Fixes #13689 - don't use authorized scope in provisioning template#156
Conversation
|
Oh, awesome. This explains a problem a user was having recently, and I could not figure it out. ACK |
|
Shouldn't we pass the user to determine the proxies then? It allows user that has no permissions on a particular proxy to use it. |
|
Setting the user by owner might not be trivial (as the host can be owned by user or usergroup). What about asking for the unscoped proxies in https://github.com/iNecas/foreman_remote_execution/blob/fix-ssh-keys-seed-global-proxy/app/models/concerns/foreman_remote_execution/host_extensions.rb#L60 by passing some optional param to |
|
That sounds ok to me, I guess. Although I'm not sure I find it very interesting from a permissions perspective to have such a restriction. I would think the only thing anyone cares about is if a user can execute this on a particular host, not from which proxies it gets executed. If a subnet has proxies A, B, C, and D, I'd want them all to be used. |
The user is not set in context of provisioning, therefore the public keys of the global proxies were not populated properly into the provisioned hosts.
iNecas
force-pushed
the
fix-ssh-keys-seed-global-proxy
branch
from
ddc57d7 to
db3e8ee
Compare
theforeman-bot
added
Needs testing
Needs re-review
and removed
Waiting on contributor
labels
|
I've updated the PR based on our discussion (+ added a test case for this) |
|
APJ |
|
Merging, thanks @iNecas |
Fixes #13689 - don't use authorized scope in provisioning template
fixes #12763 - puppetclass importer should be async
4 participants
The user is not set in context of provisioning, therefore the public
keys of the global proxies were not populated properly into the provisioned
hosts.