This repository has been archived by the owner on Sep 12, 2023. It is now read-only.

Restricted role satellite user #81

Open
nstrug opened this issue Sep 28, 2017 · 7 comments
Comments

@nstrug
Member

nstrug commented Sep 28, 2017

We need to restrict the role of the satellite jenkins user to minimum permissions required for running the job.

@pcfe
Collaborator

pcfe commented Sep 30, 2017

@ture-karlsson

I think I found it. We were lacking the view_organizations permission. I'll trigger a build, after the current publish is finished, and report back.

(my planned slot for this is CW44 but I might have a go at it during my vacation in CW40)

@nstrug next hackathon should be all day, we were so close. :-)

logs from our attempt on 2017/09/28

with this user

[root@satellite ~]# hammer user list --search "login = jenkins"
---|---------|------|-----------------------
ID | LOGIN   | NAME | EMAIL                 
---|---------|------|-----------------------
5  | jenkins | a b  | [email protected]
---|---------|------|-----------------------
[root@satellite ~]# hammer user info --id 5
Id:                   5
Login:                jenkins
Name:                 a b
Email:                [email protected]
Admin:                no
Authorised by:        Internal
Locale:               default
Timezone:             
Last login:           2017/09/30 03:26:08
Default organisation: 
Default location:     
Roles:                
    Anonymous
    jenkins CI
User groups:          

Locations:            
    Bergmannstraße
    loc-dmz
Organisations:        
    Sat Test
Created at:           2017/09/28 08:43:20
Updated at:           2017/09/30 03:26:08

using this role

[root@satellite ~]# hammer role info --name "jenkins CI"
Id:      22
Name:    jenkins CI
Builtin: No

[root@satellite ~]# hammer filter list --search "jenkins"
----|----------------------|-----------------------------------------|------------|------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE        | SEARCH                                  | UNLIMITED? | ROLE       | PERMISSIONS                                                                     
----|----------------------|-----------------------------------------|------------|------------|---------------------------------------------------------------------------------
177 | Katello::ContentView | name ~ SOE                              | no         | jenkins CI | view_content_views, edit_content_views, publish_content_views, promote_or_rem...
178 | Host                 | host_collection =  "Test Servers RHEL7" | no         | jenkins CI | view_hosts, build_hosts, power_hosts                                            
----|----------------------|-----------------------------------------|------------|------------|---------------------------------------------------------------------------------
[root@satellite ~]# hammer filter info --id 177
Id:            177
Resource type: Katello::ContentView
Search:        name ~ SOE
Unlimited?:    no
Role:          jenkins CI
Permissions:   view_content_views, edit_content_views, publish_content_views, promote_or_remove_content_views
Organisations: 
    Sat Test
Created at:    2017/09/28 08:45:08
Updated at:    2017/09/28 09:06:41

[root@satellite ~]# hammer filter info --id 178
Id:            178
Resource type: Host
Search:        host_collection =  "Test Servers RHEL7"
Unlimited?:    no
Role:          jenkins CI
Permissions:   view_hosts, build_hosts, power_hosts
Locations:     
    Bergmannstraße
Organisations: 
    Sat Test
Created at:    2017/09/28 08:46:40
Updated at:    2017/09/28 08:46:40

we got

+ ssh -q -l jenkins -i /var/lib/jenkins/.ssh/id_rsa satellite.internal.pcfe.net 'hammer content-view publish --name "cv-Jenkins-SOE-el7" --organization "Sat Test" --description "Build http://jenkins.internal.pcfe.net:8080/job/SOE-el7/216/"'
Could not publish the content view:
  Forbidden - server refused to process the request

hammer itself is usable by the jenkins user

[jenkins@satellite ~]$ hammer host list
---|----------------------------------|------------------|------------|-----------------|------------------
ID | NAME                             | OPERATING SYSTEM | HOST GROUP | IP              | MAC              
---|----------------------------------|------------------|------------|-----------------|------------------
2  | sattestclient01.sattest.pcfe.net | RedHat 7.4       | SOE-el7    | 192.168.200.101 | 52:54:00:c7:7a:da
---|----------------------------------|------------------|------------|-----------------|------------------

But view_organizations permission was missing.

[jenkins@satellite ~]$ hammer content-view publish --name "cv-Jenkins-SOE-el7" --organization "Sat Test" --description "testing this"
Could not publish the content view:
  Forbidden - server refused to process the request
[root@satellite foreman]# tail -f production.log
2017-09-30 13:08:21 a02e7bfa [app] [I] Started GET "/katello/api/organizations?search=name+%3D+%22Sat+Test%22" for 127.0.0.1 at 2017-09-30 13:08:21 +0200
2017-09-30 13:08:22 a02e7bfa [app] [I] Processing by Katello::Api::V2::OrganizationsController#index as JSON
2017-09-30 13:08:22 a02e7bfa [app] [I]   Parameters: {"search"=>"name = \"Sat Test\"", "api_version"=>"v2", "organization"=>{}}
2017-09-30 13:08:22 a02e7bfa [app] [I] Authorized user jenkins(a b)
2017-09-30 13:08:22 a02e7bfa [app] [I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.5ms)
2017-09-30 13:08:22 a02e7bfa [app] [I] Filter chain halted as :authorize rendered or redirected
2017-09-30 13:08:22 a02e7bfa [app] [I] Completed 403 Forbidden in 78ms (Views: 1.1ms | ActiveRecord: 53.6ms)

I have just granted the user that permission and was able to

[jenkins@satellite ~]$ hammer content-view publish --name "cv-Jenkins-SOE-el7" --organization "Sat Test" --description "testing this"

@pcfe
Collaborator

pcfe commented Sep 30, 2017

This will take a few iterations to get the complete list of permissions from production.log; the next failure is when the scripts try to delete kickstarts.
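An added example, not part of the issue thread and not the project's own tooling: a Python script that groups production.log lines by request id and lists every request that completed with 403 Forbidden, together with the authorized user, the controller#action whose :authorize filter halted, and the request path, so one pass over the log shows all refused calls instead of discovering them one build at a time. The sample log is the denied request pasted above plus a constructed request that succeeded. The permission suggestion is a heuristic based only on the view_/create_/edit_/destroy_<resource> naming visible in this thread (OrganizationsController#index needed view_organizations); it is not a lookup in Foreman and has to be confirmed against `hammer filter info`.

```python
"""List the requests a Foreman/Satellite user was refused, from production.log.

Groups log lines by their request id and, for each request that completed with
403 Forbidden, reports the authorized user, the controller#action whose
:authorize filter halted, and the request path. The permission suggestion only
follows the view_/create_/edit_/destroy_<resource> naming seen in this thread;
it is a hint to check against `hammer filter info`, not a lookup in Foreman.
"""
import re
from collections import defaultdict

# Constructed sample: the denied request pasted in the issue, followed by a
# made-up request that succeeded, so the report has something to ignore.
SAMPLE_LOG = r"""
2017-09-30 13:08:21 a02e7bfa [app] [I] Started GET "/katello/api/organizations?search=name+%3D+%22Sat+Test%22" for 127.0.0.1 at 2017-09-30 13:08:21 +0200
2017-09-30 13:08:22 a02e7bfa [app] [I] Processing by Katello::Api::V2::OrganizationsController#index as JSON
2017-09-30 13:08:22 a02e7bfa [app] [I]   Parameters: {"search"=>"name = \"Sat Test\"", "api_version"=>"v2", "organization"=>{}}
2017-09-30 13:08:22 a02e7bfa [app] [I] Authorized user jenkins(a b)
2017-09-30 13:08:22 a02e7bfa [app] [I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.5ms)
2017-09-30 13:08:22 a02e7bfa [app] [I] Filter chain halted as :authorize rendered or redirected
2017-09-30 13:08:22 a02e7bfa [app] [I] Completed 403 Forbidden in 78ms (Views: 1.1ms | ActiveRecord: 53.6ms)
2017-09-30 13:09:01 b7c31d02 [app] [I] Started GET "/api/hosts" for 127.0.0.1 at 2017-09-30 13:09:01 +0200
2017-09-30 13:09:01 b7c31d02 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-09-30 13:09:01 b7c31d02 [app] [I] Authorized user jenkins(a b)
2017-09-30 13:09:01 b7c31d02 [app] [I] Completed 200 OK in 40ms (Views: 2.0ms | ActiveRecord: 10.0ms)
"""

# "<date> <time> <request id> [app] [<level>] <message>"
LINE_RE = re.compile(r"^(\S+ \S+) ([0-9a-f]+) \[app\] \[\w\] (.*)$")

# Rails action -> Foreman permission verb (assumed from the names in the thread).
ACTION_TO_VERB = {"index": "view", "show": "view", "create": "create",
                  "update": "edit", "destroy": "destroy"}


def parse_requests(log_text):
    """Group log lines by request id; keep method, path, controller, user, status."""
    reqs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req, msg = reqs[m.group(2)], m.group(3).strip()
        if s := re.match(r'Started (\w+) "([^"]+)"', msg):
            req["method"], req["path"] = s.group(1), s.group(2)
        elif s := re.match(r"Processing by (\S+)#(\w+)", msg):
            req["controller"], req["action"] = s.group(1), s.group(2)
        elif s := re.match(r"Authorized user ([^(]+)\(", msg):
            req["user"] = s.group(1)
        elif s := re.match(r"Completed (\d{3})", msg):
            req["status"] = int(s.group(1))
    return dict(reqs)


def suggest_permission(controller, action):
    """'Katello::Api::V2::OrganizationsController', 'index' -> 'view_organizations'."""
    resource = re.sub(r"Controller$", "", controller.rsplit("::", 1)[-1])
    resource = re.sub(r"(?<!^)(?=[A-Z])", "_", resource).lower()  # CamelCase -> snake_case
    return f"{ACTION_TO_VERB.get(action, action)}_{resource}"


def denied_requests(log_text):
    """Return one record per 403 response, with the likely missing permission."""
    denied = []
    for rid, r in parse_requests(log_text).items():
        if r.get("status") == 403 and "controller" in r:
            denied.append({
                "request_id": rid,
                "user": r.get("user", "?"),
                "endpoint": f"{r['controller']}#{r['action']}",
                "path": r.get("path", "?"),
                "likely_permission": suggest_permission(r["controller"], r["action"]),
            })
    return denied


if __name__ == "__main__":
    for d in denied_requests(SAMPLE_LOG):
        print(f"{d['request_id']} {d['user']} {d['endpoint']} {d['path']} -> {d['likely_permission']}")
```

Run it against a real log with `denied_requests(open("/var/log/foreman/production.log").read())`; a job that reproduces the whole pipeline once then yields every refused endpoint at once, and each suggested name is only a starting point for the next `hammer filter create`.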

@pcfe
Collaborator

pcfe commented Sep 30, 2017

note to self:
gave the jenkins user admin rights for now so that I do not have broken builds during my vacation.
revisit in CW44 if still open.

@ture-karlsson
Collaborator

ture-karlsson commented Oct 4, 2017

That makes sense since we have "--organization" in every hammer command. (I didn't see the error because I had set organization default on the system I tested the user on).

May I suggest that you test the user and role creation with this script below? Then when all filters are correct, it can be used when setting up the environment as well.

#!/bin/bash
# abort on the first failing hammer call so a half-created role is not left behind
set -euo pipefail

# create role
hammer role create --name "SOE-CI-Jenkins"

# create filter for content views
hammer filter create \
--permissions "view_content_views,edit_content_views,publish_content_views,promote_or_remove_content_views" \
--search "name ~ SOE" \
--role "SOE-CI-Jenkins"

# create filter for hosts in host collection
hammer filter create \
--permissions "view_hosts,edit_hosts,build_hosts,power_hosts" \
--search "host_collection ='Test Servers'" \
--role "SOE-CI-Jenkins"

# create filter to view organizations
hammer filter create \
--permissions "view_organizations" \
--role "SOE-CI-Jenkins"

# create user jenkins
hammer user create \
--login jenkins \
--password jenkins \
--auth-source-id 1 \
--mail [email protected] \
--organizations "Sat Test"

# assign role to user
hammer user add-role --login jenkins --role "SOE-CI-Jenkins"

For debugging, delete and recreate:

hammer user delete --login jenkins
hammer role delete --name "SOE-CI-Jenkins"

@pcfe
Collaborator

pcfe commented Oct 5, 2017

@ture-karlsson yeah, it's on my list of things to look at in CW44 (in addition to the issues I own) but this is your issue ;-)

feel free to submit your results before that.

If you have no setup you can test with, then assign this issue to me (well and grab me in internal IRC next week so that we can make sure you somehow get your own test setup)

@ture-karlsson
Collaborator

Yes, I haven't found any time to work on this yet, sorry.

@pcfe
Collaborator

pcfe commented Oct 22, 2020

note to self: my current WIP role is as follows

[root@sat ~]# hammer role info --id 35
Id:            35
Name:          WIP soe-ci
Builtin:       no
Description:   this will eventually replace the role "Edit soe-ci related hosts" since I need also the permissions
- sync soe-ci repos
- edit the CVs
- destroy/create host (for image based install)
Once I am done, the "WIP" will be removed

pcfe, 2020-08-27
Locations:
    [REDACTED]
Organizations:
    [REDACTED]

[root@sat ~]# hammer role filters --id 35
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                           | UNLIMITED? | OVERRIDE? | ROLE       | PERMISSIONS
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
430 | Katello::Product        | name  =  prd-acme-soe            | no         | no        | WIP soe-ci | view_products, create_products, edit_products, destroy_products, sync_products
440 | ProvisioningTemplate    | none                             | no         | no        | WIP soe-ci | view_provisioning_templates, create_provisioning_templates, edit_provisioning...
431 | Katello::ContentView    | name ~ cv-soe-ci                 | no         | no        | WIP soe-ci | view_content_views, edit_content_views, publish_content_views, promote_or_rem...
434 | Organization            | none                             | no         | no        | WIP soe-ci | view_organizations, assign_organizations
435 | Location                | none                             | no         | no        | WIP soe-ci | view_locations, assign_locations
436 | Katello::ActivationKey  | none                             | no         | no        | WIP soe-ci | view_activation_keys
437 | Parameter               | none                             | yes        | no        | WIP soe-ci | edit_params
438 | HostClass               | none                             | yes        | no        | WIP soe-ci | edit_classes
439 | ConfigReport            | none                             | yes        | no        | WIP soe-ci | view_config_reports
442 | Katello::KTEnvironment  | name  !~ production              | no         | no        | WIP soe-ci | promote_or_remove_content_views_to_environments
432 | Hostgroup               | name ~  soe-ci                   | no         | no        | WIP soe-ci | view_hostgroups, edit_hostgroups
441 | Katello::HostCollection | name ~ hc-soe-el                 | no         | no        | WIP soe-ci | view_host_collections
433 | Host                    | hostgroup_title ~ foo-dev/soe-ci | no         | no        | WIP soe-ci | view_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts...
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
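An added example, not from the issue thread and not the project's own code: a Python audit of the `hammer role filters` table pasted above for the least-privilege red flags a reviewer would look for before signing off the WIP role: filters marked unlimited (no search restriction, so every object of that resource type), filters that grant destroy_*/delete_* permissions, and rows whose PERMISSIONS cell hammer truncated with `...`, which must be read in full with `hammer filter info --id` before the role is judged. The sample input is the table as pasted in the comment; the three flag rules are my own assumptions about what deserves a second look, not Foreman policy.

```python
"""Audit a Satellite/Foreman role's filters for least-privilege red flags.

Parses the text table printed by `hammer role filters --id <ID>` and flags:
  - unlimited filters (no search restriction: every object of that type),
  - filters granting destroy_*/delete_* permissions,
  - rows whose PERMISSIONS cell hammer truncated with "...", which must be
    read in full with `hammer filter info --id <ID>` before signing off.
The table below is the one pasted in the issue; the flag rules are assumptions.
"""

# Sample input: `hammer role filters --id 35` output as pasted in the issue.
SAMPLE_TABLE = """\
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                           | UNLIMITED? | OVERRIDE? | ROLE       | PERMISSIONS
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
430 | Katello::Product        | name  =  prd-acme-soe            | no         | no        | WIP soe-ci | view_products, create_products, edit_products, destroy_products, sync_products
440 | ProvisioningTemplate    | none                             | no         | no        | WIP soe-ci | view_provisioning_templates, create_provisioning_templates, edit_provisioning...
431 | Katello::ContentView    | name ~ cv-soe-ci                 | no         | no        | WIP soe-ci | view_content_views, edit_content_views, publish_content_views, promote_or_rem...
434 | Organization            | none                             | no         | no        | WIP soe-ci | view_organizations, assign_organizations
435 | Location                | none                             | no         | no        | WIP soe-ci | view_locations, assign_locations
436 | Katello::ActivationKey  | none                             | no         | no        | WIP soe-ci | view_activation_keys
437 | Parameter               | none                             | yes        | no        | WIP soe-ci | edit_params
438 | HostClass               | none                             | yes        | no        | WIP soe-ci | edit_classes
439 | ConfigReport            | none                             | yes        | no        | WIP soe-ci | view_config_reports
442 | Katello::KTEnvironment  | name  !~ production              | no         | no        | WIP soe-ci | promote_or_remove_content_views_to_environments
432 | Hostgroup               | name ~  soe-ci                   | no         | no        | WIP soe-ci | view_hostgroups, edit_hostgroups
441 | Katello::HostCollection | name ~ hc-soe-el                 | no         | no        | WIP soe-ci | view_host_collections
433 | Host                    | hostgroup_title ~ foo-dev/soe-ci | no         | no        | WIP soe-ci | view_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts...
----|-------------------------|----------------------------------|------------|-----------|------------|---------------------------------------------------------------------------------
"""

DESTRUCTIVE_PREFIXES = ("destroy_", "delete_")


def parse_hammer_table(text):
    """Turn hammer's '|'-separated table into a list of {COLUMN: value} dicts."""
    header, rows = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= set("-|"):
            continue  # blank line or '----|----' separator
        cells = [c.strip() for c in stripped.split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def split_permissions(cell):
    """Return (permissions, truncated). A trailing '...' means hammer cut the
    list short; the partial last name is dropped rather than guessed."""
    truncated = cell.endswith("...")
    names = [p.strip() for p in cell.rstrip(".").split(",") if p.strip()]
    if truncated:
        names = names[:-1]
    return names, truncated


def audit_role_filters(text):
    """Return a list of findings, each {'id', 'kind', 'detail'}, per flagged filter."""
    findings = []
    for row in parse_hammer_table(text):
        fid, rtype = row["ID"], row["RESOURCE TYPE"]
        perms, truncated = split_permissions(row["PERMISSIONS"])
        if truncated:
            findings.append({"id": fid, "kind": "truncated",
                             "detail": f"{rtype}: run `hammer filter info --id {fid}`"})
        if row["UNLIMITED?"].lower() == "yes":
            findings.append({"id": fid, "kind": "unlimited",
                             "detail": f"{rtype}: {', '.join(perms)} on every object"})
        destructive = [p for p in perms if p.startswith(DESTRUCTIVE_PREFIXES)]
        if destructive:
            findings.append({"id": fid, "kind": "destructive",
                             "detail": f"{rtype} ({row['SEARCH']}): {', '.join(destructive)}"})
    return findings


if __name__ == "__main__":
    for f in audit_role_filters(SAMPLE_TABLE):
        print(f"filter {f['id']:>4} {f['kind']:<11} {f['detail']}")
```

On the pasted table this flags 430 and 433 for destroy_* permissions (both are scoped by a search, which is what the role's description asks for), 437/438/439 as unlimited, and 440/431/433 as truncated; the unlimited ones are worth a deliberate decision rather than an accident, since a filter with no search applies to every parameter, puppet class or report in the taxonomy.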
