Bug #33727
Unable to assign ansible roles to a host group via hammer/api with non-admin user
Status: Closed
Priority: Normal
Assignee:
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1999604
Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.
How reproducible:
Always
Steps to Reproduce:
1. Create a role with the following permission set:
- hammer role filters --id 33
~~
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
ID | RESOURCE TYPE | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
335 | AnsibleRole | none | yes | no | api | view_ansible_roles
336 | Architecture | none | yes | no | api | view_architectures
337 | Operatingsystem | none | yes | no | api | view_operatingsystems
338 | Parameter | none | yes | no | api | view_params, create_params, edit_params, destroy_params
339 | Katello::ActivationKey | none | no | no | api | view_activation_keys
340 | Katello::ContentView | none | no | no | api | view_content_views
341 | Katello::KTEnvironment | none | no | no | api | view_lifecycle_environments
342 | Hostgroup | none | no | no | api | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
343 | Organization | none | no | no | api | view_organizations, assign_organizations
344 | Domain | none | no | no | api | view_domains
345 | Environment | none | no | no | api | view_environments
346 | Host | none | no | no | api | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host
347 | Location | none | no | no | api | view_locations, assign_locations
348 | Subnet | none | no | no | api | view_subnets, create_subnets, edit_subnets, destroy_subnets
349 | SmartProxy | none | no | no | api | view_smart_proxies
----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
~~
2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:
- hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3
~~
Could not assign roles to the hostgroup:
Access denied
Missing one of the required permissions: edit_hostgroups
~~
Associated revisions
History
#1
Updated by Dominik Matoulek over 1 year ago
- Triaged changed from No to Yes
- Assignee set to Dominik Matoulek
- Category set to Users, Roles and Permissions
- Subject changed from Unable to assign ansible roles to a host group via hammer/api with non-admin user to Unable to assign ansible roles to a host group via hammer/api with non-admin user
#2
Updated by The Foreman Bot over 1 year ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/8857 added
#3
Updated by The Foreman Bot over 1 year ago
- Fixed in Releases 3.1.0 added
#4
Updated by Dominik Matoulek over 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|9d8e26bf226b087933d93c3db172c69c97cb9f5d.
#5
Updated by The Foreman Bot over 1 year ago
- Pull request https://github.com/theforeman/foreman/pull/8890 added
Fixes #33727 - Fixed gathering of allowed actions for permission
Plugins can define their own permissions. They can also extend existing permissions with their own actions. Or not? I figured out that defining an existing permission in a plugin causes the creation of another Permission with the same name as the core counterpart but with only plugin-specific actions. Then, when you try to do some action defined by that plugin, you end up with a permission error.
It happens because the `allowed_actions` method looks for the permission via the `permission` method, and it finds only the first occurrence of that permission, and that's the core one without the action defined in the plugin, and that never ends well.
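The lookup problem described in the commit message, reduced to a stand-alone Ruby model. This is an added example, not Foreman's code or the code from the pull request; `PermissionRecord`, `REGISTRY`, the helper names and the action strings are constructed for illustration, and merging actions across same-named records is an assumed remedy, not necessarily the one the changeset applied.

```ruby
# Simplified model, not Foreman's implementation.
# PermissionRecord, REGISTRY and the action strings are constructed.
PermissionRecord = Struct.new(:name, :actions)

# Core registers edit_hostgroups first. A plugin then registers a second
# record under the same name that carries only its own action.
REGISTRY = [
  PermissionRecord.new("edit_hostgroups", ["core/hostgroups/update"]),
  PermissionRecord.new("view_hostgroups", ["core/hostgroups/index"]),
  PermissionRecord.new("edit_hostgroups", ["plugin/hostgroups/assign_roles"])
].freeze

# Behaviour described as the bug: only the first record whose name
# matches is consulted, so the plugin's action is never seen.
def allowed_actions_first_match(granted)
  granted.flat_map do |name|
    record = REGISTRY.find { |p| p.name == name }
    record ? record.actions : []
  end.uniq
end

# Assumed remedy: gather the actions of every record sharing the name.
def allowed_actions_all_matches(granted)
  REGISTRY.select { |p| granted.include?(p.name) }.flat_map(&:actions).uniq
end

# Authorization decision for one action under the chosen lookup strategy.
def authorized?(strategy, granted, action)
  send(strategy, granted).include?(action)
end

# Audit helper: permission names registered more than once, which is the
# precondition for the first-match lookup to drop actions.
def duplicate_permission_names
  REGISTRY.group_by(&:name).select { |_, records| records.size > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  granted = %w[view_hostgroups edit_hostgroups]
  action = "plugin/hostgroups/assign_roles"
  puts "first match: #{authorized?(:allowed_actions_first_match, granted, action)}"
  puts "all matches: #{authorized?(:allowed_actions_all_matches, granted, action)}"
  puts "duplicated names: #{duplicate_permission_names.inspect}"
end
```

The user holds `edit_hostgroups` in both cases; only the lookup strategy decides whether the plugin action is authorized, which is why the report's "Missing one of the required permissions: edit_hostgroups" message appears for a user who already has that permission.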