Feature Request
Resolution: Unresolved
Normal
2.4
Description
When using ansible.controller.export to export teams and users, the module fails when run as a lesser-privileged user.
Steps to Reproduce
1. Login as a SuperUser (e.g. 'admin') and create a new Organization via Organizations -> Add and give it a name, e.g. 'org-test', then hit save
2. Create a new user via Users -> Add. Give it a name, e.g. 'test_user', select 'Normal User' for the Usertype, set the password and set the Organization to the Organization created in step 1
3. Head to the created user's Roles via Users -> Select the user created in step 2 -> Roles
4. Click on Add
5. Select as 'resource type' 'Organization', click next
6. Select the Organization created in step 1, click next
7. Select Admin and click on Save
8. Ensure "All Users Visible to Organization Admins" is set to "On" in Settings -> Miscellaneous System settings
9. Create a team via Teams -> Add, give it a name and add it to the SuperUser's Organization (usually, 'Default')
10. Login as the user created in step 2 and verify that you can see both all teams and all users (including the SuperUser, e.g. 'admin')
11. Run the following playbook as Organization Admin (the user created in step 2, 'test_user'), but not as SuperUser
---
- hosts: 'localhost'
  gather_facts: false
  vars:
    controller_host: 'host.example.com'
    controller_username: 'test_user'
    controller_password: 'mypass'
    validate_certs: false
  tasks:
    - name: 'Export'
      ansible.controller.export:
        controller_host: '{{ controller_host }}'
        controller_username: '{{ controller_username }}'
        controller_password: '{{ controller_password }}'
        validate_certs: '{{ validate_certs }}'
        users: 'all'
        teams: 'all'
      register: 'teams'
    - name: 'Debug'
      ansible.builtin.debug:
        var: teams
Actual Behavior
The Ansible module ansible.controller.export fails with the following error:
fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Insufficient privileges on /api/v2/users/1/credentials/, inferring POST fields from description.\nForeign key 'organization' export failed for object /api/v2/teams/2/.\nForeign key 'organization' export failed for object /api/v2/teams/1/.\n",
"module_stdout": "\n{\"changed\": false, \"assets\": {\"users\": [{\"username\": \"admin\", \"first_name\": \"\", \"last_name\": \"\", \"email\": \"admin@example.com\", \"is_superuser\": true, \"is_system_auditor\": false, \"related\": {\"roles\": [{\"name\": \"Admin\", \"type\": \"role\", \"content_object\": {\"organization\": null, \"name\": \"jt-test\", \"type\": \"job_template\"}}, \{\"name\": \"System Administrator\", \"type\": \"role\"}]}, \"natural_key\": {\"username\": \"admin\", \"type\": \"user\"}}, {\"username\": \"test_user\", \"first_name\": \"\", \"last_name\": \"\", \"email\": \"\", \"is_superuser\": false, \"is_system_auditor\": false, \"related\": {\"roles\": [{\"name\": \"Execute\", \"type\": \"role\", \"content_object\": {\"organization\": null, \"name\": \"jt-test\", \"type\": \"job_template\"}}, \{\"name\": \"Member\", \"type\": \"role\", \"content_object\": {\"name\": \"org-test\", \"type\": \"organization\"}}, \{\"name\": \"Admin\", \"type\": \"role\", \"content_object\": {\"name\": \"org-test\", \"type\": \"organization\"}}]}, \"natural_key\": {\"username\": \"test_user\", \"type\": \"user\"}}], \"teams\": []}, \"invocation\": {\"module_args\": {\"controller_host\": \"https://lab-aap2-controller1.core.rh.scheib.me\", \"controller_username\": \"test_user\", \"controller_password\": \"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER\", \"validate_certs\": false, \"teams\": [\"all\"], \"users\": [\"all\"], \"all\": false, \"controller_oauthtoken\": null, \"controller_config_file\": null, \"organizations\": null, \"credential_types\": null, \"credentials\": null, \"notification_templates\": null, \"projects\": null, \"inventory\": null, \"inventory_sources\": null, \"job_templates\": null, \"workflow_job_templates\": null, \"execution_environments\": null, \"applications\": null, \"schedules\": null}}}\n\n{\"failed\": true, \"msg\": \"This endpoint raised an error: /api/v2/organizations/1/\\n\", \"exception\": \" File 
\\\"/tmp/ansible_ansible.controller.export_payload_z236y5ci/ansible_ansible.controller.export_payload.zip/ansible_collections/ansible/controller/plugins/modules/export.py\\\", line 185, in main
{\"controller_host\": \"https://lab-aap2-controller1.core.rh.scheib.me\", \"controller_username\": \"test_user\", \"controller_password\": \"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER\", \"validate_certs\": false, \"teams\": [\"all\"], \"users\": [\"all\"], \"all\": false, \"controller_oauthtoken\": null, \"controller_config_file\": null, \"organizations\": null, \"credential_types\": null, \"credentials\": null, \"notification_templates\": null, \"projects\": null, \"inventory\": null, \"inventory_sources\": null, \"job_templates\": null, \"workflow_job_templates\": null, \"execution_environments\": null, \"applications\": null, \"schedules\": null}
n File \\\"/tmp/ansible_ansible.controller.export_payload_z236y5ci/ansible_ansible.controller.export_payload.zip/ansible_collections/ansible/controller/plugins/module_utils/controller_api.py\\\", line 296, in exit_json
n super().exit_json(**kwargs)
n File \\\"/tmp/ansible_ansible.controller.export_payload_z236y5ci/ansible_ansible.controller.export_payload.zip/ansible/module_utils/basic.py\\\", line 1522, in exit_json
n sys.exit(0)\\n\", \"invocation\": {\"module_args\":}}\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
When running the same playbook with SuperUser credentials, everything works as expected.
Expected Behavior
The export module should work for lesser-privileged users and export only what is accessible to the user.
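A sketch of the requested behavior, added here as an illustration and not taken from ansible.controller or awxkit: the export resolves each team's 'organization' foreign key, and when the caller is denied access to it, the team is skipped and reported instead of the whole run failing. The in-memory API, the team names, the organization ids, the Forbidden exception and the 'skipped' result key are all assumptions constructed for this example.

```python
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the controller API (simulated)."""

# Constructed data: 'Default' (org 1) owns teams 1 and 2, 'org-test' (org 2) owns team 3.
API = {
    "/api/v2/organizations/1/": {"name": "Default"},
    "/api/v2/organizations/2/": {"name": "org-test"},
    "/api/v2/teams/1/": {"name": "team-a", "organization": "/api/v2/organizations/1/"},
    "/api/v2/teams/2/": {"name": "team-b", "organization": "/api/v2/organizations/1/"},
    "/api/v2/teams/3/": {"name": "team-c", "organization": "/api/v2/organizations/2/"},
}
# What an Organization Admin of org-test can read in this simulation:
# every team is visible, but only their own organization is.
ORG_ADMIN_READABLE = set(API) - {"/api/v2/organizations/1/"}

def get(url, readable):
    """Simulated GET that enforces the caller's read permissions."""
    if url not in readable:
        raise Forbidden(url)
    return API[url]

def export_teams(readable):
    """Export teams the caller can fully resolve; report the rest instead of aborting."""
    assets, skipped = [], []
    for url in sorted(u for u in API if "/teams/" in u and u in readable):
        team = get(url, readable)
        try:
            org = get(team["organization"], readable)
        except Forbidden as denied:
            # Design assumption: a team without its organization cannot be
            # re-imported, so it is left out and recorded, not treated as fatal.
            skipped.append({"object": url, "foreign_key": "organization",
                            "denied": str(denied)})
            continue
        assets.append({
            "name": team["name"],
            "organization": {"name": org["name"], "type": "organization"},
            "natural_key": {"name": team["name"], "type": "team"},
        })
    return {"changed": False, "assets": {"teams": assets}, "skipped": skipped}

if __name__ == "__main__":
    import json
    print(json.dumps(export_teams(ORG_ADMIN_READABLE), indent=2))
```

With the Organization Admin's permissions the result contains only the team in 'org-test' and lists the two teams whose organization could not be read; with full read access all three teams are exported and 'skipped' is empty.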