Organization admin role doesn't have permission to edit host's Puppet classes

Problem:
A user assigned the “Organization admin” role doesn’t have permission to edit Puppet classes associated with a specific host.

Logged in as user with “Organization admin” role, navigate to Hosts > [example_host] > Edit > Puppet ENC. Adding new or removing existing Puppet classes isn’t possible. The following message appears when hovering over classes: “Not authorized to edit classes”

Adding and removing config groups works fine.

Expected outcome:
The user shouldn’t receive the “Not authorized to edit classes” message and should be able to add/remove Puppet classes.

Foreman and Proxy versions:
3.1.0

Foreman and Proxy plugin versions:

Plugin Version
foreman_memcache 0.1.1
foreman_puppet 2.0.0
foreman_templates 9.1.0
foreman_vault 1.1.0
puppetdb_foreman 5.0.0

Distribution and version:
CentOS Linux release 7.9.2009 (Core)

Other relevant data:
“Organization admin” role is by default assigned with “Hostclass → edit_classes” filter, which should allow adding/removing of Puppet classes.

Did this work before? Do other roles work, e.g. Manager? If so, we could simply add the missing permission. But this could also be related to organizations. I suppose your user is assigned to some org, is the role assigned to it too?

I just recently configured a user with “Organization admin” role, so I cannot answer the question if it worked before.

I can tell you that the user is associated with specific organization and location (the same organization and location in which the host is “located”).

Manager role doesn’t work either.

If the manager role does not work either, it’s unlikely that just some permission would be missing, but still I’d double check the role has edit_classes permission for the resource type ForemanPuppet::HostClass. If that’s the case, it seems like a bug and should be reported at Issues · theforeman/foreman_puppet · GitHub. There seems to be one related: _classes seems to check host_editing only · Issue #242 · theforeman/foreman_puppet · GitHub

I double-checked and I can confirm that the role indeed has the edit_classes filter enabled (with the “unlimited” checkbox ticked, if it makes any difference) for the HostClass resource type.

I’ll open GitHub issue.
