leases
host thiswillpuke.tuc.noao.edu {
        supersede host-name = "thiswillpuke.tuc.noao.edu";

[root@ctrl ~]# ls -la /tftpboot/pxelinux.cfg/01-00-11-22-33-44-55 
-rw-rw-rw- 1 foreman-proxy foreman-proxy 206 Sep 27 11:19 /tftpboot/pxelinux.cfg/01-00-11-22-33-44-55

Also, deleting these created hosts is subject to Bug #1529 since they (presumably) are never provisioned.

Attachments:
foreman_hosts_as_admin.png (63.5 KB) Joshua Hoblitt, 09/27/2012 02:33 PM
foreman_hosts_post_error.png (56.9 KB) Joshua Hoblitt, 09/27/2012 02:33 PM
foreman_new_host.png (61.9 KB) Joshua Hoblitt, 09/27/2012 02:33 PM
foreman_new_host_error.png (59 KB) Joshua Hoblitt, 09/27/2012 02:33 PM
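An audit for the side effects shown in the report, as an added example that is not part of the original report or of Foreman's code: it parses dhcpd.leases host blocks and pxelinux.cfg file names and lists the entries missing from an expected inventory. The sample leases, the `EXPECTED` inventory and all function names are constructed assumptions.

```python
import re

# Constructed sample; only "thiswillpuke" and its MAC come from the report.
SAMPLE_LEASES = """\
host web01.example.org {
  hardware ethernet 52:54:00:aa:bb:01;
}
host old01.example.org {
  hardware ethernet 52:54:00:aa:bb:02;
}
host thiswillpuke.tuc.noao.edu {
  hardware ethernet 00:11:22:33:44:55;
        supersede host-name = "thiswillpuke.tuc.noao.edu";
}
host old01.example.org {
  dynamic;
  deleted;
}
"""
SAMPLE_PXE_FILES = ["01-52-54-00-aa-bb-01", "01-00-11-22-33-44-55", "default"]
# Assumption: name -> MAC inventory exported from the host list as an admin.
EXPECTED = {"web01.example.org": "52:54:00:aa:bb:01"}

HOST_RE = re.compile(r"^host\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
PXE_RE = re.compile(r"^01-((?:[0-9a-f]{2}-){5}[0-9a-f]{2})$", re.I)

def lease_hosts(text):
    """Return {hostname: mac or None} for host blocks still live in the leases file."""
    hosts = {}
    for name, body in HOST_RE.findall(text):
        if re.search(r"^\s*deleted;", body, re.M):
            hosts.pop(name.lower(), None)  # later journal entry removes the host
            continue
        m = MAC_RE.search(body)
        hosts[name.lower()] = m.group(1).lower() if m else None
    return hosts

def pxe_macs(filenames):
    """Return the MACs encoded in pxelinux.cfg file names (01-aa-bb-cc-dd-ee-ff)."""
    matches = (PXE_RE.match(f) for f in filenames)
    return {m.group(1).replace("-", ":").lower() for m in matches if m}

def find_orphans(leases_text, pxe_files, expected):
    """Return DHCP host entries and PXE MACs that the expected inventory lacks."""
    known = {n.lower() for n in expected}
    known_macs = {m.lower() for m in expected.values()}
    dhcp = {n: mac for n, mac in lease_hosts(leases_text).items() if n not in known}
    return {"dhcp_hosts": dhcp, "pxe_macs": sorted(pxe_macs(pxe_files) - known_macs)}

print(find_orphans(SAMPLE_LEASES, SAMPLE_PXE_FILES, EXPECTED))
```

On a real system, pass the contents of /var/lib/dhcpd/dhcpd.leases and the directory listing of /tftpboot/pxelinux.cfg instead of the samples.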

Related issues

Related to Foreman - Feature #6810: Treat bare-metal provisioning the same way as other compute-resources (New, 2014-07-29)
Related to Foreman - Feature #4477: Improve permissions on resources in host creation/editing form (Closed, 2014-02-27)

History

#1 Updated by Benjamin Papillon almost 6 years ago

I tested against 1.1, the problem is still here. I'll retest when 1.2 is out.

#2 Updated by Greg Sutcliffe almost 6 years ago

  • Category set to Compute resources
  • Target version set to 1.3.0

Agreed, we need to essentially remove the Bare Metal entry from the Deploy On field in the New Host form - probably best to make Bare Metal a form of compute resource, which can then be enabled / disabled per-user.

Sadly, with RC3 about to go out the door, it's not going to get a lot of testing if we rush it now. This feels like it's a bit of a risky change to make so close to the 1.2 release, so I'm going to schedule it for 1.3.

#3 Updated by Lukas Zapletal over 5 years ago

  • Description updated (diff)
  • Target version deleted (1.3.0)

We missed 1.3 as well :-(

#4 Updated by Dmitri Dolguikh over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Dmitri Dolguikh

#5 Updated by Dmitri Dolguikh over 4 years ago

  • Status changed from Assigned to Ready For Testing

#6 Updated by Dominic Cleal over 4 years ago

  • Target version set to 1.8.0

#7 Updated by Dominic Cleal over 4 years ago

  • Related to Feature #6810: Treat bare-metal provisioning the same way as other compute-resources added

#8 Updated by Dmitri Dolguikh over 4 years ago

  • Target version changed from 1.8.0 to 1.7.5

#9 Updated by The Foreman Bot over 4 years ago

  • Pull request https://github.com/theforeman/foreman/pull/1570 added

#10 Updated by Dmitri Dolguikh over 4 years ago

  • Related to Feature #4477: Improve permissions on resources in host creation/editing form added

#11 Updated by Dmitri Dolguikh over 4 years ago

  • Status changed from Ready For Testing to New
  • Pull request added
  • Pull request deleted (https://github.com/theforeman/foreman/pull/1570)

#12 Updated by Dmitri Dolguikh over 4 years ago

  • Target version changed from 1.7.5 to 1.7.4

#13 Updated by Ohad Levy over 4 years ago

  • Target version deleted (1.7.4)
