I faced strange issue with hostgroups, puppetclasses and user permissions.
There is puppetclass with three hostgroups: A, B and C.
User can view and edit only B and C hostgroups.
User makes some changes in puppetclass parameters and saves them.
After that puppetclass have only two hostgroups: B and C.
User’s role restricts user to view only B and C groups, but allows unlimited editing of puppetclasses.
I want to know how is it normal behavior or some weird bug? Any workaround for this situation? I have only two ideas for the moment: give a administration rights to all users or let all users view and edit all hostgroups. Does anyone has better ideas?
Foreman and Proxy versions:
Foreman 3.2.1, Puppet 6
Found out that this issue seems like to be happen only if user chose a specific organization/location in filters on top of the page.
After that list of puppetclasses hostgroups contains only that hostgroup which contains selected organization or location. So when puppetclass saved, it lost all other hostgroups.
Can anyone else confirm that? Should I open an issue on Foreman bugtracker? Does anyone have any similar issues with that organizatioin/location filters?
So, I made a further investigate and was able to reproduce this bug.
It can be reproduced with any new users even without filters from my last comment.
Role grants restricted permissions to hostgroups (can edit and view only hostgroup with specific organization) and unlimited rights to edit puppetclasses.
Steps to reproduce:
- Assign puppetclass to some different hostgroups.
- Login as user who is allowed to edit puppetclasses, but can edit only some of hostgroups from step 1.
- Open a puppetclass from step 1, make any changes and press “submit”.
- Now log in as admin and see that puppetclass assigned only to that hostgroups that user from step 2 can edit. All other hostgroups are gone.
If user edits a puppetclass and doesn’t have rights to all groups which assigned to this puppetclass, then when saving the puppetclass, groups that are inaccessible to the user will be removed from the class.
Can anyone else confirm the same behavior?
This happen even for admin user. When these filters from picture above are set to some specific location and organization and you press “submit” at edit puppetclass form, all hostgroups are dissapeared except for those, which visible with organization/location filters.
I can confirm this happens for us, too.
Don’t know if this has been fixed in a recent release, since we are still on 3.2.
We have some shared hostgroups between certain organizations and when a user edits certain elements while being in the organization that has limited access to, some information is lost.
This is probably some weird glitch with how scoping and the UI code work together.
Sadly, I have no real solution to this, but it even happens with admin permissions if you set the organization to one that does not contain all your hostgroups.
Thanks for the answer. I have a plan to check this issue in newer versions of Foreman. Will update this thread later after tests.