Bug #11718

closed

Problems with roles that filter on facts

Added by Ears Down over 8 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Summary

When logged in as a user with a role which has filters that limit access based on facts, the user is unable to retrieve fact_values. Suspected cause is a bug with SQL query rendering. Behavior and error reports are listed below.

References to $curl below are executed as curl -u linuxsysadmin:<password> -s https://<foreman-url>

Steps to reproduce

  1. CentOS 7 + Foreman 1.8.3.
  2. Create role "Linux Sysadmin"
  3. Create user "linuxsysadmin" and assign to role "Linux Sysadmin"
  4. Assign these filters to the "Linux Sysadmin" role:
    - view_hosts, destroy_hosts: "facts.kernel ~ linux"
    - view_facts: unlimited
  5. Run this: $curl/api/hosts
    - Result: Works as expected - output not shown.
  6. Run this: $curl/api/v2/hosts
    - Result: Works as expected - output not shown.
  7. Run this: $curl/api/fact_values
    - Result: Error: PGError: ERROR: missing FROM-clause entry for table \"fact_names_456810\"\n ...
    {
      "error": {
        "message": "PGError: ERROR:  missing FROM-clause entry for table \"fact_names_456810\"\n
    LINE 1: ...ames\".\"id\" = \"fact_values\".\"fact_name_id\" WHERE ((fact_names...\n
    ^\n: SELECT  \"fact_values\".\"id\" AS t0_r0, \"fact_values\".\"value\" AS t0_r1, \"fact_values\".\"fact_name_id\" AS t0_r2,
    \"fact_values\".\"host_id\" AS t0_r3, \"fact_values\".\"updated_at\" AS t0_r4, \"fact_values\".\"created_at\" AS t0_r5, 
    \"fact_names\".\"id\" AS t1_r0, \"fact_names\".\"name\" AS t1_r1, \"fact_names\".\"updated_at\" AS t1_r2, 
    \"fact_names\".\"created_at\" AS t1_r3, \"fact_names\".\"compose\" AS t1_r4, \"fact_names\".\"short_name\" AS t1_r5, 
    \"fact_names\".\"type\" AS t1_r6, \"fact_names\".\"ancestry\" AS t1_r7, \"hosts\".\"id\" AS t2_r0, \"hosts\".\"name\" AS t2_r1,
    \"hosts\".\"last_compile\" AS t2_r2, \"hosts\".\"last_freshcheck\" AS t2_r3, \"hosts\".\"last_report\" AS t2_r4, 
    \"hosts\".\"updated_at\" AS t2_r5, \"hosts\".\"source_file_id\" AS t2_r6, \"hosts\".\"created_at\" AS t2_r7, 
    \"hosts\".\"root_pass\" AS t2_r8, \"hosts\".\"serial\" AS t2_r9, \"hosts\".\"puppet_status\" AS t2_r10, 
    \"hosts\".\"architecture_id\" AS t2_r11, \"hosts\".\"operatingsystem_id\" AS t2_r12, \"hosts\".\"environment_id\" AS t2_r13, 
    \"hosts\".\"ptable_id\" AS t2_r14, \"hosts\".\"medium_id\" AS t2_r15, \"hosts\".\"build\" AS t2_r16, \"hosts\".\"comment\" AS t2_r17, 
    \"hosts\".\"disk\" AS t2_r18, \"hosts\".\"installed_at\" AS t2_r19, \"hosts\".\"model_id\" AS t2_r20, \"hosts\".\"hostgroup_id\" AS t2_r21, 
    \"hosts\".\"owner_id\" AS t2_r22, \"hosts\".\"owner_type\" AS t2_r23, \"hosts\".\"enabled\" AS t2_r24, \"hosts\".\"puppet_ca_proxy_id\" AS t2_r25, 
    \"hosts\".\"managed\" AS t2_r26, \"hosts\".\"use_image\" AS t2_r27, \"hosts\".\"image_file\" AS t2_r28, \"hosts\".\"uuid\" AS t2_r29, 
    \"hosts\".\"compute_resource_id\" AS t2_r30, \"hosts\".\"puppet_proxy_id\" AS t2_r31, \"hosts\".\"certname\" AS t2_r32, \"hosts\".\"image_id\" AS t2_r33, 
    \"hosts\".\"organization_id\" AS t2_r34, \"hosts\".\"location_id\" AS t2_r35, \"hosts\".\"type\" AS t2_r36, \"hosts\".\"otp\" AS t2_r37, 
    \"hosts\".\"realm_id\" AS t2_r38, \"hosts\".\"compute_profile_id\" AS t2_r39, \"hosts\".\"provision_method\" AS t2_r40, \"hosts\".\"grub_pass\" AS t2_r41 
    FROM \"fact_values\" INNER JOIN \"hosts\" ON \"hosts\".\"id\" = \"fact_values\".\"host_id\" 
    AND \"hosts\".\"type\" IN ('Host::Managed') 
    LEFT OUTER JOIN \"fact_names\" ON \"fact_names\".\"id\" = \"fact_values\".\"fact_name_id\" 
    WHERE ((fact_names_456810.\"name\" = 'kernel') 
    AND (\"fact_values_456810\".\"value\" ILIKE '%Linux%')) 
    AND (fact_names.name <> '_timestamp') 
    ORDER BY \"fact_values\".\"value\" ASC NULLS FIRST  LIMIT 20 OFFSET 0" 
      }
    }
    
  8. Run this: $curl/api/v2/fact_values
    - Result: Empty result set, but no error.
    {
      "results": {},
      "sort": {
        "order": null,
        "by": null
      },
      "search": "",
      "per_page": 20,
      "page": 1,
      "subtotal": 0,
      "total": 0
    }
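
The PostgreSQL error in step 7 names only the first table reference it could not resolve. As an added example (not part of the original report and not Foreman's code), this Ruby script lists every table qualifier that a flat SELECT uses but never introduces in FROM/JOIN. The helper names and the shortened sample statement are constructed here, and it assumes no subqueries or schema-qualified names.

```ruby
# Added example: find table qualifiers a SELECT uses but never declares.
require "set"

# Constructed sample: the statement from the report with the long column list
# shortened to two columns; FROM, JOIN and WHERE are kept as reported.
REPORTED_SQL = <<~SQL
  SELECT "fact_values"."id" AS t0_r0, "fact_names"."name" AS t1_r1
  FROM "fact_values" INNER JOIN "hosts" ON "hosts"."id" = "fact_values"."host_id"
  AND "hosts"."type" IN ('Host::Managed')
  LEFT OUTER JOIN "fact_names" ON "fact_names"."id" = "fact_values"."fact_name_id"
  WHERE ((fact_names_456810."name" = 'kernel')
  AND ("fact_values_456810"."value" ILIKE '%Linux%'))
  AND (fact_names.name <> '_timestamp')
  ORDER BY "fact_values"."value" ASC NULLS FIRST LIMIT 20 OFFSET 0
SQL

# Words that can follow a table name in FROM/JOIN and are therefore not aliases.
KEYWORDS = %w[on where inner left right full outer cross join using group order limit].to_set

# Blank out string literals so text such as 'Host::Managed' is never read as SQL.
def strip_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# Names that FROM/JOIN make visible: each table name, or its alias when one is given.
def declared_names(sql)
  pattern = /\b(?:from|join)\s+"?(\w+)"?(?:\s+(?:as\s+)?"?(\w+)"?)?/i
  strip_literals(sql).scan(pattern).map do |table, maybe_alias|
    aliased = maybe_alias && !KEYWORDS.include?(maybe_alias.downcase)
    (aliased ? maybe_alias : table).downcase
  end.to_set
end

# Every qualifier written as name.column or "name"."column".
def referenced_qualifiers(sql)
  strip_literals(sql).scan(/"?(\w+)"?\s*\.\s*"?\w+"?/).flatten.map(&:downcase).to_set
end

# Qualifiers used somewhere in the statement but not introduced by FROM/JOIN.
def undeclared_qualifiers(sql)
  (referenced_qualifiers(sql) - declared_names(sql)).to_a.sort
end

if __FILE__ == $PROGRAM_NAME
  puts undeclared_qualifiers(REPORTED_SQL).inspect
end
```

Run against the reported statement, it flags both `fact_names_456810` and `fact_values_456810`, whereas the database error stops at the first.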
    