Cockpit Plugin permissions denied for non-adminstrator users


Cockpit Plugin subpages in Foreman user Interface is only accessible with Adminstrator rights.

Expected outcome:

Cockpit Icon should be accessible also with non Adminstrator users.

Foreman and Proxy versions:

OS: CentOS Linux release 7.5.1804 (Core)

Foreman and Proxy plugin versions:

Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]

In the production log i get a Forbidden log entry if i would like to Access the Cockpit plugin with a non Adminstrator user:

2018-11-28T14:23:11 [I|app|6307d] Rendering common/403.html.erb
2018-11-28T14:23:11 [I|app|6307d] Rendered common/403.html.erb (3.8ms)
2018-11-28T14:23:11 [I|app|6307d] Filter chain halted as :authorize rendered or redirected
2018-11-28T14:23:11 [I|app|6307d] Completed 403 Forbidden in 83ms (Views: 5.5ms | ActiveRecord: 17.6ms)

I assgined all Roles to the user and don’t select the Admin Checkbox.

Hope that this is easily reproducible by other users from the commuinty.

This is the complete production.log:

2018-11-28T17:17:42 [I|app|] Started GET “/cockpit/hosts/6/networking” for xxxxxxx at 2018-11-28 17:17:42 +0100
2018-11-28T17:17:42 [I|app|27395] Processing by HostsController#networking as /
2018-11-28T17:17:42 [I|app|27395] Parameters: {“id”=>“6”}
2018-11-28T17:17:42 [I|app|27395] Current user set to kegadmin (regular)
2018-11-28T17:17:42 [I|app|27395] Rendering common/403.html.erb
2018-11-28T17:17:42 [I|app|27395] Rendered common/403.html.erb (1.3ms)
2018-11-28T17:17:42 [I|app|27395] Filter chain halted as :authorize rendered or redirected
2018-11-28T17:17:42 [I|app|27395] Completed 403 Forbidden in 129ms (Views: 3.3ms | ActiveRecord: 30.6ms)

And this it the production log if i Access the Cockpit plugin with the admin user:

2018-11-28T17:22:21 [I|app|91840] Current user set to admin (admin)
2018-11-28T17:22:21 [I|app|91840] Completed 200 OK in 15ms (Views: 0.3ms | ActiveRecord: 1.6ms)
2018-11-28T17:22:28 [I|app|] Started GET “/cockpit/hosts/6/Configuration” for at 2018-11-28 17:22:28 +0100
2018-11-28T17:22:28 [I|app|77470] Processing by HostsController#Configuration as /
2018-11-28T17:22:28 [I|app|77470] Parameters: {“id”=>“6”}
2018-11-28T17:22:28 [I|app|77470] Current user set to admin (admin)
2018-11-28T17:22:28 [I|app|77470] Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_cockpit-2.0.3/app/views/foreman_cockpit/hosts/_cockpit.html.erb (1.1ms)
2018-11-28T17:22:28 [I|app|77470] Completed 200 OK in 41ms (Views: 10.9ms | ActiveRecord: 5.7ms)

You can see that i get with a non admin user always a permission denied.


Hope someone can help me here.

Below you can see the user Details of the user with the no admin flag.

I attached all roles to this user but without the admin flag it is not possible to get Access to the Cockpit plugin. Only users with the admin flag have Access to it.

[root@xxxxxx]# hammer user info --login kegadmin
Id: 5
Login: kegadmin
Email: kegadmin@localhost
Admin: no
Last login: 2018/11/29 12:23:53
Authorized by: Internal
Effective admin: no
Locale: en_GB
Timezone: default
Default organization:
Default location:
Bookmarks manager
Edit hosts
Edit partition tables
Organization admin
Register hosts
Remote Execution Manager
Remote Execution User
Site manager
Tasks Manager
Tasks Reader
View hosts
User groups:

Inherited User groups:

Default Location
Default Organization
Created at: 2018/11/28 12:45:41
Updated at: 2018/11/29 12:21:11

[root@xxxxx services]#

You can enable debug log level and enable permission logger to see what permission is missing for your user. I see there should be view_cockpit_$x permissions where $x is one of system terminal journal services networking containers storage accounts. The plugin does not seem to extend built-in roles such as Viewer or Manager or define its own role. So you’d need to create the filter yourself. It should be easy to enhance the plugin if you’re interested in sending the PR. Let me know if you need a hand with it.


Thanks for this hint. I was able to fix this. It was necessary to define a rule with the filters for the Cockpit permissions. Then i assigned this customized rule to the user and then it was possible to Access the Cockpit plugin.