Cockpit Plugin permissions denied for non-administrator users

Problem:

Cockpit plugin subpages in the Foreman user interface are only accessible with Administrator rights.

Expected outcome:

The Cockpit icon should also be accessible to non-administrator users.

Foreman and Proxy versions:
foreman-debug-1.18.2-1.el7.noarch
foreman-1.18.2-1.el7.noarch
foreman-release-1.18.2-1.el7.noarch
foreman-installer-1.18.2-1.el7.noarch
foreman-release-scl-7-1.el7.noarch
foreman-postgresql-1.18.2-1.el7.noarch
foreman-proxy-1.18.2-1.el7.noarch
tfm-rubygem-foreman_cockpit-2.0.3-3.fm1_18.el7.noarch
foreman-cli-1.18.2-1.el7.noarch
foreman-selinux-1.18.2-1.el7.noarch

OS: CentOS Linux release 7.5.1804 (Core)

Foreman and Proxy plugin versions:

Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]

In the production log I get a Forbidden log entry if I try to access the Cockpit plugin with a non-administrator user:

2018-11-28T14:23:11 [I|app|6307d] Rendering common/403.html.erb
2018-11-28T14:23:11 [I|app|6307d] Rendered common/403.html.erb (3.8ms)
2018-11-28T14:23:11 [I|app|6307d] Filter chain halted as :authorize rendered or redirected
2018-11-28T14:23:11 [I|app|6307d] Completed 403 Forbidden in 83ms (Views: 5.5ms | ActiveRecord: 17.6ms)

I assigned all roles to the user and did not select the Admin checkbox.

Hope that this is easily reproducible by other users from the community.

This is the complete production.log:

2018-11-28T17:17:42 [I|app|] Started GET "/cockpit/hosts/6/networking" for xxxxxxx at 2018-11-28 17:17:42 +0100
2018-11-28T17:17:42 [I|app|27395] Processing by HostsController#networking as /
2018-11-28T17:17:42 [I|app|27395] Parameters: {"id"=>"6"}
2018-11-28T17:17:42 [I|app|27395] Current user set to kegadmin (regular)
2018-11-28T17:17:42 [I|app|27395] Rendering common/403.html.erb
2018-11-28T17:17:42 [I|app|27395] Rendered common/403.html.erb (1.3ms)
2018-11-28T17:17:42 [I|app|27395] Filter chain halted as :authorize rendered or redirected
2018-11-28T17:17:42 [I|app|27395] Completed 403 Forbidden in 129ms (Views: 3.3ms | ActiveRecord: 30.6ms)

And this is the production log if I access the Cockpit plugin with the admin user:

2018-11-28T17:22:21 [I|app|91840] Current user set to admin (admin)
2018-11-28T17:22:21 [I|app|91840] Completed 200 OK in 15ms (Views: 0.3ms | ActiveRecord: 1.6ms)
2018-11-28T17:22:28 [I|app|] Started GET "/cockpit/hosts/6/Configuration" for 148.198.173.39 at 2018-11-28 17:22:28 +0100
2018-11-28T17:22:28 [I|app|77470] Processing by HostsController#Configuration as /
2018-11-28T17:22:28 [I|app|77470] Parameters: {"id"=>"6"}
2018-11-28T17:22:28 [I|app|77470] Current user set to admin (admin)
2018-11-28T17:22:28 [I|app|77470] Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_cockpit-2.0.3/app/views/foreman_cockpit/hosts/_cockpit.html.erb (1.1ms)
2018-11-28T17:22:28 [I|app|77470] Completed 200 OK in 41ms (Views: 10.9ms | ActiveRecord: 5.7ms)

You can see that with a non-admin user I always get a permission denied.

Hello,

Hope someone can help me here.

Below you can see the user details of the user without the admin flag.

I attached all roles to this user, but without the admin flag it is not possible to get access to the Cockpit plugin. Only users with the admin flag have access to it.

[root@xxxxxx]# hammer user info --login kegadmin
Id: 5
Login: kegadmin
Name:
Email: kegadmin@localhost
Admin: no
Last login: 2018/11/29 12:23:53
Authorized by: Internal
Effective admin: no
Locale: en_GB
Timezone: default
Description:
Default organization:
Default location:
Roles:
Auditor
Bookmarks manager
Edit hosts
Edit partition tables
Manager
Organization admin
Register hosts
Remote Execution Manager
Remote Execution User
Site manager
Tasks Manager
Tasks Reader
Viewer
View hosts
User groups:

Inherited User groups:

Locations:
Default Location
railwaystations
Organizations:
Default Organization
railwaycompany
Created at: 2018/11/28 12:45:41
Updated at: 2018/11/29 12:21:11

[root@xxxxx services]#

You can enable debug log level and enable permission logger to see what permission is missing for your user. I see there should be view_cockpit_$x permissions where $x is one of system terminal journal services networking containers storage accounts. The plugin does not seem to extend built-in roles such as Viewer or Manager or define its own role. So you’d need to create the filter yourself. It should be easy to enhance the plugin if you’re interested in sending the PR. Let me know if you need a hand with it.
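The fix the reply describes, as an added example that is not from the thread or from the foreman_cockpit plugin: a hammer script that builds a dedicated role carrying only the view_cockpit_* permissions and attaches it to the user. The role name, the `apply` switch and the permission names (taken from the reply above, which hedges them with "should be") are assumptions, so the script checks each name against `hammer filter available-permissions` before creating the filter.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): grant Cockpit access
# through a dedicated role instead of the admin flag.
set -e

ROLE_NAME="${ROLE_NAME:-Cockpit viewer}"   # hypothetical role name
USER_LOGIN="${USER_LOGIN:-kegadmin}"       # login used in the thread

# Build the comma-separated list hammer expects from the view_cockpit_$x
# names the reply lists. An optional subset of page names restricts the
# role to fewer Cockpit pages (least privilege).
cockpit_permissions() {
  pages="${*:-system terminal journal services networking containers storage accounts}"
  list=""
  for p in $pages; do
    list="${list}${list:+,}view_cockpit_${p}"
  done
  printf '%s' "$list"
}

# Confirm each permission name exists on this Foreman before creating the
# filter; the reply only says the names "should be" view_cockpit_$x.
verify_permissions() {
  for perm in $(cockpit_permissions "$@" | tr ',' ' '); do
    hammer filter available-permissions --search "name = $perm" | grep -q "$perm" \
      || { echo "permission $perm not found on this Foreman" >&2; return 1; }
  done
}

# Create the role, attach one filter holding the Cockpit permissions,
# then add the role to the user. No admin flag is involved.
create_cockpit_role() {
  hammer role create --name "$ROLE_NAME"
  hammer filter create --role "$ROLE_NAME" --permissions "$(cockpit_permissions "$@")"
  hammer user add-role --login "$USER_LOGIN" --role "$ROLE_NAME"
}

# Only talk to Foreman when asked explicitly: ./cockpit_role.sh apply [page ...]
if [ "${1:-}" = "apply" ]; then
  shift
  verify_permissions "$@"
  create_cockpit_role "$@"
fi
```

The user still needs view_hosts (the thread's user already has the "View hosts" role) because the Cockpit pages are served from HostsController.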

Hi,

Thanks for this hint. I was able to fix this. It was necessary to define a rule with the filters for the Cockpit permissions. Then I assigned this customized rule to the user, and then it was possible to access the Cockpit plugin.