Bug #33727

Unable to assign ansible roles to a host group via hammer/api with non-admin user

Added by Dominik Matoulek 10 months ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1999604

Description of problem:
It's not possible to assign ansible roles to a host group via hammer/api with a non-admin user.

How reproducible:
Always

Steps to Reproduce:
1. Create a role with the following permission set:

    hammer role filters --id 33

    ----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
    ID | RESOURCE TYPE | SEARCH | UNLIMITED? | OVERRIDE? | ROLE | PERMISSIONS
    ----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------
    335 | AnsibleRole | none | yes | no | api | view_ansible_roles
    336 | Architecture | none | yes | no | api | view_architectures
    337 | Operatingsystem | none | yes | no | api | view_operatingsystems
    338 | Parameter | none | yes | no | api | view_params, create_params, edit_params, destroy_params
    339 | Katello::ActivationKey | none | no | no | api | view_activation_keys
    340 | Katello::ContentView | none | no | no | api | view_content_views
    341 | Katello::KTEnvironment | none | no | no | api | view_lifecycle_environments
    342 | Hostgroup | none | no | no | api | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups, play...
    343 | Organization | none | no | no | api | view_organizations, assign_organizations
    344 | Domain | none | no | no | api | view_domains
    345 | Environment | none | no | no | api | view_environments
    346 | Host | none | no | no | api | view_hosts, create_hosts, edit_hosts, destroy_hosts, play_roles_on_host
    347 | Location | none | no | no | api | view_locations, assign_locations
    348 | Subnet | none | no | no | api | view_subnets, create_subnets, edit_subnets, destroy_subnets
    349 | SmartProxy | none | no | no | api | view_smart_proxies
    ----|------------------------|--------|------------|-----------|------|---------------------------------------------------------------------------------

2. Assign this role to a user.
3. Try to assign ansible roles to a HG with this user via WebUI --> SUCCESS
4. Try to assign ansible roles to a HG with this user via hammer --> FAIL:

    hammer -u api -p redhat hostgroup ansible-roles assign --id 1 --ansible-role-ids 3

    Could not assign roles to the hostgroup:
    Access denied
    Missing one of the required permissions: edit_hostgroups

Associated revisions

Revision 9d8e26bf (diff)
Added by Dominik Matoulek 9 months ago

Fixes #33727 - Fixed gathering of allowed actions for permission

Plugins can define their own permissions. They can also extend existing permissions with their own actions. Or not? I figured out that the definition of an existing permission in a plugin causes the creation of another Permission with the same name as its core counterpart but with only plugin-specific actions. Then, when you try to do some action defined by that plugin, you end up with the permission error.
It happens because the `allowed_actions` method looks for the permission via the `permission` method and it finds only the first occurrence of that permission, and that's the core one without the action defined in the plugin, and that never ends well.
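
The lookup problem described in the commit message, reduced to a small Ruby model. This is an added example, not Foreman's code and not the change made in revision 9d8e26bf: `Permission`, `REGISTRY`, the method names and the action strings are all constructed for illustration, and the merged lookup is one possible correction.

```ruby
# Simplified model of a first-match permission lookup. Not Foreman code:
# Permission, REGISTRY and every action string below are constructed.
Permission = Struct.new(:name, :actions)

# Core registers edit_hostgroups first; a plugin later registers a second
# entry with the same name that carries only its own action.
REGISTRY = [
  Permission.new("edit_hostgroups", ["hostgroups/edit", "hostgroups/update"]),
  Permission.new("view_hostgroups", ["hostgroups/index", "hostgroups/show"]),
  Permission.new("edit_hostgroups", ["plugin/hostgroups/assign_roles"]),
].freeze

# Buggy variant: find returns only the first entry for each name, so the
# plugin's actions are never reached.
def allowed_actions_first_match(granted_names, registry = REGISTRY)
  granted_names.flat_map do |name|
    entry = registry.find { |p| p.name == name }
    entry ? entry.actions : []
  end.uniq
end

# Merged variant: collect actions from every entry that shares the name.
def allowed_actions_all_matches(granted_names, registry = REGISTRY)
  registry.select { |p| granted_names.include?(p.name) }
          .flat_map(&:actions).uniq
end

# Regression check: permission names registered more than once, mapped to
# the actions a first-match lookup would silently drop.
def shadowed_actions(registry = REGISTRY)
  registry.group_by(&:name).each_with_object({}) do |(name, entries), out|
    next if entries.size < 2
    out[name] = entries.drop(1).flat_map(&:actions) - entries.first.actions
  end
end

def authorized?(action, allowed)
  allowed.include?(action)
end

if __FILE__ == $PROGRAM_NAME
  granted = ["view_hostgroups", "edit_hostgroups"]
  action = "plugin/hostgroups/assign_roles"
  puts "first match: #{authorized?(action, allowed_actions_first_match(granted))}"
  puts "all matches: #{authorized?(action, allowed_actions_all_matches(granted))}"
  puts "shadowed:    #{shadowed_actions.inspect}"
end
```

A check like `shadowed_actions` fits in a test suite that loads all plugins, since the failure only appears for non-admin users and is easy to miss when testing as admin.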

History

#1 Updated by Dominik Matoulek 10 months ago

  • Triaged changed from No to Yes
  • Assignee set to Dominik Matoulek
  • Category set to Users, Roles and Permissions
  • Subject changed from Unable to assign ansible roles to a host group via hammer/api with non-admin user to Unable to assign ansible roles to a host group via hammer/api with non-admin user

#2 Updated by The Foreman Bot 10 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8857 added

#3 Updated by The Foreman Bot 9 months ago

  • Fixed in Releases 3.1.0 added

#4 Updated by Dominik Matoulek 9 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by The Foreman Bot 9 months ago

  • Pull request https://github.com/theforeman/foreman/pull/8890 added
