Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1489367 - [Hammer] Org Admin user cannot create user though cli
Summary: [Hammer] Org Admin user cannot create user though cli
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Organizations and Locations
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high vote
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Corey Welton
URL:
Whiteboard:
Depends On:
Blocks: 1373844
TreeView+ depends on / blocked
 
Reported: 2017-09-07 09:34 UTC by Jitendra Yejare
Modified: 2019-04-01 20:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1502725 (view as bug list)
Environment:
Last Closed: 2018-02-21 17:31:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 21119 None None None 2017-09-27 08:58:58 UTC
Foreman Issue Tracker 21357 None None None 2017-10-19 17:53:09 UTC
Github Katello katello pull 7008 None None None 2017-10-19 17:57:44 UTC

Description Jitendra Yejare 2017-09-07 09:34:10 UTC
Description of problem:
An Org Admin user cannot create another user through hammer CLI, throws exception- 
"Organization ids Invalid organizations selection, you must select at least one of yours"

Version-Release number of selected component (if applicable):
Satellite 6.3.0 snap 14

How reproducible:
Always

Steps to Reproduce:
1. Create Org Admin role and assign any taxonomies to it
2. Create user and assign above Org Admin role to it and same taxonomies
3. Login with above Org Admin user
4. Attempt to create new users


Actual Results:

Try any of the following

# hammer user create --auth-source-id 1 --login user3_from1 --mail use.r3@gmail.com --password passwd
-> Organization ids Invalid organizations selection, you must select at least one of yours
  Location ids Invalid locations selection, you must select at least one of yours

# hammer user create --auth-source-id 1 --login user3_from1 --mail use.r3@gmail.com --password passwd --organization-ids 1
Could not create the user:
  Organization ids Invalid organizations selection, you must select at least one of yours
  Location ids Invalid locations selection, you must select at least one of yours

# hammer user create --auth-source-id 1 --login user3_from1 --mail use.r3@gmail.com --password passwd --location-ids 2
Could not create the user:
  Organization ids Invalid organizations selection, you must select at least one of yours

# hammer user create --auth-source-id 1 --login user3_from1 --mail use.r3@gmail.com --password passwd --location-ids 2 --organization-ids 1
Could not create the user:
  Organization ids Invalid organizations selection, you must select at least one of yours

Expected results:
User should be created through Org Admin user

Additional info:

Comment 3 Marek Hulan 2017-09-12 05:53:37 UTC
I'll try to reproduce. From quick read I think only the last command should succeed. New user must have orgs and locs set.

Comment 4 Andrew Kofink 2017-09-21 12:48:48 UTC
I am able to reproduce.

Comment 5 Andrew Kofink 2017-09-21 14:22:38 UTC
So, I guess the real question is, should the 'Organization admin' role contain the 'assign_organizations' permission?

Comment 7 Marek Hulan 2017-09-25 14:44:02 UTC
I don't think org admin should has such permission. The use case is that we have a user who is "org admin of $org", the $org should be auto-assigned to the resource. I think UI does it automatically, API needs to start doing it too. I'll try to look at it this week but I'm offline next week. If you want to look at that, just please ping me and retake :-)

Comment 8 Marek Hulan 2017-09-26 17:59:31 UTC
This is another org and locs issue, this time for the whole API. No API call sets current organization or location. The reason was that hammer did not support sessions and there's no generic API parameter to set it.

One part of the solution is to take the set_taxonomy before filter from UI application controller and put it into application_shared concern. That should ensure that for non-admin user, first available taxonoy is selected.

Second part is calling set_user_taxonomies from UserMixin after api login happens in order for user to be able to modify in which context he or she works. Otherwise it would always select the first one.

Later I could imagine adding --current-organization override argument but that wuld require more changes.

Comment 9 Marek Hulan 2017-09-27 08:58:56 UTC
Created redmine issue http://projects.theforeman.org/issues/21119 from this bug

Comment 10 pm-sat@redhat.com 2017-09-27 10:14:02 UTC
Upstream bug assigned to mhulan@redhat.com

Comment 11 pm-sat@redhat.com 2017-09-27 10:14:06 UTC
Upstream bug assigned to mhulan@redhat.com

Comment 17 Corey Welton 2017-10-23 17:19:53 UTC
Verified in snap 21

[root@yttrium ~]# hammer user create --auth-source-id 1 --login permutation1 --mail use.r3@gmail.com --password passwd
User [permutation1] created
[root@yttrium ~]# hammer user create --auth-source-id 1 --login permutation2 --mail use.r3@gmail.com --password passwd --organization-ids 1
User [permutation2] created
[root@yttrium ~]# hammer user create --auth-source-id 1 --login permutation3 --mail use.r3@gmail.com --password passwd --location-ids 2
User [permutation3] created
[root@yttrium ~]# hammer user create --auth-source-id 1 --login permutation4 --mail use.r3@gmail.com --password passwd --location-ids 2 --organization-ids 1
User [permutation4] created

Comment 18 Bryan Kearney 2018-02-21 17:31:06 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336


Note You need to log in before you can comment on or make changes to this bug.