Bug #35125
open
Getting "NoPermission: Permission to perform this operation was denied." when edit host or compute profile
Description
Cloned from bugzilla "https://bugzilla.redhat.com/show_bug.cgi?id=2101986"
Description of problem:
Getting the below error when trying to edit a VMware host or edit a VMware compute profile.
-----------------
"Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied."
-----------------
Traceback in /var/log/foreman/production.log
-----------------
2022-06-29T12:06:21 [W|app|317ea02a] NoPermission: Permission to perform this operation was denied.
2022-06-29T12:06:21 [I|app|317ea02a] Backtrace for 'NoPermission: Permission to perform this operation was denied.' error (ActionView::Template::Error): NoPermission: Permission to perform this operation was denied.
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:63:in `parse_response'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/connection.rb:92:in `call'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:213:in `_call'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/basic_types.rb:76:in `block (2 levels) in init'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:10:in `find'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:97:in `block in traverse'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `each'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `inject'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/Folder.rb:96:in `traverse'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-2.2.0/lib/rbvmomi/vim/ServiceInstance.rb:11:in `find_datacenter'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:19:in `get_raw_datacenter'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb:14:in `find_raw_datacenter'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/list_networks.rb:11:in `list_networks'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/networks.rb:10:in `all'
317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:152:in `block in networks'
317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `instance_eval'
317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:68:in `get_uncached_value'
317ea02a | /usr/share/foreman/app/services/compute_resource_cache.rb:22:in `cache'
317ea02a | /usr/share/foreman/app/models/compute_resources/foreman/model/vmware.rb:151:in `networks'
317ea02a | /usr/share/foreman/app/helpers/compute_resources_vms_helper.rb:78:in `vsphere_networks'
317ea02a | /usr/share/foreman/app/views/compute_resources_vms/form/vmware/_network.html.erb:6:in `_b4393ee8b85d1c4bce3b12c61c7ac846'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/base.rb:274:in `_run'
317ea02a | /opt/theforeman/tfm/root/usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/template.rb:185:in `block in render'
<snip>
-----------------
Steps to Reproduce:
In VCenter:
1. Create a user with "No access" role to the root folder.
2. Create a datacenter with path structure "my_department/my_datacenter".
3. Assign "Administrator" role to the user in "my_department" folder and check "Propagate to children".
In Satellite:
1. Create a compute resource and select "my_department/my_datacenter" datacenter.
2. Go to Compute profiles page -> select any size -> select the vmware compute resource.
Actual results:
Oops, we're sorry but something went wrong NoPermission: Permission to perform this operation was denied.
Expected results:
No error
Additional info:
- The user has no read permission on the root folder, so "rbvmomi" failed to traverse from the root folder to find the datacenter.
- But this traversing action can actually be avoided because the module has already retrieved all the datacenters.
----------------------------
- "/opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/requests/compute/get_datacenter.rb"
def find_raw_datacenter(name)
  raw_datacenters.find { |d| d.name == name } || get_raw_datacenter(name)
end
------------------------------
The below methods set the datacenter as a path, causing the above method to match nothing and then call "get_raw_datacenter".
------------------------------
- /opt/theforeman/tfm/root/usr/share/gems/gems/fog-vsphere-3.5.0/lib/fog/vsphere/models/compute/datacenter.rb
def clusters(filters = {})
  service.clusters({ datacenter: path.join('/') }.merge(filters))
end

def networks(filters = {})
  service.networks({ datacenter: path.join('/') }.merge(filters))
end

def datastores(filters = {})
  service.datastores({ datacenter: path.join('/') }.merge(filters))
end

def storage_pods(filters = {})
  service.storage_pods({ datacenter: path.join('/') }.merge(filters))
end

def vm_folders(filters = {})
  service.folders({ datacenter: name, type: :vm }.merge(filters)) # <=== this is using name
end
------------------------------
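The name-versus-path mismatch described above, modelled as an added Ruby example; it is not fog-vsphere's code and not the change made in the linked pull request. `FakeService`, `Datacenter`, `find_by_name_only`, `find_by_name_or_path`, `traverse_from_root` and `lookup_outcome` are hypothetical names, and the datacenter data is constructed from the reproduction steps.

```ruby
# Constructed model of the lookup in this report; all names are hypothetical.
class NoPermission < StandardError; end

# Stand-in for a datacenter object the module has already retrieved.
Datacenter = Struct.new(:name, :path) do
  def full_path
    path.join('/')
  end
end

class FakeService
  attr_reader :root_traversals

  def initialize(datacenters, root_readable:)
    @raw_datacenters = datacenters
    @root_readable = root_readable
    @root_traversals = 0
  end

  # Same shape as the quoted find_raw_datacenter: compares the bare name only.
  def find_by_name_only(ident)
    @raw_datacenters.find { |d| d.name == ident } || traverse_from_root(ident)
  end

  # Assumed alternative: also match the folder path before falling back.
  def find_by_name_or_path(ident)
    @raw_datacenters.find { |d| d.name == ident || d.full_path == ident } ||
      traverse_from_root(ident)
  end

  private

  # Models the traversal from the root folder, which needs read access there.
  def traverse_from_root(ident)
    @root_traversals += 1
    raise NoPermission, 'Permission to perform this operation was denied.' unless @root_readable
    @raw_datacenters.find { |d| d.full_path == ident }
  end
end

# Returns the datacenter name found, or the error text a caller would see.
def lookup_outcome(service, method, ident)
  service.public_send(method, ident).name
rescue NoPermission => e
  "#{e.class}: #{e.message}"
end

dc = Datacenter.new('my_datacenter', %w[my_department my_datacenter])
scoped = FakeService.new([dc], root_readable: false) # "No access" on root
puts lookup_outcome(scoped, :find_by_name_only, dc.full_path)
puts lookup_outcome(scoped, :find_by_name_or_path, dc.full_path)
```

With an account that can read the root folder, the name-only lookup also succeeds, which is why the problem only surfaces when permissions are scoped to a subfolder.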
Updated by Hao Yu over 2 years ago
- Pull request https://github.com/fog/fog-vsphere/pull/277 added