Organisation Admin role cannot create new Operating System

Problem:
User has the Organisation Admin role and cannot create a new Operating System.
Attempting to create a new Operating System results in the following error:

**Unable to save**

· You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified locations or organisations

Expected outcome:
Organisation Admins can create Operating Systems within the context of their Organisation.

Foreman and Proxy versions:
Foreman 1.16.0
Foreman-Proxy 1.16.0
Katello 3.5.2

Foreman and Proxy plugin versions:
bastion Bastion 6.1.5
foreman-tasks 0.10.9
foreman_azure 1.3.1
foreman_default_hostgroup 4.0.1
foreman_discovery 10.0.0
foreman_docker 3.2.1
foreman_hooks 0.3.14
foreman_memcache 0.0.6
foreman_remote_execution 1.3.3
foreman_setup 5.0.0
foreman_templates 5.0.1
katello 3.5.2
puppetdb_foreman 3.0.2

Other relevant data:
User is a member of a user group that is assigned an Organization Admin role.
The Organisation Admin role is cloned from the default Organization Admin role and associated with specific Locations and a specific Organization.
The user is associated with the same specific Locations and Organization as the cloned Role.

User and Role info
```
# hammer user info --login my.user
Id:                    8le
Login:                 my.user
Name:                  My User
Email:                 my.user@site.au
Admin:                 no
Last login:            2018/11/02 01:50:22
Authorized by:         OUR-LDAP
Effective admin:       no
Locale:                en
Timezone:              Perth
Description:
Default organization:
Default location:
Roles:
Default role
User groups:
 1) Usergroup: Right-Adm-Foreman.ENS.Linux.Org.Admins
Roles:
    ens_linux-org-admin

Inherited User groups:

Locations:
central_office
dr
Organizations:
Enterprise Servers Linux
Created at:            2018/11/02 01:45:14
Updated at:            2018/11/02 01:45:40
```

```
# hammer role info --id 19
Id:            19
Name:          ens_linux-org-admin
Builtin:       no
Description:
Locations:
    central_office
    dr
Organizations:
    Enterprise Servers Linux
```

```
# hammer role filters --id 19
----|------------------------------|--------|------------|-----------|---------------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE                | SEARCH | UNLIMITED? | OVERRIDE? | ROLE                | PERMISSIONS
----|------------------------------|--------|------------|-----------|---------------------|---------------------------------------------------------------------------------
240 | Architecture                 | none   | yes        | no        | ens_linux-org-admin | view_architectures, create_architectures, edit_architectures, destroy_archite...
241 | Audit                        | none   | yes        | no        | ens_linux-org-admin | view_audit_logs
242 | AuthSourceLdap               | none   | no         | no        | ens_linux-org-admin | view_authenticators, create_authenticators, edit_authenticators, destroy_auth...
243 | Bookmark                     | none   | yes        | no        | ens_linux-org-admin | view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
244 | ComputeProfile               | none   | yes        | no        | ens_linux-org-admin | view_compute_profiles, create_compute_profiles, edit_compute_profiles, destro...
245 | ComputeResource              | none   | no         | no        | ens_linux-org-admin | view_compute_resources, create_compute_resources, edit_compute_resources, des...
246 | ConfigGroup                  | none   | yes        | no        | ens_linux-org-admin | view_config_groups, create_config_groups, edit_config_groups, destroy_config_...
247 | (Miscellaneous)              | none   | yes        | no        | ens_linux-org-admin | access_dashboard, view_plugins, view_statistics, view_tasks, my_organizations
248 | Domain                       | none   | no         | no        | ens_linux-org-admin | view_domains, create_domains, edit_domains, destroy_domains
249 | Environment                  | none   | no         | no        | ens_linux-org-admin | view_environments, create_environments, edit_environments, destroy_environmen...
250 | ExternalUsergroup            | none   | yes        | no        | ens_linux-org-admin | view_external_usergroups, create_external_usergroups, edit_external_usergroup...
251 | FactValue                    | none   | yes        | no        | ens_linux-org-admin | view_facts, upload_facts
252 | Filter                       | none   | no         | no        | ens_linux-org-admin | view_filters, create_filters, edit_filters, destroy_filters
253 | HostClass                    | none   | yes        | no        | ens_linux-org-admin | edit_classes
254 | Hostgroup                    | none   | no         | no        | ens_linux-org-admin | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups
255 | Host                         | none   | no         | no        | ens_linux-org-admin | view_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts...
256 | Image                        | none   | yes        | no        | ens_linux-org-admin | view_images, create_images, edit_images, destroy_images
257 | KeyPair                      | none   | yes        | no        | ens_linux-org-admin | view_keypairs, destroy_keypairs
258 | Location                     | none   | yes        | no        | ens_linux-org-admin | view_locations, create_locations, edit_locations, destroy_locations, assign_l...
259 | PuppetclassLookupKey         | none   | yes        | no        | ens_linux-org-admin | view_external_parameters, create_external_parameters, edit_external_parameter...
260 | MailNotification             | none   | yes        | no        | ens_linux-org-admin | view_mail_notifications
261 | Medium                       | none   | no         | no        | ens_linux-org-admin | view_media, create_media, edit_media, destroy_media
262 | Model                        | none   | yes        | no        | ens_linux-org-admin | view_models, create_models, edit_models, destroy_models
263 | Operatingsystem              | none   | yes        | no        | ens_linux-org-admin | view_operatingsystems, create_operatingsystems, edit_operatingsystems, destro...
264 | VariableLookupKey            | none   | yes        | no        | ens_linux-org-admin | view_external_variables, create_external_variables, edit_external_variables, ...
265 | Parameter                    | none   | yes        | no        | ens_linux-org-admin | view_params, create_params, edit_params, destroy_params
266 | Ptable                       | none   | no         | no        | ens_linux-org-admin | view_ptables, create_ptables, edit_ptables, destroy_ptables, lock_ptables
267 | ProvisioningTemplate         | none   | no         | no        | ens_linux-org-admin | view_provisioning_templates, create_provisioning_templates, edit_provisioning...
268 | Puppetclass                  | none   | yes        | no        | ens_linux-org-admin | view_puppetclasses, create_puppetclasses, edit_puppetclasses, destroy_puppetc...
269 | Realm                        | none   | no         | no        | ens_linux-org-admin | view_realms, create_realms, edit_realms, destroy_realms
270 | Role                         | none   | yes        | no        | ens_linux-org-admin | view_roles, create_roles, edit_roles, destroy_roles
271 | SmartProxy                   | none   | no         | no        | ens_linux-org-admin | view_smart_proxies, create_smart_proxies, edit_smart_proxies, destroy_smart_p...
272 | SshKey                       | none   | yes        | no        | ens_linux-org-admin | view_ssh_keys, create_ssh_keys, destroy_ssh_keys
273 | Subnet                       | none   | no         | no        | ens_linux-org-admin | view_subnets, create_subnets, edit_subnets, destroy_subnets, import_subnets
274 | Trend                        | none   | yes        | no        | ens_linux-org-admin | view_trends, create_trends, edit_trends, destroy_trends, update_trends
275 | Usergroup                    | none   | yes        | no        | ens_linux-org-admin | view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups
276 | User                         | none   | no         | no        | ens_linux-org-admin | view_users, create_users, edit_users, destroy_users
277 | ConfigReport                 | none   | yes        | no        | ens_linux-org-admin | view_config_reports, destroy_config_reports, upload_config_reports
278 | ForemanTasks::Task           | none   | yes        | no        | ens_linux-org-admin | view_foreman_tasks, edit_foreman_tasks
279 | Container                    | none   | no         | no        | ens_linux-org-admin | view_containers, commit_containers, create_containers, destroy_containers
280 | JobTemplate                  | none   | no         | no        | ens_linux-org-admin | view_job_templates, create_job_templates, edit_job_templates, destroy_job_tem...
281 | Template                     | none   | yes        | no        | ens_linux-org-admin | import_templates, export_templates
282 | ForemanTasks::RecurringLogic | none   | yes        | no        | ens_linux-org-admin | create_recurring_logics, view_recurring_logics, edit_recurring_logics
283 | DockerRegistry               | none   | no         | no        | ens_linux-org-admin | view_registries, create_registries, destroy_registries
284 | DiscoveryRule                | none   | no         | no        | ens_linux-org-admin | view_discovery_rules, create_discovery_rules, edit_discovery_rules, execute_d...
285 | RemoteExecutionFeature       | none   | yes        | no        | ens_linux-org-admin | edit_remote_execution_features
286 | Docker/ImageSearch           | none   | yes        | no        | ens_linux-org-admin | search_repository_image_search
287 | Katello::ActivationKey       | none   | no         | no        | ens_linux-org-admin | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
288 | JobInvocation                | none   | yes        | no        | ens_linux-org-admin | create_job_invocations, view_job_invocations
289 | Katello::ContentView         | none   | no         | no        | ens_linux-org-admin | view_content_views, create_content_views, edit_content_views, destroy_content...
290 | Katello::GpgKey              | none   | no         | no        | ens_linux-org-admin | view_gpg_keys, create_gpg_keys, edit_gpg_keys, destroy_gpg_keys
291 | TemplateInvocation           | none   | yes        | no        | ens_linux-org-admin | execute_template_invocation, filter_autocompletion_for_template_invocation
292 | Katello::HostCollection      | none   | no         | no        | ens_linux-org-admin | view_host_collections, create_host_collections, edit_host_collections, destro...
293 | Katello::KTEnvironment       | none   | no         | no        | ens_linux-org-admin | view_lifecycle_environments, create_lifecycle_environments, edit_lifecycle_en...
294 | Katello::Product             | none   | no         | no        | ens_linux-org-admin | view_products, create_products, edit_products, destroy_products, sync_product...
295 | Katello::Subscription        | none   | yes        | no        | ens_linux-org-admin | view_subscriptions, attach_subscriptions, unattach_subscriptions, import_mani...
296 | Katello::SyncPlan            | none   | no         | no        | ens_linux-org-admin | view_sync_plans, create_sync_plans, edit_sync_plans, destroy_sync_plans
----|------------------------------|--------|------------|-----------|---------------------|---------------------------------------------------------------------------------
```
Logs of the operating system creation attempt
```
2018-11-01 14:12:46 b3ac56f5 [app] [I] Started POST "/operatingsystems" for 10.25.64.131 at 2018-11-01 14:12:46 +0800
2018-11-01 14:12:46 b3ac56f5 [app] [I] Processing by OperatingsystemsController#create as */*
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"9O9A9EoeN9iP0vPoKJjYdEGtYm0U7lWKS9U1HQbwmHZJGkgYoAiz28TTrzz1mln7n0FXa50+UwiERveFJh/piA==", "operatingsystem"=>{"name"=>"RedHat", "major"=>"7", "minor"=>"6", "description"=>"", "family"=>"Redhat", "release_name"=>"", "password_hash"=>"[FILTERED]", "architecture_ids"=>["", "1"], "ptable_ids"=>["", "113"], "medium_ids"=>["", "16"]}, "_ie_support"=>""}
2018-11-01 14:12:46 b3ac56f5 [app] [I] Current user: my.user (regular user)
2018-11-01 14:12:46 b3ac56f5 [app] [D] Setting current user thread-local variable to my.user
2018-11-01 14:12:46 b3ac56f5 [app] [D] Setting current organization thread-local variable to Enterprise Servers Linux
2018-11-01 14:12:46 b3ac56f5 [app] [D] Setting current location thread-local variable to none
2018-11-01 14:12:46 b3ac56f5 [app] [D] Unpermitted parameters: utf8, authenticity_token, _ie_support, locale
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_PXELinux
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_PXEGrub
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_PXEGrub2
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_iPXE
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_provision
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_finish
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_script
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_user_data
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_ZTP
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_POAP
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_kexec
2018-11-01 14:12:46 b3ac56f5 [app] [D] Cache write: katello_default_ptable
2018-11-01 14:12:46 b3ac56f5 [app] [I] Failed to save: You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified locations or organisations
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Rendered operatingsystems/_template_defaults.html.erb (0.4ms)
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Rendered common_parameters/_parameter.html.erb (5.0ms)
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Rendered common_parameters/_parameters.html.erb (11.9ms)
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Rendered operatingsystems/_form.html.erb (119.0ms)
2018-11-01 14:12:46 b3ac56f5 [app] [I]   Rendered operatingsystems/new.html.erb (119.5ms)
2018-11-01 14:12:46 b3ac56f5 [app] [I] Completed 200 OK in 527ms (Views: 98.8ms | ActiveRecord: 95.8ms)
```

Is the user assigned to the org/loc he tries to create the resource in? Is the role cloned and the same orgs/locs assigned to it? Foreman 1.16 is a quite old version; is there a chance to upgrade to a supported version?
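The two questions in the reply above can be answered mechanically from the output the report already contains. The script below is an added example written for this thread; it is not code from the thread, from Foreman or from hammer. It parses the `hammer user info`, `hammer role info` and `hammer role filters` output and the request log (sample input constructed from the report above and abridged), then checks that the role actually carries the permission on the resource, that user and role share the same locations and organizations, and that the organization and location context Foreman logged for the request fall inside the role's scope. On this report's data the only thing it flags is that the request was handled with the location context set to `none` while the role is scoped to `central_office` and `dr`; the thread does not confirm that this is the cause, it is simply the next thing a reviewer would check.

```python
"""Added triage example, not code from this thread, Foreman or hammer: parse the
hammer output and request log from a permission bug report and answer the usual
first questions (does the role carry the permission, do user and role share the
same taxonomies, was the request made inside the role's scope)."""
import re

# Constructed sample input: hammer output and log lines copied from the report
# above and abridged to the parts the checks need.
USER_INFO = """\
Id:                    8le
Login:                 my.user
Locations:
central_office
dr
Organizations:
Enterprise Servers Linux
Created at:            2018/11/02 01:45:14
"""
ROLE_INFO = """\
Id:            19
Name:          ens_linux-org-admin
Description:
Locations:
    central_office
    dr
Organizations:
    Enterprise Servers Linux
"""
ROLE_FILTERS = """\
ID  | RESOURCE TYPE   | SEARCH | UNLIMITED? | OVERRIDE? | ROLE                | PERMISSIONS
258 | Location        | none   | yes        | no        | ens_linux-org-admin | view_locations, create_locations, edit_locations, destroy_locations, assign_l...
263 | Operatingsystem | none   | yes        | no        | ens_linux-org-admin | view_operatingsystems, create_operatingsystems, edit_operatingsystems, destro...
"""
REQUEST_LOG = """\
2018-11-01 14:12:46 b3ac56f5 [app] [D] Setting current organization thread-local variable to Enterprise Servers Linux
2018-11-01 14:12:46 b3ac56f5 [app] [D] Setting current location thread-local variable to none
"""

def parse_taxonomies(hammer_info):
    """{'Locations': set, 'Organizations': set} from `hammer user|role info` output:
    a header line, one name per line, ended by the next `Key:` line or a blank line."""
    found = {"Locations": set(), "Organizations": set()}
    current = None
    for line in hammer_info.splitlines():
        stripped = line.strip()
        if stripped in ("Locations:", "Organizations:"):
            current = stripped[:-1]
        elif current and stripped and ":" not in stripped:
            found[current].add(stripped)
        else:
            current = None
    return found

def parse_filters(table):
    """{resource_type: (unlimited, permissions)} from `hammer role filters` output;
    truncated permission lists ('destro...') are kept exactly as printed."""
    rows = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 7 or not cells[0].isdigit():
            continue  # header, rule line or blank
        rows[cells[1]] = (cells[3] == "yes", {p.strip() for p in cells[6].split(",")})
    return rows

def parse_request_context(log):
    """Organization and location context Foreman logged while handling the request."""
    ctx = {}
    for line in log.splitlines():
        match = re.search(r"Setting current (organization|location) thread-local variable to (.+)$", line)
        if match:
            ctx[match.group(1)] = match.group(2).strip()
    return ctx

def triage(user_info, role_info, role_filters, log, permission, resource):
    """Findings for a failed `permission` on `resource`; empty means none of the usual causes applies."""
    user, role = parse_taxonomies(user_info), parse_taxonomies(role_info)
    filters, ctx = parse_filters(role_filters), parse_request_context(log)
    findings = []
    unlimited, perms = filters.get(resource, (False, set()))
    if permission not in perms:
        findings.append(f"role has no filter granting {permission} on {resource}")
    elif not unlimited:
        findings.append(f"{resource} filter is limited by a search; the new record must match it")
    # Second question in the reply above: does the role carry the same orgs/locs as the user?
    for tax in ("Locations", "Organizations"):
        if user[tax] != role[tax]:
            findings.append(f"user and role {tax.lower()} differ: "
                            f"user={sorted(user[tax])} role={sorted(role[tax])}")
    # First question: was the request made in an org/loc the role is scoped to?
    # Foreman logs the context it set for the request, so compare that directly.
    for key, tax in (("organization", "Organizations"), ("location", "Locations")):
        if role[tax] and ctx.get(key) not in role[tax]:
            findings.append(f"request {key} context {ctx.get(key)!r} is outside "
                            f"the role's {tax.lower()} {sorted(role[tax])}")
    return findings

if __name__ == "__main__":
    print(*triage(USER_INFO, ROLE_INFO, ROLE_FILTERS, REQUEST_LOG,
                  "create_operatingsystems", "Operatingsystem"), sep="\n")
```

Paste the real `hammer` output and the request's log lines into the four constants to run it against another report; the filter parser only needs the `ID`, `RESOURCE TYPE`, `UNLIMITED?` and `PERMISSIONS` columns, so the truncated permission lists hammer prints are fine as long as the permission you are asking about is not the one cut off.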

Hi Marek, cheers for chiming in.

Yes, the user and role are associated with the same organisation and locations. The user is attempting to create an Operating System associated with the same Organisation and Locations.

I have seen this issue with two separate users and organisations now.

Yes, I cloned the role from the default Organisation Admin role and associated it with the same Organisation and Locations as the user.

I patched to 1.16.2 last night as I read that a similar issue had been resolved there but the issue persists. Before I can upgrade to Katello 3.6 then 3.8 (Foreman 1.17 and 1.19) I will need to rebuild our test env. At the moment we have Katello 3.5/Foreman 1.16 in Prod and I am running early life support with the Operations teams and finalising the Puppet code. Upgrading is very much on my list but there is only one of me :slight_smile:

I looked at this on a more recent version and it seems to work for me just fine. So, please try to upgrade first; there won’t be any fixing release for 1.16-1.18 most likely.

Fair enough, thanks for taking a look at it Marek.