Project

General

Profile

Bug #34255

Provide support for "Privileged User" session when host console is being taken via cockpit from Satellite 6.7 UI

Added by Adam Ruzicka 4 months ago. Updated 4 months ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
Category:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1841534

Description of problem:

Satellite 6.7 currently supports connecting with the console of the Host from Satellite UI itself, via cockpit integration with the help of remote execution feature.

If the remote_execution_ssh_user is set to root or we are using a non-root user with password-less sudo configured, once we connect to the host console from Satellite it will by-default log in to the cockpit user as a privileged user.

But when the remote_execution_ssh_user is set to a non-root user requiring a password to perform sudo operations, the above scenario changes i.e. when we connect to the host console from Satellite it will fail to perform sudo at the backend and will log in to the cockpit UI as a normal user i.e. an "Unprivileged session"

Version-Release number of selected component (if applicable):
Satellite 6.7.0

How reproducible:
Always

Steps to Reproduce:
1. Register an RHEL 7\8 Client with RH Satellite 6.7.

2. Create a user named ansible on the client host and add it to the wheel group.

3. In satellite, make sure to configure the REX settings in this way.
SSH User: ansible
Effective User: root
Effective User Method: sudo
Sudo password: <password for ansible user to become root using sudo>

4. Share SSH-keys from Satellite to the "ansible@client host" so that Remote Jobs on the host can be executed.

5. Configure cockpit integration as per the following doc for both Satellite and the client host.
--> https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/managing_hosts/host_management_and_monitoring_using_red_hat_web_console

6. Go to Hosts --> All Hosts --> Click on the HOst --> Click on Web Console

7. Once in the cockpit UI of that host, Click on the "Subscriptions" tab.

Actual results:

In cockpit UI, we will be able to see the following message while accessing the "Subscriptions" tab
~~
The current user isn't allowed to access system subscription status.
Access denied
~
~

Reason: Unprivileged session as Satellite is not designed to pass the sudo password to the cockpit-bridge while performing the authentication.

Expected results:

From Satellite when we take the "Web Console" of a host using a non-root user, we should be able to get the session authenticated as "Privilege User" and should be able to see all the options and manage them.

Additional info:

History

#1 Updated by The Foreman Bot 4 months ago

  • Assignee set to Adam Ruzicka
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/680 added

Also available in: Atom PDF