Import puppetclass permissions no longer work

asolomon · May 30, 2022, 9:36am

Problem:
Hello, after we upgrade to 3.2 our Foreman it seems that the script we were previously using to import automatically all puppetclasses via POST API request is not working with the previous permissions from Foreman 2.5

I know that Puppet was extracted from core and there were some changes but looking into the permissions the user might require it seems that my user is having the appropiate rights.

Expected outcome:
Successfull import

Foreman and Proxy versions:
3.2
Foreman and Proxy plugin versions:

Distribution and version:
CentOS 7
Other relevant data:
API request response

{
  "error": {"message":"Access denied","details":"Missing one of the required permissions: ","missing_permissions":[ ]}
}

My permissions defined:

If I give Administrator role the script runs successfully but this is not the right way, any idea on what extra permissions user might require since the response does not specify any

nadjaheitmann · May 30, 2022, 9:52am

Can you please post the exact command you sent via API?

asolomon · May 30, 2022, 10:00am

API request comes from a ruby functions:

def import_classes()
    uri = URI("https://"+SERVER_NAME+"/api/smart_proxies/"+get_smart_proxy()+"/import_puppetclasses")
    req = Net::HTTP::Post.new(uri)
    req.basic_auth USER, PASSWORD
    req['Content-Type'] = "application/json"

    response = Net::HTTP.start(uri.hostname, uri.port, :use_ssl => true) do |http|
        http.request(req)
    end
    response.body

end

I call POST on https://Foreman_FQDN/api/smart_proxies/:id/import_puppetclasses as in API v2 docs

nadjaheitmann · May 30, 2022, 10:39am

This probably got lost during the transfer to the plugin.

github.com

theforeman/foreman_puppet/blob/e85c8bffd26e2da370518a18e12d4226606ab4e3/lib/foreman_puppet/register.rb#L147

    
      
            permission :create_puppetclasses, { 'foreman_puppet/puppetclasses' => %i[new create],
                                                'foreman_puppet/api/v2/puppetclasses' => [:create] },
              resource_type: 'ForemanPuppet::Puppetclass'
            permission :edit_puppetclasses,   { 'foreman_puppet/puppetclasses' => %i[edit update override],
                                                'foreman_puppet/api/v2/puppetclasses' => [:update],
                                                'foreman_puppet/api/v2/smart_class_parameters' => %i[create update destroy] },
              resource_type: 'ForemanPuppet::Puppetclass'
            permission :destroy_puppetclasses, { 'foreman_puppet/puppetclasses' => [:destroy],
                                                 'foreman_puppet/api/v2/puppetclasses' => [:destroy] },
              resource_type: 'ForemanPuppet::Puppetclass'
            permission :import_puppetclasses, { 'foreman_puppet/puppetclasses' => %i[import_environments obsolete_and_new],
                                                'foreman_puppet/api/v2/environments' => [:import_puppetclasses] },
              resource_type: 'ForemanPuppet::Puppetclass'
            permission :edit_classes, { :host_editing => [:edit_classes],
                                        'foreman_puppet/api/v2/host_classes' => %i[index create destroy] },
              resource_type: 'ForemanPuppet::HostClass'
          end
          
          
add_all_permissions_to_default_roles
          add_permissions_to_default_roles(
            'Site manager' => %w[view_puppetclasses import_puppetclasses view_environments import_environments

If you want to try to fix it, you could try and patch the plugin by adding this line after line 147 in the above file:
'api/v2/smart_proxies' => [:import_puppetclasses],

nadjaheitmann · May 30, 2022, 11:44am

@asolomon If you try it, let me know if it works

asolomon · May 30, 2022, 11:46am

Trying now, it seems to work at first, but let me double check and I’ll be back with an answer shortly.
LE. Worked, thank you @nadjaheitmann