I'm trying to create a role that will allow a user to create/edit
parameters on hosts (among other things like change the host's environment).
Currently, the role has the following filters:
Environment view_environments
>
Fact value view_facts
>
Host Group view_hostgroups
>
Host/managed view_hosts, edit_hosts
>
Parameter create_params, edit_params
>
This permission set currently does not allow me to create or edit Host
parameters. When I run a curl against the API, I get an error message
"Resource parameter not found by id ''". I've confirmed if I change the
user's permissions to Manager, everything works as expected, but I
obviously want to keep the permissions restricted.
Any ideas what the missing permission filter would be? I'd rather not go
permission by permission, because it's likely a combination of permissions
I'm missing.
Thanks
If you can provide the log from Foreman (production.log) during the
request with SQL debugging enabled, it may point to which resource
you're missing a permission for:
http://theforeman.org/manuals/1.9/index.html#7.2Debugging
···
On 02/12/15 23:16, Michael Griffin wrote:
>
> I'm trying to create a role that will allow a user to create/edit
> parameters on hosts (among other things like change the host's environment).
>
> Currently, the role has the following filters:
>
> Environment view_environments
>
> Fact value view_facts
>
> Host Group view_hostgroups
>
> Host/managed view_hosts, edit_hosts
>
> Parameter create_params, edit_params
>
>
> This permission set currently does not allow me to create or edit Host
> parameters. When I run a curl against the API, I get an error message
> "Resource parameter not found by id ''". I've confirmed if I change the
> user's permissions to Manager, everything works as expected, but I
> obviously want to keep the permissions restricted.
>
> Any ideas what the missing permission filter would be? I'd rather not go
> permission by permission, because it's likely a combination of
> permissions I'm missing.
–
Dominic Cleal
dominic@cleal.org
Thank you for the reply. I think I found the issue, which I think should be
a bug.
To create a nested parameter on a host, a user/role requires both
create_params and create_hosts.
To update a nested parameter, a user/role requires both *edit_params" and
edit_hosts.
To delete a nested parameter, a user/role requires both destroy_params
and destroy_hosts.
I think that the bug is that all these actions (create, update, destroy)
should not require both "params" and "hosts" permissions. There could be an
argument made that the edit_hosts permission should be required, which
would also be acceptable.
I can file a bug report if you also agree it should be a bug.
···
On Thursday, December 3, 2015 at 3:01:54 AM UTC-5, Dominic Cleal wrote:
>
> On 02/12/15 23:16, Michael Griffin wrote:
> >
> > I'm trying to create a role that will allow a user to create/edit
> > parameters on hosts (among other things like change the host's
> environment).
> >
> > Currently, the role has the following filters:
> >
> > Environment view_environments
> >
> > Fact value view_facts
> >
> > Host Group view_hostgroups
> >
> > Host/managed view_hosts, edit_hosts
> >
> > Parameter create_params, edit_params
> >
> >
> > This permission set currently does not allow me to create or edit Host
> > parameters. When I run a curl against the API, I get an error message
> > "Resource parameter not found by id ''". I've confirmed if I change the
> > user's permissions to Manager, everything works as expected, but I
> > obviously want to keep the permissions restricted.
> >
> > Any ideas what the missing permission filter would be? I'd rather not go
> > permission by permission, because it's likely a combination of
> > permissions I'm missing.
>
> If you can provide the log from Foreman (production.log) during the
> request with SQL debugging enabled, it may point to which resource
> you're missing a permission for:
>
> http://theforeman.org/manuals/1.9/index.html#7.2Debugging
>
> --
> Dominic Cleal
> dom...@cleal.org
>
Yes, that definitely isn't correct. I'd agree that edit_hosts should
probably be required to match the UI behaviour (where you'd need edit to
open the form for the resource).
I'd suggest giving it a try with Foreman 1.10 though, as I think that
Bug #8343: API resource_scope ignores options - Foreman might have fixed the issue.
Cheers,
···
--
Dominic Cleal
dominic@cleal.org
On 04/12/15 21:12, Michael Griffin wrote:
Thank you for the reply. I think I found the issue, which I think should
be a bug.
To create a nested parameter on a host, a user/role requires both
create_params and create_hosts.
To update a nested parameter, a user/role requires both *edit_params"
and edit_hosts.
To delete a nested parameter, a user/role requires both destroy_params
and destroy_hosts.
I think that the bug is that all these actions (create, update, destroy)
should not require both “params” and “hosts” permissions. There could be
an argument made that the edit_hosts permission should be required,
which would also be acceptable.
I can file a bug report if you also agree it should be a bug.
On Thursday, December 3, 2015 at 3:01:54 AM UTC-5, Dominic Cleal wrote:
On 02/12/15 23:16, Michael Griffin wrote:
>
> I'm trying to create a role that will allow a user to create/edit
> parameters on hosts (among other things like change the host's
environment).
>
> Currently, the role has the following filters:
>
> Environment view_environments
>
> Fact value view_facts
>
> Host Group view_hostgroups
>
> Host/managed view_hosts, edit_hosts
>
> Parameter create_params, edit_params
>
>
> This permission set currently does not allow me to create or edit
Host
> parameters. When I run a curl against the API, I get an error message
> "Resource parameter not found by id ''". I've confirmed if I
change the
> user's permissions to Manager, everything works as expected, but I
> obviously want to keep the permissions restricted.
>
> Any ideas what the missing permission filter would be? I'd rather
not go
> permission by permission, because it's likely a combination of
> permissions I'm missing.
If you can provide the log from Foreman (production.log) during the
request with SQL debugging enabled, it may point to which resource
you're missing a permission for:
http://theforeman.org/manuals/1.9/index.html#7.2Debugging
<http://theforeman.org/manuals/1.9/index.html#7.2Debugging>
--
Dominic Cleal
dom...@cleal.org <javascript:>
–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com
mailto:foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com
mailto:foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
Thanks. We're currently on 1.8.2, but plan to move to 1.10 once it's GA.
I'll make note to test this once we upgrade.
···
On Monday, December 7, 2015 at 4:21:56 AM UTC-5, Dominic Cleal wrote:
>
> Yes, that definitely isn't correct. I'd agree that edit_hosts should
> probably be required to match the UI behaviour (where you'd need edit to
> open the form for the resource).
>
> I'd suggest giving it a try with Foreman 1.10 though, as I think that
> http://projects.theforeman.org/issues/8343 might have fixed the issue.
>
> Cheers,
>
> --
> Dominic Cleal
> dom...@cleal.org
>
> On 04/12/15 21:12, Michael Griffin wrote:
> > Thank you for the reply. I think I found the issue, which I think should
> > be a bug.
> >
> > To create a nested parameter on a host, a user/role requires both
> > *create_params* and *create_hosts*.
> > To update a nested parameter, a user/role requires both *edit_params"
> > and *edit_hosts*.
> > To delete a nested parameter, a user/role requires both *destroy_params*
> > and *destroy_hosts*.
> >
> > I think that the bug is that all these actions (create, update, destroy)
> > should not require both "params" and "hosts" permissions. There could be
> > an argument made that the *edit_hosts* permission should be required,
> > which would also be acceptable.
> >
> > I can file a bug report if you also agree it should be a bug.
> >
> > On Thursday, December 3, 2015 at 3:01:54 AM UTC-5, Dominic Cleal wrote:
> >
> > On 02/12/15 23:16, Michael Griffin wrote:
> > >
> > > I'm trying to create a role that will allow a user to create/edit
> > > parameters on hosts (among other things like change the host's
> > environment).
> > >
> > > Currently, the role has the following filters:
> > >
> > > Environment view_environments
> > >
> > > Fact value view_facts
> > >
> > > Host Group view_hostgroups
> > >
> > > Host/managed view_hosts, edit_hosts
> > >
> > > Parameter create_params, edit_params
> > >
> > >
> > > This permission set currently does not allow me to create or edit
> > Host
> > > parameters. When I run a curl against the API, I get an error
> message
> > > "Resource parameter not found by id ''". I've confirmed if I
> > change the
> > > user's permissions to Manager, everything works as expected, but I
> > > obviously want to keep the permissions restricted.
> > >
> > > Any ideas what the missing permission filter would be? I'd rather
> > not go
> > > permission by permission, because it's likely a combination of
> > > permissions I'm missing.
> >
> > If you can provide the log from Foreman (production.log) during the
> > request with SQL debugging enabled, it may point to which resource
> > you're missing a permission for:
> >
> > http://theforeman.org/manuals/1.9/index.html#7.2Debugging
> >
> >
> > --
> > Dominic Cleal
> > dom...@cleal.org
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Foreman users" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to foreman-user...@googlegroups.com
> > <mailto:foreman-users+unsubscribe@googlegroups.com >.
> > To post to this group, send email to forema...@googlegroups.com
>
> > <mailto:forema...@googlegroups.com >.
> > Visit this group at http://groups.google.com/group/foreman-users.
> > For more options, visit https://groups.google.com/d/optout.
>
>
