Unable to install new hosts with regular user

Hello,

Has anyone else hit this issue? :)

We did a clean install of Foreman 1.1 today and it seems to have the same
problem: a user is not able to install a new VM (select domain, subnet,
etc.) unless the user is marked as admin. Could someone confirm if this is "how
it is supposed to work" or do I have some kind of misconfiguration
somewhere?

On Thursday, 7 February 2013 at 18.53.18 UTC+2, Samuli Heinonen wrote:

> Hello all,
>
> I upgraded today from Foreman 1.0.2 to 1.1 and now I'm facing a bit of a
> strange issue. A user without admin privileges isn't able to install new
> hosts with Foreman. I have tried setting all roles and settings on but no
> luck there. The new host form opens as expected but when the user tries to
> select "Deploy on", "Environment", "Host group", "Domain" nothing happens
> and it shows the following messages in the log file (this happens when the
> user selects a domain in the network tab):
>
> ---
>
> Started POST "/hosts/domain_selected" for x.x.x.x at Thu Feb 07 12:15:09 +0200 2013
>   Processing by HostsController#domain_selected as
>   Parameters: {"domain_id"=>"11", "organization_id"=>"2"}
>   User Load (0.2ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` = 3 LIMIT 1
> Setting current user thread-local variable to user
>   Setting Load (0.2ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'authorize_login_delegation' ORDER BY LOWER(settings.name) LIMIT 1
>   CACHE (0.0ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'authorize_login_delegation' ORDER BY LOWER(settings.name) LIMIT 1
>   TaxableTaxonomy Load (0.3ms)  SELECT DISTINCT `taxable_taxonomies`.taxonomy_id FROM `taxable_taxonomies` WHERE (`taxable_taxonomies`.taxable_id = 3 AND `taxable_taxonomies`.taxable_type = 'User')
>   SQL (0.2ms)  SELECT COUNT(*) FROM `taxonomies` WHERE `taxonomies`.`type` = 'Organization' AND ( (taxonomies.id in (1,2)))
>   Organization Load (0.3ms)  SELECT `taxonomies`.* FROM `taxonomies` WHERE `taxonomies`.`type` = 'Organization' AND ( (taxonomies.id in (1,2))) ORDER BY type, name LIMIT 1
> Setting current organization thread-local variable to organization
>   Role Load (0.2ms)  SELECT `roles`.* FROM `roles` INNER JOIN `user_roles` ON `roles`.id = `user_roles`.role_id WHERE ((`user_roles`.user_id = 3))
> Rendered common/403.rhtml (0.8ms)
> Completed 403 Forbidden in 46ms (Views: 4.1ms | ActiveRecord: 3.3ms)
>
> ---
>
> If I give the user administrator privileges everything works as planned.
> Any ideas what might be wrong?
>
> Cheers,
> Samuli Heinonen

Hi Samuli,

Sorry for the delayed response, I've just tested this and can confirm
I'm seeing the same.

I believe this is due to a security fix we put into 1.1RC5, which was
preventing authorisation bypass in Foreman on certain types of HTTP
requests (XMLHttpRequests). I think the fix is now blocking many
interactive components in the UI for non-admin users.

We received this PR to fix the auto-completion functionality for
instance: https://github.com/theforeman/foreman/pull/401

Could I ask you to open a bug with the logs and other info?
http://projects.theforeman.org/projects/foreman/issues/new

Thanks,

--
Dominic Cleal
Red Hat Engineering


You received this message because you are subscribed to the Google
Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
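
To see which UI actions are affected by a regression like the one discussed above, the 403 responses can be pulled out of the Rails log and grouped by controller action. This is an added example, not Foreman code: it assumes each request's lines are contiguous in the log and that the first `users`.`id` lookup after `Started` is the logged-in user, and the first request in the sample is constructed for contrast.

```ruby
# Constructed sample in the Rails log format quoted in this thread.
# The POST is shortened from the thread's log; the GET is invented.
SAMPLE_LOG = <<~'LOG'
  Started GET "/hosts/new" for x.x.x.x at Thu Feb 07 12:15:01 +0200 2013
    Processing by HostsController#new as HTML
    User Load (0.2ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` = 3 LIMIT 1
  Completed 200 OK in 120ms (Views: 80.0ms | ActiveRecord: 9.1ms)
  Started POST "/hosts/domain_selected" for x.x.x.x at Thu Feb 07 12:15:09 +0200 2013
    Processing by HostsController#domain_selected as
    Parameters: {"domain_id"=>"11", "organization_id"=>"2"}
    User Load (0.2ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` = 3 LIMIT 1
  Rendered common/403.rhtml (0.8ms)
  Completed 403 Forbidden in 46ms (Views: 4.1ms | ActiveRecord: 3.3ms)
LOG

Request = Struct.new(:verb, :path, :action, :user_id, :status)

# Split the log into requests. Assumes a single worker writes the log,
# so lines between "Started" and "Completed" belong to one request.
def parse_requests(log)
  requests = []
  current = nil
  log.each_line do |line|
    case line
    when /^Started (\w+) "([^"]+)"/
      current = Request.new($1, $2)
      requests << current
    when /Processing by (\w+(?:::\w+)*#\w+)/
      current.action = $1 if current
    when /`users`\.`id` = (\d+) LIMIT 1/
      # Assumption: the first user lookup is the session user.
      current.user_id ||= $1.to_i if current
    when /^Completed (\d{3})/
      current.status = $1.to_i if current
      current = nil
    end
  end
  requests
end

# Map each action that returned 403 to the user ids that were refused.
def forbidden_by_action(requests)
  requests.select { |r| r.status == 403 }
          .group_by(&:action)
          .transform_values { |rs| rs.map(&:user_id).compact.uniq.sort }
end

puts forbidden_by_action(parse_requests(SAMPLE_LOG)).inspect if __FILE__ == $0
```

An action that appears here for non-admin users but works for admins is a candidate for a missing permission mapping rather than a misconfigured role.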

Hello Dominic.

Thank you for your response. I have opened a bug for this issue,
Bug #2198: Unable to install new hosts with regular users - Foreman. Please let me know if you
need more information or log files.

-samuli


Hi Samuli,

Thanks, I'm working on it at the moment. We intend to release a fix for
1.1.

--
Dominic Cleal
Red Hat Engineering
