Satellite / SAT-32710

subscription-manager environments --set raises Forbidden error until the user is Admin



      Description of problem:
      To change a host's LCE/CV environment, the `subscription-manager environments --set` command is used. The command requires authorization (until SAT-29869 is implemented).

      However, the authorizing user must be an Admin. No non-admin user can authorize the request, whatever roles it holds.
       

      How reproducible:
      100%
       

      Is this issue a regression from an earlier version:
      probably not
       

      Steps to Reproduce:

      1. Create a Satellite user and assign all roles to it. Do not set it as an Administrator.

      2. Have a Content Host registered to the Satellite.

      3. Change the Host's environment from the command line (even to the current environment):

      ```
      subscription-manager environments --set LCE/my_cv --username new_user --password its_password
      ```

      4. Try the same but for admin user.

      Actual behavior:
      Step 3 fails until the user is set as an Administrator.

      The error is recorded in production.log as:

      2025-04-15T19:50:58 [I|app|70246f26] Started PUT "/rhsm/consumers/f818fb3b-93c6-4f91-92df-4403121a4ac0" for 10.37.195.138 at 2025-04-15 19:50:58 +0200
      2025-04-15T19:50:58 [I|app|70246f26] Processing by Katello::Api::Rhsm::CandlepinProxiesController#facts as JSON
      2025-04-15T19:50:58 [I|app|70246f26]   Parameters: {"environments"=>[{"id"=>"509b13fc871c7b0472e7adafe1c5b2e0"}], "id"=>"f818fb3b-93c6-4f91-92df-4403121a4ac0"}
      ..
      2025-04-15T19:50:59 [E|kat|70246f26] Katello::HttpErrors::Forbidden: Access denied
       70246f26 | /usr/share/gems/gems/katello-4.14.0.6/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:304:in `deny_access'
       70246f26 | /usr/share/foreman/app/controllers/api/base_controller.rb:213:in `authorize'
       70246f26 | /usr/share/gems/gems/katello-4.14.0.6/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:469:in `authorize_client_or_user'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:427:in `block in make_lambda'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:179:in `block (2 levels) in halting_and_conditional'
       70246f26 | /usr/share/gems/gems/actionpack-6.1.7.8/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:180:in `block in halting_and_conditional'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:512:in `block in invoke_before'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:512:in `each'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:512:in `invoke_before'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:115:in `block in run_callbacks'
       70246f26 | /usr/share/gems/gems/katello-4.14.0.6/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb:37:in `repackage_message'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/foreman/app/controllers/concerns/foreman/controller/timezone.rb:10:in `set_timezone'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/gems/gems/audited-5.7.0/lib/audited/sweeper.rb:16:in `around'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/gems/gems/audited-5.7.0/lib/audited/sweeper.rb:16:in `around'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
       70246f26 | /usr/share/gems/gems/activesupport-6.1.7.8/lib/active_support/callbacks.rb:137:in `run_callbacks'
       70246f26 | /usr/share/gems/gems/actionpack-6.1.7.8/lib/abstract_controller/callbacks.rb:41:in `process_action'
       70246f26 | /usr/share/gems/gems/actionpack-6.1.7.8/lib/action_controller/metal/rescue.rb:22:in `process_action'
       70246f26 | /usr/share/gems/gems/actionpack-6.1.7.8/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
      ..
      

      Expected behavior:
      Step 3 should also work: some role should grant the relevant permission.

      Business Impact / Additional info:
      In `/usr/share/foreman/app/models/user.rb`:

      ```ruby
      def allowed_to?(action)
        return false if disabled?
        return true if admin?
        if action.is_a?(Hash) || action.is_a?(ActionController::Parameters)
          action = Foreman::AccessControl.normalize_path_hash(action)
          return true if editing_self?(action)
        end
        cached_roles.detect { |role| role.allowed_to?(action) }.present?
      end
      ```

      fails for `path_to_authenticate={"controller"=>"katello/api/rhsm/candlepin_proxies", "action"=>"facts", "id"=>"<host-uuid>"}`

      imho there is no role that allows the `facts` action..?
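As an added illustration (this is not Foreman's or Katello's code and is not part of the report), the following Ruby script models the decision order of `allowed_to?` quoted above with a constructed permission set: `Permission`, `Role` and `User` are toy structs, the `hosts`/`show` and `hosts`/`edit` action pairs are assumptions, and only the `katello/api/rhsm/candlepin_proxies`/`facts` path is taken from the report. It shows why a non-admin holding every role is still denied when no permission maps to that controller/action, why the admin flag short-circuits the check, and what a fix looks like (a permission that covers the action):

```ruby
# Toy model of Foreman's role-based check (added example, not project code).
# A Permission lists the controller/action pairs it covers; the pairs below
# are constructed for this demo and do not reflect Katello's real mapping.
Permission = Struct.new(:name, :actions) do
  def covers?(path)
    actions.include?([path["controller"], path["action"]])
  end
end

Role = Struct.new(:name, :permissions) do
  def allowed_to?(path)
    permissions.any? { |perm| perm.covers?(path) }
  end
end

User = Struct.new(:login, :admin, :disabled, :roles) do
  # Same order as the quoted User#allowed_to?: disabled users are refused,
  # admins bypass every role check, otherwise some role must grant the action.
  # editing_self? is left out because it only concerns a user editing its own
  # account, which is not what the RHSM proxy request does.
  def allowed_to?(path)
    return false if disabled
    return true if admin
    roles.any? { |role| role.allowed_to?(path) }
  end
end

# Constructed permissions: they cover ordinary host actions but nothing under
# the candlepin_proxies controller, which mirrors the symptom in the report.
VIEW_HOSTS = Permission.new("view_hosts", [["hosts", "show"]])
EDIT_HOSTS = Permission.new("edit_hosts", [["hosts", "edit"]])
ALL_ROLES  = [Role.new("Viewer", [VIEW_HOSTS]), Role.new("Edit hosts", [EDIT_HOSTS])]

# The path_to_authenticate hash from the report (host UUID elided as in the report).
FACTS_PATH = {
  "controller" => "katello/api/rhsm/candlepin_proxies",
  "action"     => "facts",
  "id"         => "<host-uuid>",
}

# Non-admin user holding every role, as in step 1 of the reproducer.
def new_user_allowed?
  User.new("new_user", false, false, ALL_ROLES).allowed_to?(FACTS_PATH)
end

# Same request authorized by an Administrator, as in step 4.
def admin_allowed?
  User.new("admin", true, false, ALL_ROLES).allowed_to?(FACTS_PATH)
end

# Names of the roles that would grant a given path; empty for the facts action.
def roles_granting(path, roles = ALL_ROLES)
  roles.select { |role| role.allowed_to?(path) }.map(&:name)
end

# What a fix looks like in this model: a permission that maps the facts action
# lets a non-admin through without touching the admin flag.
def new_user_allowed_after_fix?
  fixed_edit_hosts = Permission.new(
    "edit_hosts",
    EDIT_HOSTS.actions + [["katello/api/rhsm/candlepin_proxies", "facts"]]
  )
  role = Role.new("Edit hosts", [fixed_edit_hosts])
  User.new("new_user", false, false, [role]).allowed_to?(FACTS_PATH)
end

puts "non-admin with all roles: #{new_user_allowed?}"          # false
puts "admin:                    #{admin_allowed?}"             # true
puts "roles granting facts:     #{roles_granting(FACTS_PATH).inspect}"  # []
puts "non-admin after fix:      #{new_user_allowed_after_fix?}" # true
```

The `roles_granting` helper is the check worth running against a real instance: if it comes back empty for a path, no amount of role assignment will let a non-admin through, and the only remaining way past `allowed_to?` is the `admin?` shortcut, which is exactly the over-privilege the report complains about.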
