Which role permission grants access to service dialogs?

gaprindashvili

#1

I have a custom button for a VM, but the service dialog for it appears to only be accessible if I assign that user’s role the Customization feature/permission.

This however allows them to manage/delete all service dialogs, as opposed to just being able to view them. Without this permission the following error is returned on clicking the button.

Service dialogs are viewable through catalog items though, without the aforementioned permission.


Am I missing some role permission here, or have I likely configured things incorrectly somewhere? I am using tagging which may be an issue?


#2

@AllenBW would you be able to help here?


#3

There is a product feature called sui_svc_catalog that encompasses another feature called sui_svc_catalog_operations that you likely want to have assigned to the role that is attempting to manipulate service catalog in the sui… There’s a role called EvmRole-user_self_service that should do the trick

@enosullivan can you share more info about the user you’re usin’ for these actions?


#4

Thanks for the responses.

@AllenBW my test user is in a group that is using a role copied from EvmRole-user_self_service. I just set the group to use the original EvmRole-user_self_service there again now, in case I had incorrectly changed anything, but I am still getting the 403 Forbidden errors that I showed previously.

Allowed features are shown below, seems like everything you suggested that is needed is ticked. It’s the default self-service role.

The user is standard enough, authenticates via LDAP and is in an LDAP group with the self-service role assigned. The group has a tag assigned to it, essentially a department/group tag, and services and virtual machines have this tag assigned to them as well, allowing the members of the group to view and manage those resources. The group has a read-only filter applied to it so it can only see items with that tag, though I imagine that wouldn’t be an issue as buttons and service dialogs cannot be tagged?
Is there specific information on the user or that would be helpful, or anything else?

Thanks again for the help, it’s much appreciated :grinning:


#5

I also opened what is in essence the same question, last week in the Support forum.


#6

OOOooooooo hmmmmm @dclarizio who should we grab for dialog permissions?


#7

If a custom button is shown for a VM, it should be allowed to execute. @enosullivan, is there anything in the server logs showing a failure? Individual buttons are not controlled by the role features. If you can get a log snippet showing the button press transaction starting, perhaps we can debug this. Thx, Dan


#8

Logs that appear to be thrown up when a button is pressed are shown below, @dclarizio. If there are any other logs that I am missing that would prove useful, please let me know. Thanks once again for the help.

I may go away and set up a brand new instance of ManageIQ and use as many of the default settings as possible, just to debug the issue and to ensure I’m not causing it with some misconfiguration somewhere.

Custom button was clicked around the timestamp 2018-03-20T09:44:55 below, from the service UI. 403 error is returned almost immediately. Company and group names were obscured for privacy purposes.

api.log

[----] I, [2018-03-20T09:44:53.018505 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request_initiated)
[----] I, [2018-03-20T09:44:53.023650 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) API Request:    {:requested_at=>"2018-03-20 09:44:53 UTC", :method=>"GET", :url=>"https://miq.mycompany.ie/api/service_orders?hide=resources&filter[]=state%3Dordered"}
[----] I, [2018-03-20T09:44:53.032471 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request_initiated)
[----] I, [2018-03-20T09:44:53.034185 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request_initiated)
[----] I, [2018-03-20T09:44:53.034831 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) API Request:    {:requested_at=>"2018-03-20 09:44:53 UTC", :method=>"GET", :url=>"https://miq.mycompany.ie/api/services?hide=resources&filter[]=ancestry%3Dnull"}
[----] I, [2018-03-20T09:44:53.035601 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) API Request:    {:requested_at=>"2018-03-20 09:44:53 UTC", :method=>"GET", :url=>"https://miq.mycompany.ie/api/service_templates?hide=resources&filter[]=display%3Dtrue"}
[----] I, [2018-03-20T09:44:53.044934 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) Authentication: {:type=>"token", :token=>"bbc485d4f15bdf739d15d4b662901770", :x_miq_group=>nil, :user=>"enosullivan@mycompany.com"}
[----] I, [2018-03-20T09:44:53.049872 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
[----] I, [2018-03-20T09:44:53.051609 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/service_orders?hide=resources&filter[]=state%3Dordered", :url=>"https://miq.mycompany.ie/api/service_orders?hide=resources&filter[]=state%3Dordered", :base=>"https://miq.mycompany.ie", :path=>"/api/service_orders", :prefix=>"/api", :version=>"3.0.0", :api_prefix=>"https://miq.mycompany.ie/api", :collection=>"service_orders", :c_suffix=>nil, :collection_id=>nil, :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2018-03-20T09:44:53.053511 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) Parameters:     {"hide"=>"resources", "filter"=>["state=ordered"], "action"=>"index", "controller"=>"api/service_orders", "format"=>"json", "body"=>{}}
[----] I, [2018-03-20T09:44:53.095621 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) Authentication: {:type=>"token", :token=>"bbc485d4f15bdf739d15d4b662901770", :x_miq_group=>nil, :user=>"enosullivan@mycompany.com"}
[----] I, [2018-03-20T09:44:53.096887 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) Authentication: {:type=>"token", :token=>"bbc485d4f15bdf739d15d4b662901770", :x_miq_group=>nil, :user=>"enosullivan@mycompany.com"}
[----] I, [2018-03-20T09:44:53.102615 #2161:bed368]  INFO -- : MIQ(Api::ServiceOrdersController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:53 UTC", :size=>"0.835 KBytes", :time_taken=>"0.084 Seconds", :status=>200}
[----] I, [2018-03-20T09:44:53.108953 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
[----] I, [2018-03-20T09:44:53.110516 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
[----] I, [2018-03-20T09:44:53.112675 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/services?hide=resources&filter[]=ancestry%3Dnull", :url=>"https://miq.mycompany.ie/api/services?hide=resources&filter[]=ancestry%3Dnull", :base=>"https://miq.mycompany.ie", :path=>"/api/services", :prefix=>"/api", :version=>"3.0.0", :api_prefix=>"https://miq.mycompany.ie/api", :collection=>"services", :c_suffix=>nil, :collection_id=>nil, :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2018-03-20T09:44:53.114668 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/service_templates?hide=resources&filter[]=display%3Dtrue", :url=>"https://miq.mycompany.ie/api/service_templates?hide=resources&filter[]=display%3Dtrue", :base=>"https://miq.mycompany.ie", :path=>"/api/service_templates", :prefix=>"/api", :version=>"3.0.0", :api_prefix=>"https://miq.mycompany.ie/api", :collection=>"service_templates", :c_suffix=>nil, :collection_id=>nil, :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2018-03-20T09:44:53.116355 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) Parameters:     {"hide"=>"resources", "filter"=>["ancestry=null"], "action"=>"index", "controller"=>"api/services", "format"=>"json", "body"=>{}}
[----] I, [2018-03-20T09:44:53.118305 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) Parameters:     {"hide"=>"resources", "filter"=>["display=true"], "action"=>"index", "controller"=>"api/service_templates", "format"=>"json", "body"=>{}}
[----] I, [2018-03-20T09:44:53.211441 #2161:b6d67c]  INFO -- : MIQ(Api::ServiceTemplatesController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:53 UTC", :size=>"0.518 KBytes", :time_taken=>"0.177 Seconds", :status=>200}
[----] I, [2018-03-20T09:44:53.228924 #2161:b6c434]  INFO -- : MIQ(Api::ServicesController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:53 UTC", :size=>"1.142 KBytes", :time_taken=>"0.196 Seconds", :status=>200}
[----] I, [2018-03-20T09:44:55.429603 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request_initiated)
[----] I, [2018-03-20T09:44:55.431181 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) API Request:    {:requested_at=>"2018-03-20 09:44:55 UTC", :method=>"GET", :url=>"https://miq.mycompany.ie/api/service_dialogs/3?expand=resources&attributes=content"}
[----] I, [2018-03-20T09:44:55.436759 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request_initiated)
[----] I, [2018-03-20T09:44:55.437505 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) API Request:    {:requested_at=>"2018-03-20 09:44:55 UTC", :method=>"GET", :url=>"https://miq.mycompany.ie/api/services/29?attributes=picture%2Cpicture.image_href"}
[----] I, [2018-03-20T09:44:55.461898 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Authentication: {:type=>"token", :token=>"bbc485d4f15bdf739d15d4b662901770", :x_miq_group=>nil, :user=>"enosullivan@mycompany.com"}
[----] I, [2018-03-20T09:44:55.463218 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Authentication: {:type=>"token", :token=>"bbc485d4f15bdf739d15d4b662901770", :x_miq_group=>nil, :user=>"enosullivan@mycompany.com"}
[----] I, [2018-03-20T09:44:55.468751 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
[----] I, [2018-03-20T09:44:55.470139 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
[----] I, [2018-03-20T09:44:55.471732 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/service_dialogs/3?expand=resources&attributes=content", :url=>"https://miq.mycompany.ie/api/service_dialogs/3?expand=resources&attributes=content", :base=>"https://miq.mycompany.ie", :path=>"/api/service_dialogs/3", :prefix=>"/api", :version=>"3.0.0", :api_prefix=>"https://miq.mycompany.ie/api", :collection=>"service_dialogs", :c_suffix=>nil, :collection_id=>"3", :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2018-03-20T09:44:55.473245 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Request:        {:method=>:get, :action=>"read", :fullpath=>"/api/services/29?attributes=picture%2Cpicture.image_href", :url=>"https://miq.mycompany.ie/api/services/29?attributes=picture%2Cpicture.image_href", :base=>"https://miq.mycompany.ie", :path=>"/api/services/29", :prefix=>"/api", :version=>"3.0.0", :api_prefix=>"https://miq.mycompany.ie/api", :collection=>"services", :c_suffix=>nil, :collection_id=>"29", :subcollection=>nil, :subcollection_id=>nil}
[----] I, [2018-03-20T09:44:55.474756 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Parameters:     {"expand"=>"resources", "attributes"=>"content", "action"=>"show", "controller"=>"api/service_dialogs", "format"=>"json", "body"=>{}}
[----] I, [2018-03-20T09:44:55.476187 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Parameters:     {"attributes"=>"picture,picture.image_href", "action"=>"show", "controller"=>"api/services", "format"=>"json", "body"=>{}}
[----] E, [2018-03-20T09:44:55.488913 #2161:becf1c] ERROR -- : MIQ(Api::ServiceDialogsController.api_error) API Error
[----] E, [2018-03-20T09:44:55.489122 #2161:becf1c] ERROR -- : MIQ(Api::ServiceDialogsController.api_error) Api::ForbiddenError: Use of the read action is forbidden
[----] I, [2018-03-20T09:44:55.496690 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:55 UTC", :size=>"0.108 KBytes", :time_taken=>"0.067 Seconds", :status=>403}
[----] I, [2018-03-20T09:44:55.629248 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:55 UTC", :size=>"1.873 KBytes", :time_taken=>"0.192 Seconds", :status=>200}

production.log

[----] I, [2018-03-20T09:44:53.009316 #2161:b6c434]  INFO -- : Started GET "/api/services?hide=resources&filter[]=ancestry%3Dnull" for 127.0.0.1 at 2018-03-20 09:44:53 +0000
[----] I, [2018-03-20T09:44:53.012517 #2161:bed368]  INFO -- : Started GET "/api/service_orders?hide=resources&filter[]=state%3Dordered" for 127.0.0.1 at 2018-03-20 09:44:53 +0000
[----] I, [2018-03-20T09:44:53.017652 #2161:bed368]  INFO -- : Processing by Api::ServiceOrdersController#index as JSON
[----] I, [2018-03-20T09:44:53.017869 #2161:bed368]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["state=ordered"]}
[----] I, [2018-03-20T09:44:53.019895 #2161:b6d67c]  INFO -- : Started GET "/api/service_templates?hide=resources&filter[]=display%3Dtrue" for 127.0.0.1 at 2018-03-20 09:44:53 +0000
[----] I, [2018-03-20T09:44:53.023106 #2161:b6c434]  INFO -- : Processing by Api::ServicesController#index as JSON
[----] I, [2018-03-20T09:44:53.028515 #2161:b6d67c]  INFO -- : Processing by Api::ServiceTemplatesController#index as JSON
[----] I, [2018-03-20T09:44:53.029363 #2161:b6c434]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["ancestry=null"]}
[----] I, [2018-03-20T09:44:53.030132 #2161:b6d67c]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["display=true"]}
[----] I, [2018-03-20T09:44:53.107335 #2161:bed368]  INFO -- : Completed 200 OK in 89ms (Views: 0.3ms | ActiveRecord: 25.9ms)
[----] I, [2018-03-20T09:44:53.229267 #2161:b6d67c]  INFO -- : Completed 200 OK in 178ms (Views: 0.3ms | ActiveRecord: 59.4ms)
[----] I, [2018-03-20T09:44:53.231262 #2161:b6c434]  INFO -- : Completed 200 OK in 199ms (Views: 0.3ms | ActiveRecord: 67.4ms)
[----] I, [2018-03-20T09:44:55.423105 #2161:becf1c]  INFO -- : Started GET "/api/service_dialogs/3?expand=resources&attributes=content" for 127.0.0.1 at 2018-03-20 09:44:55 +0000
[----] I, [2018-03-20T09:44:55.428723 #2161:becf1c]  INFO -- : Processing by Api::ServiceDialogsController#show as JSON
[----] I, [2018-03-20T09:44:55.428945 #2161:becf1c]  INFO -- :   Parameters: {"expand"=>"resources", "attributes"=>"content", "c_id"=>"3"}
[----] I, [2018-03-20T09:44:55.430613 #2161:b7cdd4]  INFO -- : Started GET "/api/services/29?attributes=picture%2Cpicture.image_href" for 127.0.0.1 at 2018-03-20 09:44:55 +0000
[----] I, [2018-03-20T09:44:55.435540 #2161:b7cdd4]  INFO -- : Processing by Api::ServicesController#show as JSON
[----] I, [2018-03-20T09:44:55.435760 #2161:b7cdd4]  INFO -- :   Parameters: {"attributes"=>"picture,picture.image_href", "c_id"=>"29"}
[----] I, [2018-03-20T09:44:55.501947 #2161:becf1c]  INFO -- : Completed 403 Forbidden in 73ms (Views: 0.5ms | ActiveRecord: 12.4ms)
[----] I, [2018-03-20T09:44:55.629668 #2161:b7cdd4]  INFO -- : Completed 200 OK in 193ms (Views: 0.3ms | ActiveRecord: 38.7ms)
[----] I, [2018-03-20T09:45:03.367410 #2161:bed368]  INFO -- : Started GET "/api/service_templates?hide=resources&filter[]=display%3Dtrue" for 127.0.0.1 at 2018-03-20 09:45:03 +0000
[----] I, [2018-03-20T09:45:03.374415 #2161:bed368]  INFO -- : Processing by Api::ServiceTemplatesController#index as JSON
[----] I, [2018-03-20T09:45:03.374795 #2161:bed368]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["display=true"]}
[----] I, [2018-03-20T09:45:03.375973 #2161:b6d67c]  INFO -- : Started GET "/api/services?hide=resources&filter[]=ancestry%3Dnull" for 127.0.0.1 at 2018-03-20 09:45:03 +0000
[----] I, [2018-03-20T09:45:03.377943 #2161:b6c434]  INFO -- : Started GET "/api/service_orders?hide=resources&filter[]=state%3Dordered" for 127.0.0.1 at 2018-03-20 09:45:03 +0000
[----] I, [2018-03-20T09:45:03.382102 #2161:b6d67c]  INFO -- : Processing by Api::ServicesController#index as JSON
[----] I, [2018-03-20T09:45:03.388754 #2161:b6c434]  INFO -- : Processing by Api::ServiceOrdersController#index as JSON
[----] I, [2018-03-20T09:45:03.389655 #2161:b6d67c]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["ancestry=null"]}
[----] I, [2018-03-20T09:45:03.391649 #2161:b6c434]  INFO -- :   Parameters: {"hide"=>"resources", "filter"=>["state=ordered"]}
[----] I, [2018-03-20T09:45:03.514389 #2161:bed368]  INFO -- : Completed 200 OK in 138ms (Views: 0.4ms | ActiveRecord: 56.1ms)
[----] I, [2018-03-20T09:45:03.557476 #2161:b6c434]  INFO -- : Completed 200 OK in 164ms (Views: 0.3ms | ActiveRecord: 56.4ms)
[----] I, [2018-03-20T09:45:03.588391 #2161:b6d67c]  INFO -- : Completed 200 OK in 196ms (Views: 0.3ms | ActiveRecord: 75.5ms)
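
An added example, not part of the original thread or of ManageIQ: a Ruby script that correlates api.log lines by their `#pid:thread` id, so that each 403 is reported together with the role, collection and action that were denied. The sample lines are constructed (abridged from the excerpt in post #8), and the helper name `denied_requests` is hypothetical.

```ruby
# Added example. SAMPLE_API_LOG is constructed: lines abridged from the api.log
# excerpt in post #8 (token and unused fields dropped).
SAMPLE_API_LOG = <<~'LOG'
  [----] I, [2018-03-20T09:44:55.429603 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request_initiated)
  [----] I, [2018-03-20T09:44:55.436759 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request_initiated)
  [----] I, [2018-03-20T09:44:55.468751 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
  [----] I, [2018-03-20T09:44:55.470139 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Authorization:  {:user=>"enosullivan@mycompany.com", :group=>"ManageIQ - My Group", :role=>"EvmRole-user_self_service", :tenant=>"My Group"}
  [----] I, [2018-03-20T09:44:55.471732 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Request:        {:method=>:get, :action=>"read", :path=>"/api/service_dialogs/3", :collection=>"service_dialogs", :collection_id=>"3"}
  [----] I, [2018-03-20T09:44:55.473245 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Request:        {:method=>:get, :action=>"read", :path=>"/api/services/29", :collection=>"services", :collection_id=>"29"}
  [----] E, [2018-03-20T09:44:55.489122 #2161:becf1c] ERROR -- : MIQ(Api::ServiceDialogsController.api_error) Api::ForbiddenError: Use of the read action is forbidden
  [----] I, [2018-03-20T09:44:55.496690 #2161:becf1c]  INFO -- : MIQ(Api::ServiceDialogsController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:55 UTC", :status=>403}
  [----] I, [2018-03-20T09:44:55.629248 #2161:b7cdd4]  INFO -- : MIQ(Api::ServicesController.log_request) Response:       {:completed_at=>"2018-03-20 09:44:55 UTC", :status=>200}
LOG

# timestamp, "#pid:thread" request id, level, controller, logging method, message
LINE_RE = /\[(?<ts>\d{4}-\d\d-\d\dT[\d:.]+) #(?<pid>\d+):(?<tid>\h+)\]\s+(?<level>\w+) -- : MIQ\((?<ctrl>[\w:]+)\.(?<meth>\w+)\)\s*(?<msg>.*)\z/

# Returns one hash per request that ended in HTTP 403, with the identity and
# target collected from the interleaved lines sharing the same request id.
def denied_requests(log_text)
  open_reqs = {}
  denied = []
  log_text.each_line do |line|
    m = LINE_RE.match(line.chomp) or next
    key = "#{m[:pid]}:#{m[:tid]}"
    if m[:meth] == "log_request_initiated"
      open_reqs[key] = { controller: m[:ctrl], started: m[:ts] }
      next
    end
    req = (open_reqs[key] ||= { controller: m[:ctrl] })
    msg = m[:msg]
    case msg
    when /\AAuthorization:/
      req[:user]  = msg[/:user=>"([^"]*)"/, 1]
      req[:group] = msg[/:group=>"([^"]*)"/, 1]
      req[:role]  = msg[/:role=>"([^"]*)"/, 1]
    when /\ARequest:/ # does not match the earlier "API Request:" line
      req[:action]     = msg[/:action=>"([^"]*)"/, 1]
      req[:path]       = msg[/:path=>"([^"]*)"/, 1]
      req[:collection] = msg[/:collection=>"([^"]*)"/, 1]
    when /Api::ForbiddenError: (.*)/
      req[:error] = $1
    when /\AResponse:/
      status = msg[/:status=>(\d+)/, 1].to_i
      done = open_reqs.delete(key) # request finished; the thread id may be reused
      denied << done.merge(status: status) if status == 403
    end
  end
  denied
end

if __FILE__ == $PROGRAM_NAME
  denied_requests(SAMPLE_API_LOG).each do |r|
    puts "#{r[:started]} 403 #{r[:user]} role=#{r[:role]} #{r[:action]} #{r[:path]} (#{r[:error]})"
  end
end
```

Grouping the output by role and collection shows which product feature checks a given role fails, without granting it broader features first to find out.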

#9

I set up a brand new ManageIQ instance with the latest version, created a user and placed them in the user self-service group with the self-service role and then tried to get a service dialog via the API. Appear to be getting the same error, so I don’t appear to have done anything wrong from a default configuration perspective.


#10

@AllenBW anything more you can ascertain given the logs and re-install of MIQ?


#11

OH apologies, didn’t get an email for the updated response…

Looks to be something isn’t making it past server side rbac for some reason or another, “ServiceDialogsController.api_error” would seemingly indicate this is an api issue :face_with_raised_eyebrow: @TimW :wave: was wondering if you could pop in and shed some light when yah have a moment? :bowing_man::heart:


#12

The @TimW account seems a bit inactive. Is @imtayadeway perhaps the correct one?


#13

So I can’t speak as to the why but you will need either the svc_catalog_provision or miq_ae_customization_explorer product features.


#14

Hi @imtayadeway, thanks for the response.
I checked the product features the role had via the API and it has svc_catalog_provision by default.
It still doesn’t appear to be able to view dialogs though. Adding the miq_ae_customization_explorer feature does allow viewing of dialogs, but as mentioned previously it also appears to allow administrative level editing of dialogs.

Just found this, sounds like it may be the issue I was having.


#15

Yep, I think that is it. I can see there that it was backported to the Gaprindashvili release - is it an option to upgrade?


#16

I’ll look into that. Main thing is that it has been fixed in future versions.
Thanks all for the help! :smile: