Unable to create OS with nonadmin user

Problem:
I am unable to create an Operating System resource with a nonadmin user in a nondefault organization with the ‘Organization admin’ role (cloned and assigned to the same org).
When I try to create an OS with name ‘test’ and major version 55 and don't choose a Family, I am able to create the Operating system.
When I try to create the same OS with a family selected (Redhat), I get the following error:
Unable to save You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified organizations

Hammer CLI gives me the same error.

When admin user creates the OS, I am able to update the Operating system without issue.

Expected outcome:
Operating system is created.

Foreman and Proxy versions:
1.17.1, 1.17.1
Foreman and Proxy plugin versions:
discovery 11.0.0
Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]

hammer -c foreman.yml os create --name test --major 9 --family Redhat
Could not create the operating system:
  You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified organizations

Is that user assigned to the given organization? Note that not only the role needs to be assigned to it but also the user. Could you also double-check the role has a filter with this permission? Is it limited by any search query?

What do you mean by search query?
This should answer the rest:

### hammer under admin

# hammer user info --login myuser
Id:                    5
Login:                 myuser
Name:                  xxxxxxxxxxxxxxxx
Email:                 xxxxxxxxxxxxxxxx
Admin:                 no
Last login:            2018/06/14 11:35:28
Authorized by:         Cloud
Effective admin:       no
Locale:                default
Timezone:              
Description:           
Default organization:  
Default location:      
Roles:                 
    Cloud adm role
User groups:           

Inherited User groups: 

Organizations:         
    Cloud
Created at:            2018/06/13 14:13:30
Updated at:            2018/06/14 11:40:37

# hammer role info --id 13                                                                                                                                          
Id:            13                                                                                                                                                              
Name:          Cloud adm role                                                                                                                                                  
Builtin:       no                                                                                                                                                              
Description:   Role granting all permissions except for managing organizations. It can be used to delegate administration of specific organization to a user. In order to create such role, clone this role and assign desired organizations
Organizations:                                                                                                                                                                 
    Cloud

# hammer role filters --id 13                                                                                                                                       
----|----------------------|--------|------------|-----------|----------------|---------------------------------------------------------------------------------               
ID  | RESOURCE TYPE        | SEARCH | UNLIMITED? | OVERRIDE? | ROLE           | PERMISSIONS                                                                                    
----|----------------------|--------|------------|-----------|----------------|---------------------------------------------------------------------------------               
295 | Architecture         | none   | yes        | no        | Cloud adm role | view_architectures, create_architectures, edit_architectures, destroy_archite...               
296 | Audit                | none   | yes        | no        | Cloud adm role | view_audit_logs
297 | AuthSourceLdap       | none   | no         | no        | Cloud adm role | view_authenticators, create_authenticators, edit_authenticators, destroy_auth...
298 | Bookmark             | none   | yes        | no        | Cloud adm role | view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
299 | ComputeProfile       | none   | yes        | no        | Cloud adm role | view_compute_profiles, create_compute_profiles, edit_compute_profiles, destro...
300 | ComputeResource      | none   | no         | no        | Cloud adm role | view_compute_resources, create_compute_resources, edit_compute_resources, des...
301 | ConfigGroup          | none   | yes        | no        | Cloud adm role | view_config_groups, create_config_groups, edit_config_groups, destroy_config_...
302 | (Miscellaneous)      | none   | yes        | no        | Cloud adm role | access_dashboard, view_plugins, view_statistics, view_tasks
303 | Domain               | none   | no         | no        | Cloud adm role | view_domains, create_domains, edit_domains, destroy_domains
304 | Environment          | none   | no         | no        | Cloud adm role | view_environments, create_environments, edit_environments, destroy_environmen...
305 | ExternalUsergroup    | none   | yes        | no        | Cloud adm role | view_external_usergroups, create_external_usergroups, edit_external_usergroup...
306 | FactValue            | none   | yes        | no        | Cloud adm role | view_facts, upload_facts
307 | Filter               | none   | no         | no        | Cloud adm role | view_filters
308 | HostClass            | none   | yes        | no        | Cloud adm role | edit_classes
309 | Hostgroup            | none   | no         | no        | Cloud adm role | view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups
310 | Host                 | none   | no         | no        | Cloud adm role | view_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts...
311 | HttpProxy            | none   | no         | no        | Cloud adm role | view_http_proxies, create_http_proxies, edit_http_proxies, destroy_http_proxies
312 | Image                | none   | yes        | no        | Cloud adm role | view_images, create_images, edit_images, destroy_images
313 | KeyPair              | none   | yes        | no        | Cloud adm role | view_keypairs, destroy_keypairs
314 | Location             | none   | yes        | no        | Cloud adm role | view_locations, create_locations, edit_locations, destroy_locations, assign_l...
315 | PuppetclassLookupKey | none   | yes        | no        | Cloud adm role | view_external_parameters, create_external_parameters, edit_external_parameter...
316 | MailNotification     | none   | yes        | no        | Cloud adm role | view_mail_notifications
317 | Medium               | none   | no         | no        | Cloud adm role | view_media, create_media, edit_media, destroy_media
318 | Model                | none   | yes        | no        | Cloud adm role | view_models, create_models, edit_models, destroy_models
319 | VariableLookupKey    | none   | yes        | no        | Cloud adm role | view_external_variables, create_external_variables, edit_external_variables, ...
320 | Operatingsystem      | none   | yes        | no        | Cloud adm role | view_operatingsystems, create_operatingsystems, edit_operatingsystems, destro...
321 | Organization         | none   | no         | no        | Cloud adm role | view_organizations, edit_organizations, assign_organizations
322 | Parameter            | none   | yes        | no        | Cloud adm role | view_params, create_params, edit_params, destroy_params
323 | PersonalAccessToken  | none   | yes        | no        | Cloud adm role | view_personal_access_tokens, create_personal_access_tokens, revoke_personal_a...
324 | Ptable               | none   | no         | no        | Cloud adm role | view_ptables, create_ptables, edit_ptables, destroy_ptables, lock_ptables
325 | ProvisioningTemplate | none   | no         | no        | Cloud adm role | view_provisioning_templates, create_provisioning_templates, edit_provisioning...
326 | Puppetclass          | none   | yes        | no        | Cloud adm role | view_puppetclasses, create_puppetclasses, edit_puppetclasses, destroy_puppetc...
327 | Realm                | none   | no         | no        | Cloud adm role | view_realms, create_realms, edit_realms, destroy_realms
328 | Role                 | none   | yes        | no        | Cloud adm role | view_roles
329 | SmartProxy           | none   | no         | no        | Cloud adm role | view_smart_proxies, create_smart_proxies, edit_smart_proxies, destroy_smart_p...
330 | SshKey               | none   | yes        | no        | Cloud adm role | view_ssh_keys, create_ssh_keys, destroy_ssh_keys
331 | Subnet               | none   | no         | no        | Cloud adm role | view_subnets, create_subnets, edit_subnets, destroy_subnets, import_subnets
332 | Trend                | none   | yes        | no        | Cloud adm role | view_trends, create_trends, edit_trends, destroy_trends, update_trends
333 | Usergroup            | none   | yes        | no        | Cloud adm role | view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups
334 | User                 | none   | no         | no        | Cloud adm role | view_users, create_users, edit_users, destroy_user
335 | ConfigReport         | none   | yes        | no        | Cloud adm role | view_config_reports, destroy_config_reports, upload_config_reports
336 | DiscoveryRule        | none   | no         | no        | Cloud adm role | view_discovery_rules, create_discovery_rules, edit_discovery_rules, execute_d...
----|----------------------|--------|------------|-----------|----------------|---------------------------------------------------------------------------------

### hammer under user myuser
# hammer -c foreman.yml os list
---|--------|--------------|-------
ID | TITLE  | RELEASE NAME | FAMILY
---|--------|--------------|-------
1  | CentOS |              | Redhat
2  | Debian |              | Debian
---|--------|--------------|-------

# hammer -c foreman.yml os create --name Fedora --major 28
Could not create the operating system:
  You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified organizations

# hammer -c foreman.yml os create --name Fedora --major 28 --family Redhat
Could not create the operating system:
  You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified organizations

# hammer -c foreman.yml os create --name Fed --major 28 --family Redhat
Could not create the operating system:
  You don't have permission create_operatingsystems with attributes that you have specified or you don't have access to specified organizations

# hammer -c foreman.yml os create --name Fed --major 28
Operating system created.

# hammer -c foreman.yml os list
---|--------|--------------|-------
ID | TITLE  | RELEASE NAME | FAMILY
---|--------|--------------|-------
1  | CentOS |              | Redhat
2  | Debian |              | Debian
7  | Fed 28 |              |       
---|--------|--------------|-------