Foreman REST API doesn't enforce user rules?

Hi all,
I have created a non-admin user in Foreman and assigned it to an org/location
with basic rules.
Strangely, when logging in to the REST API with that user, I am able to view all
hosts regardless of org/location and also run power operations on those hosts.

BTW, logging in with that user via the WebUI shows only the relevant hosts, which is
good.

Shouldn't the REST API login enforce the same rules for each user, just like the
WebUI does?

Details:
Foreman 1.7.2
API v2

Thanks

Yes, it should. This message was passed along to
foreman-security@googlegroups.com as it's probably considered a security
issue, and we'll address it with a patch as soon as possible.

The bug has also been reported by Andy Taylor in redmine:
http://projects.theforeman.org/issues/9947

He notes a way you can use the org/location within a filter to restrict
access to the org/loc as well.

On 29/03/15 13:56, Avi Tal wrote:


Dominic Cleal
Red Hat Engineering
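A defender-side check for the behaviour reported in this thread, added here as an example and not code from the thread or from the Foreman project: it walks a non-admin user's `/api/v2/hosts` listing and reports any host whose `organization_id` or `location_id` lies outside the org/location that user was assigned, so a non-empty result reproduces the leak the WebUI does not show. The base URL, credentials, host names and ids are constructed, the sample pages stand in for a live server, and the response shape (`total`/`results` with per-host `organization_id`/`location_id`) is assumed.

```python
import base64
import json
import urllib.request


def basic_auth_getter(user, password):
    """Build a get_json(url) callable that sends HTTP Basic auth, as API v2 accepts."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def get_json(url):
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


def iter_hosts(get_json, base_url, per_page=2):
    """Yield every host record, following API v2 pagination (page/per_page/total)."""
    page = 1
    while True:
        data = get_json(f"{base_url}/api/v2/hosts?page={page}&per_page={per_page}")
        results = data.get("results", [])
        yield from results
        if not results or page * per_page >= data.get("total", 0):
            return
        page += 1


def out_of_scope_hosts(hosts, allowed_orgs, allowed_locs):
    """Names of hosts whose organization_id or location_id the user was not assigned.
    Empty for a correctly scoped non-admin user; anything else is a host the WebUI
    would hide but the API still returned (the behaviour reported in this thread)."""
    return [h["name"] for h in hosts
            if h.get("organization_id") not in allowed_orgs
            or h.get("location_id") not in allowed_locs]


def audit(get_json, base_url, allowed_orgs, allowed_locs):
    """Run the check; against a live server pass basic_auth_getter(user, password)."""
    return out_of_scope_hosts(iter_hosts(get_json, base_url), allowed_orgs, allowed_locs)


# Constructed stand-in for a live server (assumed response shape): two pages, three
# hosts, one of which sits in org 2 / location 9, which the audited user is not assigned to.
SAMPLE = {
    "https://foreman.example/api/v2/hosts?page=1&per_page=2": {
        "total": 3, "page": 1, "per_page": 2, "results": [
            {"id": 1, "name": "web1.example", "organization_id": 1, "location_id": 5},
            {"id": 2, "name": "db1.example", "organization_id": 1, "location_id": 5}]},
    "https://foreman.example/api/v2/hosts?page=2&per_page=2": {
        "total": 3, "page": 2, "per_page": 2, "results": [
            {"id": 3, "name": "other.example", "organization_id": 2, "location_id": 9}]}}
```

Running `audit(SAMPLE.get, "https://foreman.example", {1}, {5})` against the constructed pages returns the one host outside the user's org/location; against a patched server with real credentials the same call should return an empty list for every non-admin user.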

10x,
Indeed I'll be waiting for that patch.

On Tuesday, March 31, 2015 at 11:34:13 AM UTC+3, Dominic Cleal wrote: