ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

awxkit: awx cli inventory_sources create fails with Inventory Admin permissions #7593

Open anxstj opened 4 years ago

anxstj commented 4 years ago
ISSUE TYPE
SUMMARY

If users have Inventory Admin permissions, then they are not allowed to create inventory sources.

ENVIRONMENT
STEPS TO REPRODUCE
GET /api/v2/users/76
{
    "id": 76,
    "type": "user",
    "url": "/api/v2/users/76/",
    "related": {
        ...
    },
    "summary_fields": {
        "user_capabilities": {
            "edit": true,
            "delete": true
        }
    },
    "created": "2019-12-11T17:26:44.744286Z",
    "username": "myuser",
    "first_name": "Service User",
    "last_name": "myuser",
    "email": "myuser@example.com",
    "is_superuser": false,
    "is_system_auditor": false,
    "ldap_dn": "",
    "last_login": "2020-07-09T14:46:16.679122Z",
    "external_account": null,
    "auth": []
}
GET /api/v2/users/76/roles/
{
    "count": 4,
    "next": null,
    "previous": null,
    "results": [
        {
            "id": 1305,
            "type": "role",
            "url": "/api/v2/roles/1305/",
            "related": {
                "users": "/api/v2/roles/1305/users/",
                "teams": "/api/v2/roles/1305/teams/",
                "credential": "/api/v2/credentials/75/"
            },
            "summary_fields": {
                "user_capabilities": {
                    "unattach": true
                },
                "resource_name": "mycredential",
                "resource_type": "credential",
                "resource_type_display_name": "Credential"
            },
            "name": "Use",
            "description": "Can use the credential in a job template"
        },
        {
            "id": 233,
            "type": "role",
            "url": "/api/v2/roles/233/",
            "related": {
                "users": "/api/v2/roles/233/users/",
                "teams": "/api/v2/roles/233/teams/",
                "organization": "/api/v2/organizations/6/"
            },
            "summary_fields": {
                "user_capabilities": {
                    "unattach": true
                },
                "resource_name": "myorga",
                "resource_type": "organization",
                "resource_type_display_name": "Organization"
            },
            "name": "Member",
            "description": "User is a member of the organization"
        },
        {
            "id": 227,
            "type": "role",
            "url": "/api/v2/roles/227/",
            "related": {
                "users": "/api/v2/roles/227/users/",
                "teams": "/api/v2/roles/227/teams/",
                "organization": "/api/v2/organizations/6/"
            },
            "summary_fields": {
                "user_capabilities": {
                    "unattach": true
                },
                "resource_name": "myorga",
                "resource_type": "organization",
                "resource_type_display_name": "Organization"
            },
            "name": "Inventory Admin",
            "description": "Can manage all inventories of the organization"
        },
        {
            "id": 1382,
            "type": "role",
            "url": "/api/v2/roles/1382/",
            "related": {
                "users": "/api/v2/roles/1382/users/",
                "teams": "/api/v2/roles/1382/teams/",
                "project": "/api/v2/projects/166/"
            },
            "summary_fields": {
                "user_capabilities": {
                    "unattach": true
                },
                "resource_name": "myproject",
                "resource_type": "project",
                "resource_type_display_name": "Project"
            },
            "name": "Use",
            "description": "Can use the project in a job template"
        }
    ]
}
EXPECTED RESULTS
awx --conf.host https://awx.example.com --conf.token mytoken inventory_sources create --inventory 238 --name foobar --source scm --credential 75 --source_project 166 --source_path inventory.py
{
    "id": 684,
    "type": "inventory_source",
    "url": "/api/v2/inventory_sources/684/",
    ...
}
ACTUAL RESULTS
awx --conf.host https://awx.example.com --conf.token mytoken inventory_sources create --inventory 238 --name foobar --source scm --credential 75 --source_project 166 --source_path inventory.py
usage: awx inventory_sources [-h] action ...

positional arguments:
  action
    list
    get
    modify
    delete
    update
    associate
    disassociate

optional arguments:
  -h, --help    show this help message and exit

awx inventory_sources: argument action: invalid choice: 'create' (choose from 'list', 'get', 'modify', 'delete', 'update', 'associate', 'disassociate')
ADDITIONAL INFORMATION

Assigning OrgAdmin permissions to the user helps, but this shouldn't be necessary.

AlanCoding commented 3 years ago

I suspect this may be a duplicate of https://github.com/ansible/awx/issues/9297

Could you test with https://github.com/ansible/awx/pull/10372 and see if that fixes it?

thanks!

anxstj commented 3 years ago

Hi @AlanCoding,

No, this does not fix the problem. Tested with AWX 15.0.1 and awxkit 19.2.0.

This is not a UI bug; creating the inventory source via the UI with the same user works. It's just the awx CLI command that fails.

AlanCoding commented 3 years ago

9297 is not a UI issue either; it was observed in the UI because the UI makes use of the OPTIONS data, and so does the AWX CLI.

But the problem could be something else, thanks for testing it.

tiagodcc commented 1 year ago

Hi All,

I have also encountered a potential awxkit permission issue regarding inventory modifies. The behavior is identical for the tested awxkit versions 21.10.1 and 19.4.0.

The execution of the command below with the token of a global system administrator returns the help page containing valid arguments. By adding the described cli arguments, it executes the command properly.

awx -f human --conf.host https://awx.example.com --conf.token mytoken inventory modify 5 -h
# usage: awx inventory modify [-h] [--name TEXT] [--description TEXT] [--organization ID] [--kind {,smart}] [--host_filter TEXT] [--variables JSON/YAML] [--insights_credential ID] id

# positional arguments:
#   id                    the ID (or unique name) of the resource

# optional arguments:
#   -h, --help            show this help message and exit
#   --name TEXT           Name of this inventory.
#   --description TEXT    Optional description of this inventory.
#   --organization ID     Organization containing this inventory.
#   --kind {,smart}       Kind of inventory being represented.
#   --host_filter TEXT    Filter that will be applied to the hosts of this inventory.
#   --variables JSON/YAML
#                         Inventory variables in JSON or YAML format. You can optionally specify a file path e.g., @path/to/file.yml
#   --insights_credential ID
#                         Credentials to be used by hosts belonging to this inventory when accessing Red Hat Insights API.

awx -f human --conf.host https://awx.example.com --conf.token mytoken inventory modify 5 --variables "{}"
#id name
#== =================
#5  example-inventory

However, the execution of the same commands with the authentication token of a user that has "ADMIN" permissions on the inventory base returns the general help page. The user is able to modify the inventory correctly via REST API (tested with curl and the awx api browser) and UI.

awx -f human --conf.host https://awx.example.com --conf.token mytoken2 inventory modify 5 --variables "{}"
#usage: awx inventory modify [-h] id

#positional arguments:
#  id          the ID (or unique name) of the resource

#optional arguments:
#  -h, --help  show this help message and exit

csh0101 commented 1 year ago

Is there something we can do?

csh0101 commented 1 year ago

@AlanCoding the same problem is present on awx-on-k3s, version 22.7.0. I will work around it with API calls. awx-cli version: 3.8.6. I find that the create function is not present for any resource. It's a problem in the built-in awx-cli, I think. If you have free time, please check this.
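
Added example, not part of the thread and not awxkit's own code: a simplified model of a CLI that builds its subcommands and flags from the OPTIONS data mentioned above, showing how a missing POST entry for a non-superuser token produces the "invalid choice: 'create'" failure even though the user's role should allow the write. The OPTIONS bodies, the rule that `create` depends on POST, and all function names are assumptions made for illustration.

```python
import argparse

# Constructed OPTIONS bodies (not captured from a real AWX server). Assumption:
# the "actions" map lists only the HTTP methods offered to the requesting user.
OPTIONS_ORG_ADMIN = {"actions": {
    "GET": {"name": {"type": "string"}},
    "POST": {"name": {"type": "string", "required": True},
             "inventory": {"type": "id", "required": True},
             "source": {"type": "choice", "required": False}},
}}
OPTIONS_INVENTORY_ADMIN = {"actions": {"GET": {"name": {"type": "string"}}}}

# Assumption: these actions are always offered, matching the usage text above.
BASE_ACTIONS = ["list", "get", "modify", "delete", "update",
                "associate", "disassociate"]


def available_actions(options_body):
    """Return CLI actions; 'create' appears only if POST is advertised."""
    actions = list(BASE_ACTIONS)
    if "POST" in options_body.get("actions", {}):
        actions.insert(1, "create")
    return actions


def build_parser(options_body):
    """Build an argparse parser whose choices and flags come from OPTIONS."""
    parser = argparse.ArgumentParser(prog="awx inventory_sources")
    parser.add_argument("action", choices=available_actions(options_body))
    post_fields = options_body.get("actions", {}).get("POST", {})
    for field, meta in post_fields.items():
        parser.add_argument("--" + field, help=meta.get("type"),
                            required=meta.get("required", False))
    return parser


def try_create(options_body, argv):
    """Return parsed args, or None when argparse rejects the command line."""
    try:
        return build_parser(options_body).parse_args(argv)
    except SystemExit:  # argparse prints usage to stderr and exits with 2
        return None


def missing_write_methods(options_body, wanted):
    """Methods the CLI needs that the OPTIONS response does not advertise."""
    return [m for m in wanted if m not in options_body.get("actions", {})]
```

When the REST API accepts the write but `missing_write_methods` reports the method as absent, the mismatch is in the OPTIONS metadata rather than in the role assignment, so granting a broader role only hides the problem.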