Bug #2645

non-admin users can not create a Smart Variable or Smart Class Parameter

Added by Jason Montleon about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Authorization
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

There is no way to assign permissions to a user that will allow them to create or edit a Smart Class Parameter or Smart Variable.

They can navigate to More>Configuration>Puppet Classes, select a class, attempt to edit it, and can even click Submit, without receiving an error, but the create/edit fails to do anything.

This issue appears to exist for both 1.1 and 1.2

Dominic pointed me to http://projects.theforeman.org/issues/show/2386, which at least addresses part of the problem in 1.2, in that users can at least override existing parameters inherited by their host, but I'd still like to be able to allow users to create the parameters they need themselves.


Related issues

Related to Foreman - Bug #2386: No way to set create_lookupvalue and related permissions (Closed, 2013-04-10)

Associated revisions

Revision ff2677e3 (diff)
Added by Joseph Magen about 6 years ago

fixes #2645 - non-admin users can now create smart variables

Revision f4b2185c (diff)
Added by Joseph Magen about 6 years ago

fixes #2645 - non-admin users can now create smart variables
(cherry picked from commit ff2677e3c6689388958f055c50ad075191510e87)

History

#1 Updated by Dominic Cleal about 6 years ago

  • Category set to Authorization
  • Target version set to 1.2.0

#2 Updated by Joseph Magen about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Joseph Magen

#3 Updated by Joseph Magen about 6 years ago

  • Status changed from Assigned to Ready For Testing

https://github.com/theforeman/foreman/pull/728

Jason, can you test if this PR works?

#4 Updated by Jason Montleon about 6 years ago

I applied this and restarted httpd (using passenger) and as far as I can tell this made no difference in the behavior. It still just flips me back from the "Smart Variables" to the "Puppet Class" tab and refuses to save.

#5 Updated by Joseph Magen about 6 years ago

Jason,

You're right. My change had no effect, since I previously overrode enforce_permissions in lookup_value.rb (the class for smart variables).

The non-admin has permission if the fqdn matches or the hostgroup matches.

when /^fqdn=(.*)/
  # check if current fqdn is in our allowed list
  Host.my_hosts.where(:name => $1).exists?
when /^hostgroup=(.*)/
  # check if current hostgroup is in our allowed list
  Hostgroup.my_groups.where(:label => $1).exists?

Does the smart variable that you are trying to create have a matcher on fqdn or hostgroup?

#6 Updated by Jason Montleon about 6 years ago

I just edited a host in my 1.2 test setup and added a parameter to make sure I had access to edit it and I do.

I then went to create a smart variable with a matcher rule for the fqdn of the same host. It did not save, as has been the case.

When I went to edit the Value of an already existing smart variable that matches fqdn=<host> it told me "You do not have permission to edit this lookupkey"

In the production 1.1 system we originally found this problem in, the match rule was very specific, for a single host which was created by the user trying to create the smart variable.

Also, since there is a default value, which will apply to any host with the class, regardless of the match rule/value parameter how is the permission taken care of for this (my thought was that it would be possible to allow a user to edit smart variables/parameters globally or even on a per environment or puppet class level down the road...)

#7 Updated by Joseph Magen about 6 years ago

Jason,

I think it may be due to the setup in roles/permissions. Go to http://yourdomain/roles/report

Btw, Redmine is not sending me e-mail notifications even though the setting is set. Can you email me at so I can respond quicker.

Creating Smart Variables or Smart Class Parameters adds a record to the lookup_keys table in the database.
Overriding values based on a matcher adds a record to the lookup_values table in the database.

If you look at lib/foreman/access_permissions.rb, there are different roles for managing lookup_keys versus lookup_values.

To create, update, or destroy a Smart Variable (lookup_key), you need the role of Edit Puppetclasses.
To create, update, or destroy an Overridden Value (lookup_value), you need the role of Create/Edit/Destroy External Variables.

# excerpt: write actions on lookup_keys granted through the puppet class permission
map.permission :edit_puppetclasses, {:puppetclasses          => [:edit, :update],
                                     :"api/v1/puppetclasses" => [:update],
                                     :"api/v2/puppetclasses" => [:update],
                                     :"lookup_keys"          => [:create, :update, :destroy],
                                     :"api/v1/lookup_keys"   => [:create, :update, :destroy],
                                     :"api/v2/lookup_keys"   => [:create, :update, :destroy]}

# excerpt: permissions covering both lookup_keys and lookup_values
map.security_block :external_variables do |map|
  map.permission :view_external_variables,    {:lookup_keys   => [:index, :show, :auto_complete_search],
                                               :lookup_values => [:index]}
  map.permission :create_external_variables,  {:lookup_keys   => [:new, :create],
                                               :lookup_values => [:create]}
  map.permission :edit_external_variables,    {:lookup_keys   => [:edit, :update],
                                               :lookup_values => [:create, :update, :destroy]}
  map.permission :destroy_external_variables, {:lookup_keys   => [:destroy],
                                               :lookup_values => [:destroy]}
end
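
The two checks described in comments #5 and #7, combined in an added example that is not Foreman's code or part of either comment: the permission map is transcribed from the excerpt above, while the method names, the plain arrays standing in for `Host.my_hosts` and `Hostgroup.my_groups`, and the deny-by-default `else` branch are assumptions made for illustration.

```ruby
# Added example: permission => {controller => actions}, transcribed from comment #7.
PERMISSIONS = {
  edit_puppetclasses: {
    "puppetclasses"        => %i[edit update],
    "api/v1/puppetclasses" => %i[update],
    "api/v2/puppetclasses" => %i[update],
    "lookup_keys"          => %i[create update destroy],
    "api/v1/lookup_keys"   => %i[create update destroy],
    "api/v2/lookup_keys"   => %i[create update destroy]
  },
  view_external_variables: {
    "lookup_keys"   => %i[index show auto_complete_search],
    "lookup_values" => %i[index]
  },
  create_external_variables: {
    "lookup_keys" => %i[new create], "lookup_values" => %i[create]
  },
  edit_external_variables: {
    "lookup_keys" => %i[edit update], "lookup_values" => %i[create update destroy]
  },
  destroy_external_variables: {
    "lookup_keys" => %i[destroy], "lookup_values" => %i[destroy]
  }
}.freeze

# Layer 1 (role level): which permissions grant this controller action?
def permissions_granting(controller, action)
  PERMISSIONS.select { |_, map| map.fetch(controller, []).include?(action) }.keys
end

def action_allowed?(granted, controller, action)
  !(permissions_granting(controller, action) & granted).empty?
end

# Layer 2 (record level): the matcher check from comment #5, with arrays
# standing in for the Host.my_hosts / Hostgroup.my_groups scopes.
def matcher_allowed?(match, my_hosts:, my_groups:)
  case match
  when /^fqdn=(.*)/      then my_hosts.include?($1)
  when /^hostgroup=(.*)/ then my_groups.include?($1)
  else false # assumption: any other matcher is denied for a non-admin
  end
end

# A non-admin override needs both layers to pass.
def can_override?(granted, match, my_hosts:, my_groups:)
  action_allowed?(granted, "lookup_values", :create) &&
    matcher_allowed?(match, my_hosts: my_hosts, my_groups: my_groups)
end
```

Running `permissions_granting` over each controller action is a quick way to audit a role: in this map `lookup_keys#new` is granted only by `create_external_variables`, while `lookup_keys#create` is also granted by `edit_puppetclasses`.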

#8 Updated by Jason Montleon about 6 years ago

I went one further over the weekend and applied every permission available in the role (used check all and verified everything was checked before submitting) and went back as the user and tried again. I am still unable to create a smart variable as the user.

Even before that I had all of the puppet classes and external variables permissions applied, save for import puppet classes.

#9 Updated by Jason Montleon about 6 years ago

I should also add that I have Orgs and Locs enabled, in case that makes a difference...

#10 Updated by Jason Montleon about 6 years ago

The other interesting thing is that I still cannot go in and add a matcher-value if I go into More>Configuration>Puppet Classes and try to edit a Smart Class Parameter or Smart Variable and add fqdn=<host>. But if I go and edit the same host and override the value on the host it works fine and even shows up as a Match on the parameter afterward.

#11 Updated by Joseph Magen about 6 years ago

Jason, what is the error? Can you attach or pastie a log file? I'm at a loss, since when I logged in as a non-admin, I can create/edit smart variables???

#12 Updated by Joseph Magen about 6 years ago

Hi Jason, I found the error together with Amos. Check it out.
https://github.com/theforeman/foreman/pull/728

#13 Updated by Jason Montleon about 6 years ago

I think I mentioned it over irc, but the pull in the previous comment appears to fix this.

#14 Updated by Joseph Magen about 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
