Proper filter setup for restricted remote execution?

In our org we have a backend infra team and a frontend helpdesk team. The frontend team would like to be able to run remote execution jobs; however, I’m trying (for several days unsuccessfully) to impose the following constraints:

  • They only have the ability to run jobs against desktop systems
  • They have to use their user credentials
    • They should not have the ability to use the global SSH user and foreman-proxy SSH private key

I’ve shared the latest role config below, but is this even possible? Unless I mark the Template Invocation resource as unlimited, job submissions fail with the reported error.

Foreman and Proxy versions: 3.9.1 (single node)

Foreman and Proxy plugin versions: Katello 4.11.0

Distribution and version: Rocky Linux 8.9

Other relevant data:

Error message:

PG::NotNullViolation: ERROR: null value in column "template_id" violates not-null constraint

Role filter config:

$ hammer --output base filter list --search role_id=30 --order resource --fields "resource type,search,unlimited?,permissions" --per-page "all"

Resource type: (Miscellaneous)
Search:        none
Unlimited?:    yes
Permissions:   access_dashboard, view_statuses, generate_ansible_inventory

Resource type: Architecture
Search:        none
Unlimited?:    yes
Permissions:   view_architectures

Resource type: Audit
Search:        none
Unlimited?:    yes
Permissions:   view_audit_logs

Resource type: Bookmark
Search:        none
Unlimited?:    yes
Permissions:   edit_bookmarks, create_bookmarks

Resource type: ComputeProfile
Search:        none
Unlimited?:    yes
Permissions:   view_compute_profiles, create_compute_profiles, destroy_compute_profiles, edit_compute_profiles

Resource type: ComputeResource
Search:        none
Unlimited?:    yes
Permissions:   destroy_vm_compute_resources, create_compute_resources_vms, destroy_compute_resources_vms, edit_compute_resources_vms, power_compute_resources_vms, power_vm_compute_resources, view_compute_resources, view_compute_resources_vms

Resource type: ConfigReport
Search:        none
Unlimited?:    yes
Permissions:   view_config_reports

Resource type: Domain
Search:        none
Unlimited?:    yes
Permissions:   view_domains

Resource type: FactValue
Search:        none
Unlimited?:    yes
Permissions:   view_facts

Resource type: ForemanTasks::RecurringLogic
Search:        none
Unlimited?:    yes
Permissions:   edit_recurring_logics, create_recurring_logics, view_recurring_logics

Resource type: ForemanTasks::Task
Search:        none
Unlimited?:    yes
Permissions:   view_foreman_tasks

Resource type: Host
Search:        hostgroup_fullname  ~  Desktops
Unlimited?:    no
Permissions:   create_hosts, view_hosts, power_hosts, edit_hosts, destroy_hosts, build_hosts

Resource type: Hostgroup
Search:        name  ~  Desktops  or  title  ~  Desktops
Unlimited?:    no
Permissions:   view_hostgroups

Resource type: Image
Search:        none
Unlimited?:    yes
Permissions:   view_images

Resource type: JobInvocation
Search:        none
Unlimited?:    yes
Permissions:   view_job_invocations, execute_jobs_on_infrastructure_hosts, create_job_invocations, cancel_job_invocations

Resource type: JobTemplate
Search:        none
Unlimited?:    yes
Permissions:   view_job_templates

Resource type: Katello::ActivationKey
Search:        none
Unlimited?:    yes
Permissions:   view_activation_keys

Resource type: Katello::ContentCredential
Search:        none
Unlimited?:    yes
Permissions:   view_content_credentials

Resource type: Katello::ContentView
Search:        none
Unlimited?:    yes
Permissions:   view_content_views

Resource type: Katello::HostCollection
Search:        none
Unlimited?:    yes
Permissions:   view_host_collections, create_host_collections, edit_host_collections

Resource type: Katello::KTEnvironment
Search:        none
Unlimited?:    yes
Permissions:   view_lifecycle_environments

Resource type: Katello::Product
Search:        none
Unlimited?:    yes
Permissions:   view_products

Resource type: Location
Search:        none
Unlimited?:    yes
Permissions:   view_locations

Resource type: LookupValue
Search:        none
Unlimited?:    yes
Permissions:   view_lookup_values

Resource type: Operatingsystem
Search:        name  ~  RockyLinux
Unlimited?:    no
Permissions:   view_operatingsystems

Resource type: Organization
Search:        none
Unlimited?:    yes
Permissions:   view_organizations

Resource type: Parameter
Search:        none
Unlimited?:    yes
Permissions:   edit_params, create_params, view_params

Resource type: ProvisioningTemplate
Search:        none
Unlimited?:    yes
Permissions:   deploy_provisioning_templates, view_provisioning_templates

Resource type: Ptable
Search:        none
Unlimited?:    yes
Permissions:   view_ptables

Resource type: ReportTemplate
Search:        none
Unlimited?:    yes
Permissions:   create_report_templates, view_report_templates, generate_report_templates, edit_report_templates

Resource type: SmartProxy
Search:        none
Unlimited?:    yes
Permissions:   view_smart_proxies

Resource type: Subnet
Search:        none
Unlimited?:    yes
Permissions:   view_subnets

Resource type: TemplateInvocation
Search:        host_group.name  ~  Desktops
Unlimited?:    no
Permissions:   create_template_invocations, view_template_invocations, filter_autocompletion_for_template_invocation

Desktops are in nested hostgroups depending on deployment, i.e.:

  • Desktops/<lifecycle>/Physical
  • Desktops/<lifecycle>/Virtual

You might be able to make it work with some of the options mentioned here in the docs, but at least the SSH User and Password option (which is probably what you would be looking for) seem to be rather new (at least I cannot find them on my dusted Foreman 3.2).

This should be rather easy. I have created a role in the past for a similar use-case that works quite well.
I use the following permissions:

# hammer --output base filter list --search role_id=24 --order resource --fields "resource type,search,unlimited?,permissions" --per-page "all"
Resource type: Host
Search:        < hosts to deploy on >
Unlimited?:    no
Permissions:   view_hosts

Resource type: JobInvocation
Search:        none
Unlimited?:    yes
Permissions:   view_job_invocations, create_job_invocations, execute_jobs_on_infrastructure_hosts

Resource type: JobTemplate
Search:        < Allowed templates >
Unlimited?:    no
Permissions:   view_job_templates

Resource type: SmartProxy
Search:        none
Unlimited?:    no
Permissions:   view_smart_proxies

Resource type: TemplateInvocation
Search:        < Same filter as for view Job templates >
Unlimited?:    no
Permissions:   create_template_invocations, view_template_invocations, filter_autocompletion_for_template_invocation

You can find some more info in the docs.
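Added example, not part of the thread or of Foreman: a small Python check that parses the `hammer --output base filter list` format shown above and compares a role with the layout in the second reply (Host, JobTemplate and TemplateInvocation limited, with TemplateInvocation using the same search as JobTemplate). The function names, the `MUST_BE_SCOPED` policy and the assumption of one filter per resource type are hypothetical; the sample is constructed from three records of the role 30 listing.

```python
import re

# Constructed sample: three records excerpted from the role 30 listing in the question.
SAMPLE = """\
Resource type: Host
Search:        hostgroup_fullname  ~  Desktops
Unlimited?:    no
Permissions:   create_hosts, view_hosts, power_hosts, edit_hosts, destroy_hosts, build_hosts

Resource type: JobTemplate
Search:        none
Unlimited?:    yes
Permissions:   view_job_templates

Resource type: TemplateInvocation
Search:        host_group.name  ~  Desktops
Unlimited?:    no
Permissions:   create_template_invocations, view_template_invocations, filter_autocompletion_for_template_invocation
"""

MUST_BE_SCOPED = ("Host", "JobTemplate", "TemplateInvocation")  # assumption: limited in the second reply's role

def parse_filters(text):
    """Parse blank-line separated 'Key: value' records into {resource type: fields}."""
    filters = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                rec[key.strip()] = " ".join(value.split())  # collapse padding
        if "Resource type" in rec:  # skips the command line and stray text
            filters[rec["Resource type"]] = {
                "search": None if rec.get("Search", "none") == "none" else rec["Search"],
                "unlimited": rec.get("Unlimited?") == "yes",
                "permissions": [p.strip() for p in rec.get("Permissions", "").split(",")],
            }
    return filters

def audit(filters):
    """List the places where a role departs from the scoped layout."""
    findings = [f"{r}: filter is unlimited" for r in MUST_BE_SCOPED
                if r in filters and filters[r]["unlimited"]]
    jt, ti = filters.get("JobTemplate"), filters.get("TemplateInvocation")
    if jt and ti and jt["search"] != ti["search"]:
        findings.append("TemplateInvocation search differs from JobTemplate search")
    return findings

print("\n".join(audit(parse_filters(SAMPLE))))
```

To check a live role, feed `parse_filters` the captured output of the `hammer` command used in the posts instead of `SAMPLE`.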