Hello Foreman team,

We've discovered what looks like a RBAC scalability bug where if you associate more than 600+ roles to a non-admin user it breaks their UI and hammer CLI and returns 500 errors.

We've been able to reproduce this on both 1.19.1 and 1.23.0.

This is what our process looks like (we manage large-scale R&D scale/performance environments in engineering via QUADS - https://quads.dev/)

1) associate one role per bare-metal system (named either via FQDN or short hostname)

hammer role create --name host01.example.com

2) associate one filter for that role with permissions

hammer filter create --role host01.example.com --search "name = host01.example.com" --permissions view_hosts,edit_hosts,build_hosts,power_hosts,console_hosts --role-id $(hammer role info --name host01.example.com | egrep ^Id: | awk '{ print $NF }')

3) add a non-admin user

hammer user create --login cloud01 --password password --mail quads@example.com --auth-source-id 1

4) add that role to the new user.

5) Do this 635+ times for 635+ hosts or more.

• Up until 500+ you can still get the return of hammer host list -u cloud01 -p mypassword
• After 500-600 roles you only get 500's for that user only.

We have since moved to using system ownership in lieu of 1 x role per bare-metal system, however we think this is a scalability bug and it can be easily recreated by creating a non-admin user, creating 600+ roles with filters, then associating those roles to that user and trying to login to the UI or run any hammer host commands.