Bug #5664

Users permissions on hosts are not working properly with organizations

Added by Dotan Paz about 4 years ago. Updated 6 days ago.

Status:Closed
Priority:Urgent
Assignee:Marek Hulán
Category:Authorization
Target version:1.5.1
Difficulty: Team Backlog:
Triaged: Fixed in Releases:
Bugzilla link:1107702 Found in Releases:1.5.0
Pull request:

Description

Hi ,
After an upgrade from 1.4.1 to 1.5 , users are unable to perform their old tasks (build ,run puppet , edit hosts etc) .
After taking a closer look at the user permissions , I've noticed that old user roles were renamed to "Anonymous_<username>_<oldrole> " .
I really have to sort it out quickly since users can't work .
I tried removing the new roles and adding back the old ones but it didn't fix everything ,now those "manually edited" users appear in red under:
organizations --> QE-Test->users
and cannot be associated with the org (qe-test).

Thanks !


Related issues

Related to Foreman - Bug #5879: undefined local variable or method `scoped_search_definit... Closed 05/22/2014
Related to Foreman - Bug #5541: Filter of resource type Organization can result in error ... Closed 05/01/2014
Blocks Foreman - Tracker #4552: New permissions/authorization system issues New 03/05/2014

Associated revisions

Revision 82b4749e
Added by Marek Hulán about 4 years ago

Fixes #5664 - Host filters can use taxonomies

Also disables taxonomy filters on resources that do not support them.

Revision 9ed89b70
Added by Marek Hulán about 4 years ago

Fixes #5664 - Host filters can use taxonomies

Also disables taxonomy filters on resources that do not support them.

(cherry picked from commit 82b4749eeddabc542ebf1eaec6fdf2d76d2fdd75)

History

#1 Updated by Dominic Cleal about 4 years ago

  • Tracker changed from Feature to Bug
  • Target version set to 1.8.3

Were any permissions assigned to the new roles? What permissions were assigned to users in 1.4?

#2 Updated by Dominic Cleal about 4 years ago

  • Category changed from Authentication to Authorization

#3 Updated by Marek Hulán about 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Marek Hulán

#4 Updated by Marek Hulán about 4 years ago

The migration assigned all filters to user's organizations, however Host filters do not support organizations (they do not include Taxonomix) and hosts can be assigned only to one organization. The code that searches filters raised an exception which is ignored silently and the result of searching was an empty set.

To remove host filter taxonomy associations you can run these two commands in rails console. The second one should print true. Don't forget to backup your database before running it. This will remove any organization assignment of host filters. It may not be your desired setup so be careful.

filters = Filter.all.select { |filter| filter.resource_type == 'Host'&& !filter.taxonomy_search.nil?  }
filters.map { |filter| filter.update_attribute :taxonomy_search, nil }

I'll work on fixing taxonomy filters for hosts and disallowing it for resources that do not support them. Also I'll try to find the silent exception swallowing and remove it.

#5 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 16

#6 Updated by Dominic Cleal about 4 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

#7 Updated by Marek Hulán about 4 years ago

  • Subject changed from Users permissions in 1.5 are not working properly to Users permissions on hosts are not working properly with organizations
  • Status changed from Assigned to Ready For Testing

Migration works correctly. I fixed the scopes on Host object, since it does not include Taxonomix (because host belongs to one taxonomy) we have to define scope manually.

PR is here https://github.com/theforeman/foreman/pull/1438

#8 Updated by Marek Hulán about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#9 Updated by Dominic Cleal about 4 years ago

  • Related to Bug #5879: undefined local variable or method `scoped_search_definition' setting when setting permission filters added

#10 Updated by Dominic Cleal about 4 years ago

  • Related to Bug #5541: Filter of resource type Organization can result in error condition when trying to access organization resources added

#11 Updated by Bryan Kearney about 4 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1107702

Also available in: Atom PDF