Api calls as non-admin user

bin-doph · July 4, 2025, 3:04pm

Problem:
Hi,

some API calls as non-admin users take extremely long to execute for me on multiple instances, for example

listing about 2000 hosts
/api/hosts?per_page=all
admin: 90 seconds
non admin: 300 seconds

importing 100 puppet classes, even with no changes
/api/environments/1/smart_proxies/1/import_puppetclasses
admin: 1,5 seconds
non admin: 14 minutes

Example log output for importing puppet classes via api,

user without admin flag:
2025-07-04T14:29:09 [I|app|51abb135] Started POST “/api/environments/1/smart_proxies/1/import_puppetclasses” for 1.2.3.4 at 2025-07-04 14:29:09 +0200
2025-07-04T14:29:09 [I|app|51abb135] Processing by Api::V2::SmartProxiesController#import_puppetclasses as JSON
2025-07-04T14:29:09 [I|app|51abb135] Parameters: {“apiv”=>“v2”, “environment_id”=>“1”, “id”=>“1”, “smart_proxy”=>{}}
2025-07-04T14:29:09 [I|aud|51abb135] PersonalAccessToken (3) update event on last_used_at 2025-07-04 12:28:44 UTC, 2025-07-04 12:29:09 UTC
2025-07-04T14:29:09 [I|app|51abb135] Authorized user ciuser(Service Account )
2025-07-04T14:43:08 [I|app|51abb135] Completed 200 OK in 839159ms (Views: 0.5ms | ActiveRecord: 832273.0ms | Allocations: 2809826)

same user with admin flag:
2025-07-04T14:58:27 [I|app|1c6a71f6] Started POST “/api/environments/1/smart_proxies/1/import_puppetclasses” for 1.2.3.4 at 2025-07-04 14:58:27 +0200
2025-07-04T14:58:27 [I|app|1c6a71f6] Processing by Api::V2::SmartProxiesController#import_puppetclasses as JSON
2025-07-04T14:58:27 [I|app|1c6a71f6] Parameters: {“apiv”=>“v2”, “environment_id”=>“1”, “id”=>“1”, “smart_proxy”=>{}}
2025-07-04T14:58:27 [I|aud|1c6a71f6] PersonalAccessToken (3) update event on last_used_at 2025-07-04 12:58:26 UTC, 2025-07-04 12:58:27 UTC
2025-07-04T14:58:28 [I|app|1c6a71f6] Authorized user ciuser(Service Account )
2025-07-04T14:58:29 [I|app|1c6a71f6] Completed 200 OK in 1538ms (Views: 0.2ms | ActiveRecord: 408.2ms | Allocations: 404953)

Since the non-admin api call returns successful (and the results are correct), I believe my permission are ok, but the spike in duration is a mystery to me.

Expected outcome:

I guess a small increase in duration is acceptable, but for my automation processes the runtime is way to high for non-admin users. I assume for admins checks are skipped

Foreman and Proxy versions:
foreman-3.14.0

Foreman and Proxy plugin versions:
foreman-tasks 10.0.2
foreman_puppet 8.1.1
foreman_remote_execution 15.0.2
foreman_scc_manager 4.0.0
foreman_webhooks 4.0.1
katello 4.16.1

Distribution and version:
RHEL 9.6